The problem isn't plain text emailed passwords.
The *real* problem is storing plain text passwords on the server that runs 
mailman.
If that server gets compromised, the attacker has a list of email addresses and 
passwords.
I guess you all heard about the recent problems with Sony's Playstation Network 
(PSN). One of the biggest problems there was that Sony stored plain text 
passwords. If you Google for "plain text passwords", you will see thousands of 
articles that advise against it, and none that recommend it. Storing plain text 
passwords in a database is a security antipattern.

Passwords should always be one-way encrypted (hashed), and preferably
well salted.

This is a website that shames Plain Text Offenders: 
http://plaintextoffenders.com/
Mailman should be added to that website, and Ubuntu should add a very clear 
security warning to Mailman. Other (more secure) mailing list software should 
be advised, or a more secure (patched) version (MM 2.1, 3.0, whatever) should 
be used.

Canonical/Ubuntu itself currently uses Mailman for its community
mailing lists (ubuntu-users etc...). This should be seriously evaluated.

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/266821

Title:
  privacy hole in password reminder
_______________________________________________
Mailman-coders mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-coders
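As an added illustration of the "hashed and well salted" storage the post above recommends (example code written for this page; it is not Mailman's code, not from the thread, and the record format, function names and iteration count are assumptions), the following stores a per-user random salt plus a PBKDF2-HMAC-SHA256 digest instead of the password itself. A leaked table of such records gives an attacker no passwords to read, unlike the plain text store the post describes, and the constant-time comparison avoids leaking timing information on verification.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout (not Mailman's): scheme$iterations$salt_hex$digest_hex
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise as hardware improves
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted one-way record suitable for storage; the plain text
    password is never part of the returned string."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "%s$%d$%s$%s" % (SCHEME, iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Malformed or foreign records (for example a legacy plain text entry) are
    rejected rather than parsed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_subscriber_table(subscribers: dict) -> dict:
    """Constructed stand-in for a list's member store: maps address -> record.
    Only hashed records are kept, so a copy of this table reveals no passwords."""
    return {addr: hash_password(pw) for addr, pw in subscribers.items()}


if __name__ == "__main__":
    # Constructed sample data, not real subscribers.
    table = build_subscriber_table({"alice@example.org": "correct horse",
                                    "bob@example.org": "battery staple"})
    for addr, record in table.items():
        print(addr, record)
    print(verify_password("correct horse", table["alice@example.org"]))  # True
    print(verify_password("wrong", table["alice@example.org"]))          # False
```

Because the salt is random per user, two subscribers who chose the same password get different records, so a precomputed table of digests cannot be reused across accounts. Note that a scheme like this cannot mail anyone their password back, which is exactly the point: the monthly reminder described in this bug only works because the plain text is kept.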