On May 9, 2009, at 4:51 PM, Bernd Petrovitsch wrote:
> - Depending on the security situation of your laptop/desktop/..., most browsers allow you to let them remember the password for you. So you have to really enter it only the first time.
Everyone who is concerned about security should be very strongly encouraging users to use good password management systems. If a user doesn't switch between browsers and clients, then the password management systems in most browsers are good enough. For other users, other solutions are needed. On the Mac, I'm a very big fan of 1Password, which works as a plug-in for several browsers, is set up for smart syncing of your keychain across systems and has a number of other very well thought out design elements. I've not really looked at password management systems for other platforms, but I'm sure that there must be some good ones out there.
Bringing this back to discussion of mailman, mailman helps illustrate exactly why a good password management system is needed. Mailman passwords are low value, low security. That is, there really isn't too much damage that can be done with a password compromise (thus "low value"). Also they get sent around in unencrypted email and typically are used on unencrypted HTTP connections. Thus they are relatively easy to get at.
But more most users they are very infrequently used. Thus, they are extremely unlikely to be remembered unless stored on the users system (reminder emails). But because they are unlikely to be remembered, if users do set them, then it is very likely that users will use a password scheme that is predictable.
That is they will either use the same password that they use on more high value systems, or they will use a variant of such a password. That is, they might use "mm-sekret" for mailman and "ba-sekret" for their Bank of America account. But mailman systems shouldn't be asked to treat your password as your banking password, but only as your mailman password.
A good password management system means that your individual passwords are not things that any human needs to remember. This frees them up to be both strong individually and independent of each other, so that the compromise of one of your passwords doesn't expose any of your others.
In my instructions to users, I added some explanation about these low security passwords
http://lists.shepard-families.org/#sec-passwd -j -- Jeffrey Goldberg http://www.goldmark.org/jeff/ ------------------------------------------------------ Mailman-Users mailing list [email protected] http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
