On Mon, May 18, 2015 at 10:45:50PM +0300, IETF Chair wrote:
> The Mailman passwords are emailed in plain text, which is
> generally considered a poor practice from a security standpoint.

These are low-value secrets.  It doesn't matter if they go over e-mail in
cleartext.

What really matters though is that users be able to access the features
that these passwords have enabled thus far:

 - unsubscribing

 - changing one's subscribed address (this is incredibly useful, since
   mailman allows mass-changing the subscribed address, so if one is
   subscribed to 50 IETF lists and one needs to change the subscribed
   address, a single change will suffice for all, instead of having to
   do 50 manual changes)

 - accessing moderation and other manager features (for list
   owners/moderators)

These operations can't be made much harder than they are now.  I, and I
suspect most everyone else, WILL NOT keep a password database for these
passwords, and we won't memorize them either.

I'm not opposed to not e-mailing these passwords periodically, or even
not e-mailing them at all, as long as there's a way to access the above
features without having to memorize these silly passwords.  Forcing
users to go through a password reset every time will do, but note that
that's pretty much the same thing as... sending passwords in cleartext
in e-mail!

The one security-relevant difference between e-mail list password reset
and e-mail list password reminders is that password reset tokens
generally expire.  Both are utterly low-value; neither requires
cryptographic protection.

If all you're doing is no longer mailing these _periodically_, then
that's OK, and if it helps operationally, so much the better.  But
please don't bill this as a great security improvement -- it's not.

Nico
--
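The distinction the message draws between a mailed password reminder and a mailed reset link (the reset token expires, the reminded password does not) is easy to make concrete. The following is an added example, not part of the thread and not Mailman's code: a minimal HMAC-signed, time-limited, single-use reset token. The server key, the one-hour TTL, and the subscriber address are constructed values for illustration; a real deployment would generate the key once per installation and never send it anywhere.

```python
import hashlib
import hmac
import time
from typing import Optional, Set

# Constructed server-side secret for this example only.  In a real list
# server this is generated once at install time and never leaves the host.
SERVER_KEY = b"constructed-example-key-not-for-real-use"

# Assumed policy: a reset link stops working one hour after it was issued.
TOKEN_TTL_SECONDS = 3600


def _mac(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex-encoded."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_reset_token(key: bytes, address: str, now: Optional[float] = None,
                      ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Return 'address|expiry|mac'.

    The MAC binds the address and the expiry so neither can be edited by
    whoever reads the e-mail later; the expiry is what makes the token
    short-lived, unlike a plain password reminder that stays valid until
    the password is changed.
    """
    if now is None:
        now = time.time()
    expiry = int(now) + ttl
    payload = f"{address}|{expiry}"
    return f"{payload}|{_mac(key, payload)}"


def verify_reset_token(key: bytes, token: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the subscriber address if the token is intact and unexpired,
    otherwise None (malformed, forged, altered, or past its expiry)."""
    if now is None:
        now = time.time()
    try:
        # rsplit from the right so a '|' inside the address part is harmless
        address, expiry_str, mac = token.rsplit("|", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None
    expected = _mac(key, f"{address}|{expiry}")
    if not hmac.compare_digest(expected, mac):
        return None  # forged or altered
    if now >= expiry:
        return None  # expired: an old message in a mailbox is now useless
    return address


def redeem_reset_token(key: bytes, token: str, used: Set[str],
                       now: Optional[float] = None) -> Optional[str]:
    """Verify and consume a token: a token that has been redeemed once
    cannot be replayed, even within its TTL.  `used` stands in for
    whatever persistent store the list server would keep."""
    address = verify_reset_token(key, token, now)
    if address is None or token in used:
        return None
    used.add(token)
    return address


if __name__ == "__main__":
    issued_at = 1_000_000
    tok = issue_reset_token(SERVER_KEY, "subscriber@example.org", now=issued_at)
    print("token:", tok)
    print("10 minutes later:", verify_reset_token(SERVER_KEY, tok, now=issued_at + 600))
    print("2 hours later:   ", verify_reset_token(SERVER_KEY, tok, now=issued_at + 7200))
```

The point the example makes is the one in the message: the value of intercepting such an e-mail is bounded by the TTL (and by the single-use check) for a reset link, whereas a reminded password is good until someone changes it. Neither scheme adds cryptographic protection to the mail itself; the HMAC only stops the recipient from editing the address or the expiry inside the token.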