On 6 November 2012 08:34, Kévin Raymond <shaiton(a)fedoraproject.org> wrote:
Le lundi 05 nov. 2012 à 22:04:07 (+0000), Engle, Perry a écrit :
> Hello - It's been happening for a while, but it's really (really) time to end
storing clear text passwords in the database. It's *LONG* past time to send them in
email to your users.
>
> If you'd like proof, go to
>
>
http://plaintextoffenders.com/submit
> And
>
http://krebsonsecurity.com/2012/06/naming-and-shaming-the-plaintext-offen...
>
> Of all places, Fedora and Red Hat should be leading this charge.
Hi,
I suppose you refer to the Mailman monthly reminder?
I agree, we can ask all the mailing lists admin to disable this "feature".
Originally the passwords were set up in the default way but this
spring I changed many of the users passwords to the randomly chosen
method (16 character random string). I removed all ways for the user
to change the password so the only way for them to know what the
password is via a reminder.
I looked at that time on either hashing the passwords in mailman or
some other method, and it was non-trivial. I am waiting for the
hyperkitty implementation for a real fix.
--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd