[Owasp-leaders] Once again people are tweeting about mailman sending back clear text passwords

Rogan Dawes rogan at dawes.za.net
Wed Feb 1 12:06:14 UTC 2012


On 2012/02/01 1:38 PM, Erlend Oftedal wrote:
> If we could set it globally that would be great, but it still does not
> solve the underlying issue. Mailman is storing passwords in a
> recoverable format (maybe even cleartext), which is a bad thing imho.
>
> Erlend

Perhaps this is the incentive we need to migrate to something better 
than mailman.

2 seconds of googling gave me this:

http://nzoss.org.nz/content/open-source-alternative-to-mailman-and-google-groups-released

which claims to be a mashup of a forum and a mailing list. That could be 
a nice feature, since people have been asking for a forums interface as 
well as/instead of the mailing list. This could be the best of both worlds.

Anyone got time to take a look at it from a security perspective?

Rogan
P.S. Agreed that the first thing to do is disable the monthly password 
reminder being sent out.

>
> ------------------------------------------------------------------------
> *From:* owasp-leaders-bounces at lists.owasp.org
> [owasp-leaders-bounces at lists.owasp.org] on behalf of Benny Ketelslegers
> [benny.ketelslegers at owasp.org]
> *Sent:* 1 February 2012 12:24
> *To:* Owasp-Leaders
> *Subject:* Re: [Owasp-leaders] Once again people are tweeting about mailman
> sending back clear text passwords
>
>
> If you go to the administration interface of Mailman, there is an option
> "Send monthly password reminders?" Simply select "no". Am I overlooking
> something obvious or is this what you want?
>
> It's a per list setting, I'm not sure if you can set it globally. Maybe.
>
> Best Regards,
> Benny
> Japan chapter
>
> On Wed, Feb 1, 2012 at 5:59 PM, John Wilander <john.wilander at owasp.org
> <mailto:john.wilander at owasp.org>> wrote:
>
>     I've had two chapter members leaving us because of this. Sending out
>     members' passwords in plaintext is nothing less than scandalous for
>     an appsec community. Agree?
>
>     If I can help out or if there's some setting I've missed, please let
>     me know. And if there's a setting for "Don't send plaintext
>     passwords" it should be on by default.
>
>     Regards, John
>
>
>     2012/2/1 Erlend Oftedal <Erlend.Oftedal at bekk.no
>     <mailto:Erlend.Oftedal at bekk.no>>
>
>         This is creating some bad publicity for OWASP.
>
>         We should fix this. See
>         http://twitter.com/dietervds/statuses/164629488351711232
>
>         OWASP will be put on plaintextoffender.com
>         <http://plaintextoffender.com>
>
>         Best regards,
>
>         Erlend Oftedal
>
>         OWASP Norway chapter
>
>
>         _______________________________________________
>         OWASP-Leaders mailing list
>         OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>     --
>     John Wilander, https://twitter.com/johnwilander
>     Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>     Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>     My music http://www.johnwilander.com & my résumé http://johnwilander.se
>
>
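Benny's reply above points at the per-list "Send monthly password reminders?" switch in the admin interface and is unsure whether it can be set globally. As an added example that is not part of this thread (and not Mailman's own code), the script below does it for every list at once using Mailman 2.1's `bin/withlist`, which loads each list and calls a function of your choosing with the MailList object. It assumes a Mailman 2.1 installation where the setting is the list attribute `send_reminders`; the `_FakeList` class and `demo()` are constructed stand-ins so the function can be exercised without Mailman installed.

```python
# Added example: disable Mailman 2.1's monthly password reminder on every
# list in one go, instead of clicking through each list's admin interface.
#
# Mailman 2.1 stores the per-list setting as the `send_reminders` attribute
# of the MailList object and ships `bin/withlist`, which imports a module
# and calls a function of your choosing with each list object. Save this
# file as disable_reminders.py in Mailman's bin/ directory and run:
#
#   bin/withlist -l -a -r disable_reminders.disable_reminders
#
# (-a: every list on the server, -l: lock each list before the call,
#  -r: the module.function to run). Mailman 2.1 runs on Python 2, so the
# code below sticks to syntax that works on both Python 2 and 3.
from __future__ import print_function


def disable_reminders(mlist, dry_run=False):
    """Turn off the monthly password reminder for one list.

    `mlist` is a Mailman MailList object (withlist -l passes a locked one).
    Returns True if the setting was (or would be) changed, False if the
    reminder was already off for this list.
    """
    name = mlist.internal_name()
    if not mlist.send_reminders:
        print('%s: reminders already disabled' % name)
        return False
    if dry_run:
        print('%s: would disable reminders' % name)
        return True
    mlist.send_reminders = 0
    mlist.Save()  # persist config.pck; withlist unlocks the list afterwards
    print('%s: reminders disabled' % name)
    return True


class _FakeList(object):
    """Constructed stand-in for a MailList object (not part of Mailman), so
    the function above can be run and checked without a Mailman install."""

    def __init__(self, name, send_reminders):
        self._name = name
        self.send_reminders = send_reminders
        self.saved = False

    def internal_name(self):
        return self._name

    def Save(self):
        self.saved = True


def demo():
    """Run disable_reminders over two constructed lists: one with reminders
    on, one already off. Returns the resulting (name, setting, saved) state
    of each list plus the per-list return values."""
    lists = [_FakeList('owasp-leaders', 1), _FakeList('owasp-norway', 0)]
    changed = [disable_reminders(l) for l in lists]
    state = [(l.internal_name(), l.send_reminders, l.saved) for l in lists]
    return state, changed


if __name__ == '__main__':
    print(demo())
```

Two caveats for whoever runs this: setting `DEFAULT_SEND_REMINDERS = 0` in `mm_cfg.py` only changes the default for lists created afterwards, so existing lists still need the `withlist` pass above. And, as Erlend's reply notes, switching off the reminder only stops Mailman mailing the password out; it does nothing about the recoverable format the password is stored in, which is the underlying problem the thread is about.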