[aur-general] Password sent every month ?
Hi there! Just new here. And I've been informed that "Normally, Mailman will remind you of your archlinux.org mailing list passwords once every month". Does it mean the passwords are saved somewhere?! That means that my password is sent periodically. That's not the only account for which I use this password. That is a HUGE security breach. Please, change that system.

And by the way, hello there, fellow arch users and devs ;)

-- 
Félix Piédallu
President of the Club Robotronik Phelma
06 51 41 32 48
Manjaro Linux. Feel the freedom.
Hi and welcome aboard Arch!

Concerning your issue: you probably have heard the advice to use different passwords everywhere? Also: the mailing list password is not that important. It merely controls your subscription, so no sensitive data is secured with it; it just prevents random people from fiddling with your subscription. That brings me to my next point: Arch uses a software called Mailman here, a mailing list management tool used widely on the interwebs, reviewed many times. You can also opt out of receiving this reminder in your subscription options (protected by this password).

I hope you see that this is not a security issue, but perhaps you want to change your Mailman password.
On 13 Jun 2015 6:52 pm, "G. Schlisio" <g.schlisio@dukun.de> wrote:
I have to second this. Use a password manager and generate different passwords for everything and you don't have to sweat it if a password gets leaked (especially something non essential like this).
Okay :) I agree with you, but I've got a "common pwd" that I use on some websites where I don't log in frequently (if I forget the pwd, that's the first one I try), so that was convenient. But yeah, I'm gonna change that pwd. I am still convinced this is a security breach, even if that's not a very important pwd, as you pointed out. Just imagine a "pirate" that knows that the pwd is sent every month. He knows he just has to wait some weeks intercepting every sent mail.

Anyway, thanks for the (very quick) answers :)

Félix Piédallu
President of the Club Robotronik Phelma
06 51 41 32 48
Manjaro Linux. Feel the freedom.

On 13/06/2015 20:00, Ben Oliver wrote:
Please post your answers below the mail you are replying to. This so-called bottom-post policy is preferred on all Arch mailing lists (that I am aware of). And, as I said, you can opt out of that resend, which I am sure a lot of people do.

Happy arching!
On 13/06/2015 20:48, G. Schlisio wrote:

Oh yeah, of course. That was just a fail with my web client ^^'' Thanks :)

-- 
Félix Piédallu
President of the Club Robotronik Phelma
06 51 41 32 48
Manjaro Linux. Feel the freedom.
+9999 to using a password manager. If you use a password manager (I use Lastpass) then you can keep a different password for everything you do, which is a much better solution and incidentally helps you not forget your passwords. ;)

-- 
Eli Schwartz
* Félix Piédallu <felix@piedallu.me> [2015-06-13 19:42:55 +0200]:
Yes, Mailman stores passwords in plain text in the current version. I think this was changed in Mailman 3, but that's rather new and radically different. But it's really something common. The sign-up page even says this (in bold!): "Do not use a valuable password as it will occasionally be emailed back to you in cleartext."

As others pointed out already, using different passwords is a really good idea anyway. Many more pages store passwords in plaintext (they are just less honest about it), unfortunately.

Florian

-- 
http://www.the-compiler.org | me@the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
I love long mails! | http://email.is-not-s.ms/
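The point in Florian's reply is the whole issue: a service that can mail your password back must be keeping it in a form it can read, which is what makes every reminder an interception target. The example below is added here and is not Mailman's or Arch's code; it puts the two designs side by side: a store that keeps cleartext so it can send reminders, and one that keeps a salted scrypt hash and replaces the reminder with a single-use, expiring reset token. The class names, the account and the fixed timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time


class PlaintextStore:
    """What a monthly 'password reminder' implies: the password itself is kept,
    so it can be mailed back. Anyone reading the mail or the database gets it.
    (Constructed illustration, not Mailman's storage code.)"""

    def __init__(self):
        self._db = {}

    def register(self, email, password):
        self._db[email] = password

    def check(self, email, password):
        return hmac.compare_digest(self._db.get(email, ""), password)

    def reminder_mail(self, email):
        # The reminder can only exist because the cleartext is stored.
        return "To: %s\nYour list password is: %s\n" % (email, self._db[email])


class HashedStore:
    """Hardened pattern: salted scrypt hash (not reversible) plus a single-use,
    expiring reset token instead of a reminder."""

    def __init__(self, server_secret=None):
        self._db = {}        # email -> (salt, digest)
        self._tokens = {}    # hmac(token) -> (email, expiry)
        self._secret = server_secret or secrets.token_bytes(32)

    @staticmethod
    def _hash(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, email, password):
        salt = os.urandom(16)
        self._db[email] = (salt, self._hash(password, salt))

    def check(self, email, password):
        rec = self._db.get(email)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._hash(password, salt), digest)

    def reminder_mail(self, email):
        raise LookupError("password is not recoverable from a salted hash")

    def _token_key(self, token):
        # Only an HMAC of the token is stored, so reading the database yields no usable tokens.
        return hmac.new(self._secret, token.encode(), "sha256").hexdigest()

    def issue_reset_token(self, email, ttl=900, now=None):
        token = secrets.token_urlsafe(32)
        self._tokens[self._token_key(token)] = (email, (now or time.time()) + ttl)
        return token

    def redeem_reset(self, token, new_password, now=None):
        entry = self._tokens.pop(self._token_key(token), None)   # single use
        if entry is None:
            return False
        email, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.register(email, new_password)
        return True


def demo():
    """Constructed account; returns what each store can and cannot do."""
    email, pw = "alice@example.org", "correct horse battery staple"
    plain = PlaintextStore()
    plain.register(email, pw)
    hashed = HashedStore()
    hashed.register(email, pw)

    try:
        hashed.reminder_mail(email)
        recoverable = True
    except LookupError:
        recoverable = False

    tok = hashed.issue_reset_token(email, ttl=900, now=1000)
    first = hashed.redeem_reset(tok, "new-pw", now=1100)      # valid, within ttl
    replay = hashed.redeem_reset(tok, "again", now=1100)      # same token again
    stale = hashed.issue_reset_token(email, ttl=900, now=1000)
    expired = hashed.redeem_reset(stale, "late", now=2000)    # past expiry
    return {
        "plaintext_leaks": pw in plain.reminder_mail(email),
        "hash_recoverable": recoverable,
        "reset_once": first,
        "reset_replay": replay,
        "reset_expired": expired,
        "new_pw_works": hashed.check(email, "new-pw"),
        "old_pw_works": hashed.check(email, pw),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The reminder mail from the first store contains the password verbatim, which is exactly what an interceptor waiting for the monthly message would collect; the second store cannot produce such a mail at all, and the reset token it sends instead is worthless once used or after its time window passes.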