[Fwd: [Snowball-discuss] Do not send passwords in the clear!]

Tolkin, Steve Steve.Tolkin@FMR.COM
Tue Oct 1 17:53:02 2002


Actually it is possible to make changing passwords much more secure.
A request to change a password sends a confirmation number to the 
currently known email address, and this number must be provided
on the web page.  That prevents an attacker who cannot intercept
the target's email, which is reasonably difficult.

But coding this is probably not worthwhile for a low
security topic like Snowball.

 
Hopefully helpfully yours,
Steve
-- 
Steven Tolkin          steve.tolkin@fmr.com      617-563-0516 
Fidelity Investments   82 Devonshire St. V8D     Boston MA 02109
There is nothing so practical as a good theory.  Comments are by me, 
not Fidelity Investments, its subsidiaries or affiliates.



> -----Original Message-----
> From: Richard Boulton [mailto:richard@tartarus.org]
> Sent: Tuesday, October 01, 2002 12:43 PM
> To: Snowball discussion list
> Cc: Steve Tolkin
> Subject: [Fwd: [Snowball-discuss] Do not send passwords in the clear!]
> 
> 
> Steve,
> 
> Sorry about that, I meant to turn off the mailman option to send the
> monthly reminders.  Mailman sets this option by default, but it isn't
> really useful, and as you point out is a bit of a security issue.  The
> option is only available as a global setting across all users of the
> list.  I've changed it, so no future monthly reminders should be sent.
> 
> Users can always request sending of their password if they forget it by
> visiting their settings page.  (Of course, so can any other attacker.)
> 
> Of course, the passwords are sent in the clear whenever you change your
> options anyway, and for this reason they are not meant to provide more
> than mild security.   I believe it is made clear on the webpage that you
> shouldn't use the same password for the list as for anything else you
> want to keep secure.
> 
> -- 
> Richard
> 
> PS: you found the way to stop it sending you monthly reminders with
> plaintext passwords.
> 
> -----Forwarded Message-----
> 
> From: "Tolkin, Steve" <Steve.Tolkin@FMR.COM>
> To: 'richard@tartarus.org' <richard@tartarus.org>
> Cc: 'snowball-discuss@lists.tartarus.org.' 
> <snowball-discuss@lists.tartarus.org>
> Subject: [Snowball-discuss] Do not send passwords in the clear!
> Date: 01 Oct 2002 08:53:45 -0400
> 
> I decided to unsubscribe from the snowball mailing list
> http://lists.tartarus.org/mailman/listinfo/snowball-discuss
> because I could not find a way to prevent it from including my password
> in the clear, i.e. not encrypted, in the monthly reminders.
> 
> You should never mail out passwords unless specifically requested.
> 
> Or there should be an option to suppress this, and it should
> be the default.
> 
> In fact there is no need to send out monthly reminders, so there
> should be an option to suppress those too.
> 
>
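The confirmation-number scheme Steve sketches at the top of this thread (a change request mails a code to the address already on file, and the change only applies once that code comes back through the web form), written out as an added example; this is not Mailman code or anything from the list software. The account store, the "known address" lookup, the 15-minute lifetime and the 5-attempt limit are all assumed for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed policy: a pending change expires after 15 minutes
MAX_ATTEMPTS = 5             # assumed policy: stop guessing after a few wrong codes

# Hypothetical stores: the address we already know for each account,
# the current password hash, and any change still waiting for its code.
_known_email = {"alice": "alice@example.invalid"}   # constructed sample data
_passwords = {}
_pending = {}

def _hash_code(account, code):
    # Keep only a hash so a dump of the pending store does not reveal live codes.
    return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()

def request_password_change(account, new_password_hash, now=None):
    """Record the requested change and return the code to mail to the address on file."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"   # 8 random digits: 10^8 space vs 5 tries
    _pending[account] = {
        "code_hash": _hash_code(account, code),
        "sent_to": _known_email[account],        # never an address supplied by the requester
        "new_password_hash": new_password_hash,  # nothing changes until the code comes back
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # the caller mails this; the old password is never sent anywhere

def confirm_password_change(account, submitted_code, now=None):
    """Apply the pending change only if the code is correct, fresh, and not yet used."""
    now = time.time() if now is None else now
    rec = _pending.get(account)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(account, None)   # expired or hammered: discard the pending change
        return False
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["code_hash"], _hash_code(account, submitted_code)):
        return False                  # wrong code; the attempt counter still advanced
    _pending.pop(account)             # single use: the same code cannot be replayed
    _passwords[account] = rec["new_password_hash"]
    return True
```

An attacker who can submit the web form but cannot read the victim's mailbox gets at most MAX_ATTEMPTS guesses at an 8-digit code before the request is discarded, which is the property the thread is after.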