On 13 November 2015 at 05:16, James Alexander jalexander@wikimedia.org wrote:
On Fri, Nov 13, 2015 at 1:23 AM, Lodewijk lodewijk@effeietsanders.org wrote:
Were only the admin passwords compromised, or also the passwords of the list members (who can set a password to view the membership etc)?
Lodewijk
All passwords were reset, including list member passwords. Because list member passwords can go through a "retrieve password" function and they get periodic reminders automatically, mass emails about those resets were not sent out, however. (I believe we may be adding a note in the auto reminder about how they were reset... but not entirely sure, I will leave that for ops)
Hold on. As a list administrator for 3 lists, I received emails to change the listadmin password for all three, and have done so and shared the new password with the rest of the list admins.
However, as a list subscriber, I have yet to receive an email telling me that there is a forced password change for any WMF-based list to which I subscribe. Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users.
- Do subscribers have to change their password for each WMF-based mailman mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once? (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.)
- If not, what happens to those subscriptions? Are they discontinued if the user does not update his or her password, or do they just continue?
I think that there are a lot of valid points being made about the inherent problem of having listadmin passwords that are not user-specific. At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. All the password protection systems in the world are not going to change what happened here, if people are going to use obviously insecure, shared passwords as personal passwords as well.
Risker/Anne