On 07/12/14 07:25, Ez Egy wrote:
...
> Why in the hell does the lists.openbsd.org store the passwords in
> plaintext?
...
> Things against storing passwords in cleartext:
> - if the server is compromised, all the passwords will be out.. there are
> always idiots that use the same password for everywhere..
> - http://plaintextoffenders.com/

1) a pw is not needed to utilize the mail lists.
2) the default pw is set by the list server, NOT the user.
--> so if someone uses the same pw elsewhere, they /actively/ chose this path!

> Solutions:
> - store the passwords in bcrypt?

I'm not seeing a problem that needs a solution.

You provide me another example of my recent rants on losing track of goals in favor of means to meet those goals. Your general statement that PWs should not be "stored" is /generally/ a good suggestion towards the goal of security. BUT IT IS NOT THE GOAL.

majordomo does a very good job of never needing a password -- you can subscribe to the lists, unsubscribe from the lists, etc. NEVER USING A PASSWORD. This is plainly superior to the various web services which insist on you defining PWs for something anyone can download (IF you "register"), and might need to use maybe once a year or so (I'm glaring at you, VMware). This design is (in my opinion) BETTER than a pw-obsessed web-app.

I've been subscribed to OpenBSD mail lists since the 2.5 days (over 16 years!), and NEVER needed to use my list password. This is good design in my opinion. If I DID need it, you think I could actually find my majordomo pw?

If your majordomo pw is sync'd with any PW anywhere else in the world, YOU chose to set your pw, and there's not much we can do to keep you from hurting yourself that way.

Nick.

