Kirke Johnson writes:

> I am concerned that list owners can put insecure admin passwords on
> their lists. My testing suggests that short passwords are accepted as
> well as alpha-only. The only control I have found is the length of
> admin passwords generated by Mailman. I have not located anything
> else that would enforce even minimal password security.
>
> Am I missing something here?

No, except that there are other security issues with all Mailman passwords. Specifically, that these transactions are conducted over unencrypted channels anyway. I think the passwords are also stored in clear on the server (those of the list members are, since they appear in monthly reminders) but I could be wrong about that.

It would be easy to add checks, I suppose, but you'd have to decide what checks you want. I don't think it would be much more difficult to add the concept of a user-supplied checker. Dealing with the link and storage security issues would be more complex.

You'll have to wait for Mark to speak up to find out if there are any plans in 2.2. For Mailman 3, I suspect this is all still pretty much up in the air. Check the wiki and maybe post a feature request to Mailman-Developers. I suggest posting a feature request to the tracker in any case so the suggestion won't get lost.
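
A site-supplied checker of the kind the reply mentions could be structured as in the following Python sketch. It is an added example, not part of the original message and not Mailman code; every function name, the `MIN_LENGTH` value and the sample passwords are assumptions made for illustration.

```python
import string
from typing import Callable, List, Optional

# A checker returns None when the password is acceptable, or a reason string.
# Every name and value here is hypothetical; none is a Mailman function or setting.
Checker = Callable[[str], Optional[str]]
MIN_LENGTH = 10  # assumed site policy


def check_length(password: str) -> Optional[str]:
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def check_not_alpha_only(password: str) -> Optional[str]:
    # The "alpha-only" case raised in the question.
    if password and all(c in string.ascii_letters for c in password):
        return "contains only letters"
    return None


def make_listname_checker(list_name: str) -> Checker:
    # Example of a site-supplied checker: reject passwords built on the list name.
    def check_listname(password: str) -> Optional[str]:
        if list_name.lower() in password.lower():
            return "contains the list name"
        return None
    return check_listname


def validate_password(password: str, checkers: List[Checker]) -> List[str]:
    """Run every checker and return all reasons; an empty list means accepted."""
    problems = []
    for checker in checkers:
        try:
            reason = checker(password)
        except Exception as exc:
            # Fail closed: a broken site-supplied checker must not let a password through.
            reason = f"{getattr(checker, '__name__', 'checker')} failed: {exc}"
        if reason:
            problems.append(reason)
    return problems


if __name__ == "__main__":
    policy = [check_length, check_not_alpha_only, make_listname_checker("mailman-users")]
    for candidate in ("secret", "Mailman-Users-2009", "t7#Lq-vaulted-9"):  # constructed samples
        print(candidate, "->", validate_password(candidate, policy) or "accepted")
```

Returning every reason at once, rather than stopping at the first failure, lets the list owner fix the password in one attempt.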