On Friday, November 13, 2015 at 11:39 AM, Merlijn van Deen wrote:
> On 13 November 2015 at 17:06, Risker <risker.wp@gmail.com> wrote:
>> At the same time, we should keep in mind that the core issue here is that a few
>> listadmins appear to have used the same password for listadmin duties as they were using
>> for other accounts. All the password protection systems in the world are not going to
>> change what happened here, if people are going to use obviously insecure, shared passwords
>> as personal passwords as well.
>
> As I understand it, *subscribers* used their regular passwords for mailman, and mailman
> stores passwords *unhashed* on the server (!).

And not only that, the passwords are routinely emailed—in plain text, without me prompting
it. Email is not secure. I use a throwaway password for Mailman for that reason. Frankly,
it’s embarrassing we still use this software.
Regards,
James Hare