Security hole: passwords mailed in clear
Bug #265179 reported by Lpd-users
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Won't Fix | Medium | Unassigned |
Bug Description
I recently signed up on a SourceForge mailing list. The software mailed a
confirmation notice to my mailbox, with the password in the clear in the
message. This is a basic security hole. I reported this as a SourceForge
bug, and they said "Contact the gnu-mailman project."
In my opinion, passwords should never be mailed in the clear, especially not to
the e-mail address with which they are associated. Please consider changing
this.
Changed in mailman:
  status: Invalid → Confirmed
  status: Confirmed → Fix Released
Changed in mailman:
  status: Fix Released → Invalid
The Mailman password is in no way a secure password. Mailman is intended
for a wide variety of users, most of whom are unable to remember even the
simplest password ;)
The Mailman password is not used as an authentication method, but more as
a *confirmation* method. You'll get a password reminder every month or so
(if the list admin and site admin enabled that) and the only things you use
the password for are unsubscribing, changing your options and viewing
the private archive (if any.)
In future versions of Mailman it might be possible to use external
passwords for mailing list subscribers, but currently the infrastructure for
that is missing. It's on the TODO list, in any case :)
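The comment above describes the mailed secret as a confirmation method rather than a real password. The following is an added example, not Mailman's code, of how a mailed confirmation secret can be designed so that the mailbox never receives anything reusable: a random, single-use token with an expiry, of which the server keeps only a hash. The store, the token lifetime and the `lists.example.org` URL are assumptions for the example.

```python
"""Added example (not Mailman's code): a one-time, expiring confirmation
token mailed instead of a reusable password. Only a hash of the token is
kept server-side, so neither a read mailbox nor a leaked store alone is
enough to act on the subscription later. All names here are hypothetical."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3 * 24 * 3600  # assumption: confirmations expire after 3 days

# In-memory stand-in for a database table: email -> (token_hash, expires_at)
_pending: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    # A plain SHA-256 is adequate here: the token is 256 bits of CSPRNG output,
    # so there is nothing for an offline guessing attack to exploit, unlike a
    # human-chosen password, which would need a slow, salted KDF.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_confirmation(email: str, now: Optional[float] = None) -> str:
    """Create a random token for `email`, store only its hash, return the
    token so it can be mailed exactly once. Re-issuing replaces the old one."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[email] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def confirm(email: str, token: str, now: Optional[float] = None) -> bool:
    """Validate a presented token: must exist, not be expired, match in
    constant time, and it is consumed on first successful use."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        _pending.pop(email, None)  # expired tokens are dropped, not kept
        return False
    if not hmac.compare_digest(token_hash, _hash_token(token)):
        return False
    _pending.pop(email, None)  # single use: a replayed token is rejected
    return True


def confirmation_mail(email: str, token: str) -> str:
    """Body of the message to send. It carries the one-time token only;
    no account password is ever written into mail. URL is hypothetical."""
    return (
        f"To confirm your subscription for {email}, visit:\n"
        f"https://lists.example.org/confirm?token={token}\n"
        "This link expires in 3 days and can be used once."
    )


if __name__ == "__main__":
    t = issue_confirmation("subscriber@example.org")
    print(confirmation_mail("subscriber@example.org", t))
    print("first use:", confirm("subscriber@example.org", t))
    print("replay:   ", confirm("subscriber@example.org", t))
```

The design point is that whatever lands in the mailbox is worthless after one use or after the expiry, and the server never stores the token itself, so the objection in the bug report (a reusable secret sitting in plaintext in the mailbox) does not arise even though the workflow still relies on e-mail delivery.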