[Fwd: [Snowball-discuss] Do not send passwords in the clear!]
Richard Boulton
richard@tartarus.org
Tue Oct 1 17:45:01 2002
Steve,
Sorry about that, I meant to turn off the Mailman option to send the
monthly reminders. Mailman sets this option by default, but it isn't
really useful, and as you point out is a bit of a security issue. The
option is only available as a global setting across all users of the
list. I've changed it, so no future monthly reminders should be sent.
Users can always request sending of their password if they forget it by
visiting their settings page. (Of course, so can any other attacker.)
Of course, the passwords are sent in the clear whenever you change your
options anyway, and for this reason they are not meant to provide more
than mild security. I believe it is made clear on the webpage that you
shouldn't use the same password for the list as for anything else you
want to keep secure.
--
Richard
PS: you found the way to stop it sending you monthly reminders with
plaintext passwords.
-----Forwarded Message-----
From: "Tolkin, Steve" <Steve.Tolkin@FMR.COM>
To: 'richard@tartarus.org' <richard@tartarus.org>
Cc: 'snowball-discuss@lists.tartarus.org.' <snowball-discuss@lists.tartarus.org>
Subject: [Snowball-discuss] Do not send passwords in the clear!
Date: 01 Oct 2002 08:53:45 -0400
I decided to unsubscribe from the snowball mailing list
http://lists.tartarus.org/mailman/listinfo/snowball-discuss
because I could not find a way to prevent it from including my password
in the clear, i.e. not encrypted, in the monthly reminders.
You should never mail out passwords unless specifically requested.
Or there should be an option to suppress this, and it should be the default.
In fact there is no need to send out monthly reminders, so there
should be an option to suppress those too.