On Feb 10, 2005, at 7:02 AM, Barry Warsaw wrote:

> I think CAN-2005-0202 gives us the opportunity to finally implement what
> we have long considered an embarrassing exposure in Mailman's config.pck
> databases. Member passwords are kept in this database in the clear.
> The obvious fix is to hash member passwords and keep only the hash in
> the database.

+1

> As for #2, well, I think most people hate those password reminders
> anyway,

yes. we have some folks on our lists who send us monthly "why haven't you stopped doing this yet?" messages. it'd almost be amusing, if it weren't so annoying... (grin)


> To do this for 2.1.6, we'd have to change the "Email My Password To Me"
> feature in the options page and in the member login page.  These would
> have to become a "create a new password for me" feature.

+1

> The downside to doing this now is that it's more coding work for 2.1.6
> and I'd like to get the new version out asap. Still, this seems like an
> opportunity that we shouldn't lightly dismiss.



get the patch out with 2.1.6, then do 2.1.7 with the new password stuff. I think that's reasonable.
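The two changes discussed in this thread (keeping only a hash of each member password, and turning "Email My Password To Me" into "create a new password for me") fit together: once only a hash is stored, the old password cannot be recovered, so the only thing the list server can mail is a freshly generated one. The following is an added illustration, not Mailman's own code; `MemberDatabase` and its methods are hypothetical stand-ins for the per-list member records, and the password scheme (per-member random salt plus PBKDF2-HMAC-SHA256) is one reasonable choice rather than what any Mailman release uses.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2; tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a member password.

    A fresh 16-byte random salt is drawn when none is supplied, so two
    members with the same password get different stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class MemberDatabase:
    """Hypothetical stand-in for a list's member records.

    Only the salt and the hash are stored per address; the clear-text
    password never goes into the record.
    """

    def __init__(self):
        self._members = {}  # address -> {"salt": bytes, "hash": bytes}

    def set_password(self, address, password):
        salt, digest = hash_password(password)
        self._members[address.lower()] = {"salt": salt, "hash": digest}

    def check_password(self, address, password):
        """Verify a login attempt without ever decrypting anything."""
        rec = self._members.get(address.lower())
        if rec is None:
            # Still do the PBKDF2 work so response time does not reveal
            # whether the address is subscribed.
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, rec["salt"])
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, rec["hash"])

    def stored_record(self, address):
        """Copy of what would actually be persisted for this member."""
        return dict(self._members.get(address.lower(), {}))

    def reset_password(self, address):
        """The "create a new password for me" replacement for reminders.

        The old password is unrecoverable from its hash, so a new random
        one is generated, its hash stored, and the clear text returned
        exactly once so it can be mailed to the member.
        """
        if address.lower() not in self._members:
            return None
        new_password = secrets.token_urlsafe(12)
        self.set_password(address, new_password)
        return new_password


if __name__ == "__main__":
    db = MemberDatabase()
    db.set_password("member@example.com", "hunter2")  # constructed sample
    print("login ok:", db.check_password("member@example.com", "hunter2"))
    print("stored:", db.stored_record("member@example.com"))
    fresh = db.reset_password("member@example.com")
    print("mailed new password:", fresh)
    print("old password still works:", db.check_password("member@example.com", "hunter2"))
```

Note that `stored_record` contains no trace of the clear-text password, which is the point of the change: a leaked config.pck would expose salted hashes rather than reusable credentials, and the monthly reminder has nothing it could send.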



_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
