Security issues: passwords are stored in plaintext
Bug #1501762 reported by
Steeve McCauley
This bug report is a duplicate of:
Bug #265179: Security hole: passwords mailed in clear.
Edit
Remove
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
GNU Mailman |
New
|
Undecided
|
Unassigned |
Bug Description
Passwords for the mailing list users are stored in plaintext, and mailed to the users each month as "reminders" by default.
Passwords should be hashed securely using modern hashing methods and the password thrown away. Mailing passwords in plaintext is something that was acceptable in 1992, barely. Doing so in 2015 is insane.
At the very least the default setting of mailing out users passwords in plaintext should be eliminated. Password recovery methods should be modernized.
information type: | Private Security → Public Security |
To post a comment you must log in.
This is a well known, long standing issue. See <https:/ /bugs.launchpad .net/mailman/ +bug/265179>. It is fixed in Mailman 3. It won't be fixed in Mailman 2.1, but you can stop sending monthly reminders by removing the crontab entry that sends them.