On Friday, November 13, 2015 at 11:39 AM, Merlijn van Deen wrote:
On 13 November 2015 at 17:06, Risker <risker.wp@gmail.com> wrote:
At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. All the password protection systems in the world are not going to change what happened here, if people are going to use obviously insecure, shared passwords as personal passwords as well.
As I understand it, *subscribers* used their regular passwords for mailman, and mailman stores passwords *unhashed* on the server (!).
And not only that, the passwords are routinely emailed—in plain text, without me prompting it. Email is not secure. I use a throwaway password for Mailman for that reason. Frankly, it’s embarrassing we still use this software.
Regards, James Hare