[Fwd: [Snowball-discuss] Do not send passwords in the clear!]

From: Richard Boulton (richard@tartarus.org)
Date: Tue Oct 01 2002 - 17:45:01 BST


Steve,

Sorry about that, I meant to turn off the Mailman option to send the
monthly reminders. Mailman sets this option by default, but it isn't
really useful, and as you point out is a bit of a security issue. The
option is only available as a global setting across all users of the
list. I've changed it, so no future monthly reminders should be sent.

Users can always request sending of their password if they forget it by
visiting their settings page. (Of course, so can any other attacker.)

Of course, the passwords are sent in the clear whenever you change your
options anyway, and for this reason they are not meant to provide more
than mild security. I believe it is made clear on the webpage that you
shouldn't use the same password for the list as for anything else you
want to keep secure.

-- 
Richard

PS: you found the way to stop it sending you monthly reminders with plaintext passwords.

-----Forwarded Message-----

From: "Tolkin, Steve" <Steve.Tolkin@FMR.COM>
To: 'richard@tartarus.org' <richard@tartarus.org>
Cc: 'snowball-discuss@lists.tartarus.org.' <snowball-discuss@lists.tartarus.org>
Subject: [Snowball-discuss] Do not send passwords in the clear!
Date: 01 Oct 2002 08:53:45 -0400

I decided to unsubscribe from the snowball mailing list http://lists.tartarus.org/mailman/listinfo/snowball-discuss because I could not find a way to prevent it from including my password in the clear, i.e. not encrypted, in the monthly reminders.

You should never mail out passwords unless specifically requested.

Or there should be an option to suppress this, and it should be the default.

In fact there is no need to send out monthly reminders, so there should be an option to suppress those too.



This archive was generated by hypermail 2.1.3 : Thu Sep 20 2007 - 12:02:43 BST