hashes passwords before storing them and does not by
default send passwords monthly (it cannot) to users. I believe WMF Ops is aware of this
and will upgrade as soon as is practical, although of course I don't know for sure.
On Fri Nov 13 11:42:05 2015 GMT-0500, James Hare wrote:
On Friday, November 13, 2015 at 11:39 AM, Merlijn van Deen wrote:
On 13 November 2015 at 17:06, Risker <risker.wp(a)gmail.com> wrote:
At the same time, we should keep in mind that the core issue here is that a few
listadmins appear to have used the same password for listadmin duties as they were using
for other accounts. All the password protection systems in the world are not going to
change what happened here, if people are going to use obviously insecure, shared passwords
as personal passwords as well.
As I understand it, *subscribers* used their regular passwords for mailman, and mailman
stores passwords *unhashed* on the server (!).
And not only that, the passwords are routinely emailed—in plain text, without me
prompting it. Email is not secure. I use a throwaway password for Mailman for that reason.
Frankly, it’s embarrassing we still use this software.
Regards,
James Hare