Clear text passwords
Tom Callaway
tcallawa at redhat.com
Tue Nov 6 15:34:35 UTC 2012
On 11/05/2012 05:04 PM, Engle, Perry wrote:
> Hello – It’s been happening for a while, but it’s really (really) time
> to end storing clear text passwords in the database. It’s **LONG** past
> time to send them in email to your users.
>
> If you’d like proof, go to
>
> http://plaintextoffenders.com/submit
>
> And
>
> http://krebsonsecurity.com/2012/06/naming-and-shaming-the-plaintext-offenders/
>
> Of all places, Fedora and Red Hat should be leading this charge.
Hi Perry.
Thanks for your email. We are currently working on an initiative called
"Hyperkitty", which is a rewrite of the Mailman3 Archiver code. Part of
this initiative (a very small part) includes the removal of plain-text
passwords.
For more information about this project, please see:
http://aurelien.bompard.org/post/2012/10/17/Progress-on-HyperKitty
Additionally, back in March, we disabled user password settings as much
as possible in the existing Mailman 2 environments:
http://smoogespace.blogspot.com/2012/04/mailman-passwords-how-fedora-it-is.html
While mailman still sends a clear-text password back to the user upon
request, it is a throw-away password.
If there are other areas where you believe we are handling passwords
insecurely, please point them out to us.
Thanks again,
Tom Callaway
Fedora Engineering Manager
==
Fedora Project