Hello all, and thanks for your quick and thoughtful replies. I only realized today that I didn't send a copy of the message I was referring to - it is a monthly mailing and is below. Yes, I had not noticed that the auto-email could be disabled - which I did, and agree that it should be set administratively if at all possible. I'm encouraged that you're working on a complete solution to this, too, and thanks for the references to the blog posts.

Perry Engle

-----Original Message-----
From: mailman-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:mailman-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of mailman-owner@xxxxxxxxxxxxxxxxxxxxxx
Sent: Thursday, November 01, 2012 1:06 AM
To: Engle, Perry
Subject: lists.fedorahosted.org mailing list memberships reminder

This is a reminder, sent out once a month, about your lists.fedorahosted.org mailing list memberships. It includes your subscription info and how to use it to change it or unsubscribe from a list.

You can visit the URLs to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

In addition to the URL interfaces, you can also use email to make such changes. For more info, send a message to the '-request' address of the list (for example, mailman-request@xxxxxxxxxxxxxxxxxxxxxx) containing just the word 'help' in the message body, and an email message will be sent to you with instructions.

If you have questions, problems, comments, etc, send them to mailman-owner@xxxxxxxxxxxxxxxxxxxxxx. Thanks!

Passwords for pengle@xxxxxxxxx:

List                                     Password // URL
----                                     --------
trusted-computing@xxxxxxxxxxxxxxxxxxxxxx [password was here]
https://lists.fedorahosted.org/mailman/options/trusted-computing/pengle%40mitre.org

lumberjack-developers@xxxxxxxxxxxxxxxxxxxxxx [and here]
https://lists.fedorahosted.org/mailman/options/lumberjack-developers/pengle%40mitre.org

-----Original Message-----
From: Stephen John Smoogen [mailto:smooge@xxxxxxxxx]
Sent: Tuesday, November 06, 2012 11:29 AM
To: Kévin Raymond
Cc: Engle, Perry; webmaster@xxxxxxxxxxxxxxxxx
Subject: Re: Clear text passwords

On 6 November 2012 08:34, Kévin Raymond <shaiton@xxxxxxxxxxxxxxxxx> wrote:
> On Monday 05 Nov. 2012 at 22:04:07 (+0000), Engle, Perry wrote:
>> Hello - It's been happening for a while, but it's really (really) time to end storing clear text passwords in the database. It's *LONG* past time to send them in email to your users.
>>
>> If you'd like proof, go to
>>
>> http://plaintextoffenders.com/submit
>> And
>> http://krebsonsecurity.com/2012/06/naming-and-shaming-the-plaintext-offenders/
>>
>> Of all places, Fedora and Red Hat should be leading this charge.
>
> Hi,
>
> I suppose you refer to the Mailman monthly reminder?
> I agree, we can ask all the mailing lists admin to disable this "feature".

Originally the passwords were set up in the default way but this spring I changed many of the users' passwords to the randomly chosen method (16 character random string). I removed all ways for the user to change the password so the only way for them to know what the password is is via a reminder. I looked at that time at either hashing the passwords in mailman or some other method, and it was non-trivial. I am waiting for the hyperkitty implementation for a real fix.

--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh so
smart or oh so pleasant. Well, for years I was smart.
I recommend pleasant. You may quote me." -James Stewart as Elwood P. Dowd

--
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites