Comment 8 for bug 266821

trampster (trampster) wrote : Re: [Bug 266821] Re: privacy hole in password reminder

Are you aware that the bug you made this a duplicate of is marked as
invalid?

On Tue, Oct 2, 2012 at 6:49 AM, Mark Sapiro <email address hidden> wrote:

> *** This bug is a duplicate of bug 265179 ***
> https://bugs.launchpad.net/bugs/265179
>
> ** This bug has been marked a duplicate of bug 265179
> Security hole: passwords mailed in clear
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/266821
>
> Title:
> privacy hole in password reminder
>
> Status in GNU Mailman:
> Triaged
>
> Bug description:
> Mailman sends me password reminders in plain text. I
> can disable this feature, but other users can manually
> make it send a reminder just as if I had forgotten the
> password, with no other question being asked. If smart
> enough to intercept that message, the attacker could:
>
> 1) Get my password;
> 2) get my IP in the mail header.
>
> Possible solutions:
>
> 1) Some sites and programs use a "secret question"
> whose right answer would give the user the chance to
> get a password reminder.
>
> 2) The password could be prompted in a secure html
> page. I find this safer, as compared to plain text mails.
>
> [http://sourceforge.net/tracker/index.php?func=detail&aid=1441723&group_id=103&atid=350103]