I do routinely disable the monthly password reminders though - there's enough in the web admin that people can retrieve their passwords if they really need them.
Bob
JC Dill wrote:
Florian Weimer wrote:
Last time I checked, Mailman labels its member-only archives "private", and the implicit promise to keep things posted to the list private is not kept if the software assigns easily guessed to new members.
I can only repeat that Mailman's current behavior surprises your users *a* *lot*,
I disagree.
So-called "private" archives are only kept from prying eyes until those eyes subscribe, at which time they are then visible. As I see it, the point of Mailman's security measures is not to keep anyone "else" from ever viewing the archives, it is to keep random web browsers and web spiders from accessing the archives. If someone has the ability to script a password guessing algorithm to try to guess an acceptable username/password pair to access the archives, they can more easily script a program to subscribe, confirm, and then access the archives as a subscriber. Plus, no matter how simple or secure the password, if you are scripting a password cracker then it's just a matter of time; the more easily guessed password is cracked *faster* (on average) but even "secure" passwords will be cracked eventually.
If your mailing list archives need greater security than this, then you need a different system. I don't think it is necessary or useful for Mailman to be the system that meets those needs, especially at the cost of making Mailman less useful for others who don't need such strong security measures for their list archives.
and leads to security breaches.
I would love to see a cite for your claim of "leads to security breaches". Do you know of actual cases where someone has gained access to private archives by cracking a mailman generated semi-random password rather than by simply subscribing, or by gaining access to a single password thru intercept or social engineering means?
jc
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com