Hold on. As a list administrator for 3 lists, I received emails to change the listadmin password for all three, and have done so and shared the new password with the rest of the list admins.
However, as a list subscriber, I have yet to receive an email telling me that there is a forced password change for any WMF-based list to which I subscribe. Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users.
- Do subscribers have to change their password for each WMF-based mailman mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once? (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.)
- If not, what happens to those subscriptions? are they discontinued if the user does not update his or her password, or do they just continue?
I think that there are a lot of valid points being made about the inherent problem of having listadmin passwords that are not user-specific. At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. All the password protection systems in the world are not going to change what happened here, if people are going to use obviously insecure, shared passwords as personal passwords as well.
Risker/Anne