[CentOS] Passwords in plain text

Fri Jun 15 22:44:47 UTC 2018
Johnny Hughes <johnny at centos.org>

WRT mailing the password in clear text .. how else would it mail it?

Mailman does not store any kind of encryption keys for email, and
frankly, most people don't know how to use encrypted email.  This list
probably has a (much) higher percentage of people who would know how to
use encrypted mail (i.e., Linux users .. who are more computer literate
than the average person).  But, I don't think mailman has sending
administrative mails to users encrypted as an option.

WRT this issue .. several hundred gmail accounts (and a few other
accounts) were disabled at a specific time today.  We don't yet know
exactly why this happened and before we mass reenable the accounts, we
need to make sure it is not going to happen again.

Since so many of the mails are gmail.com accounts, this has to be
something that gmail did today at 1530 GMT (when all the accounts were
disabled and the mails were sent).

We will try to figure out exactly what happened and get everything back
to normal as soon as we can.

Thanks,
Johnny Hughes

On 06/15/2018 02:32 PM, rebecca coleman wrote:
> Ah I see.  That said, this email wasn't a password reminder.  It was a
> "your membership has been disabled" email.
> 
> On Fri, Jun 15, 2018 at 2:36 PM, Keith Keller <
> kkeller at wombat.san-francisco.ca.us> wrote:
> 
>> On 2018-06-15, rj coleman <rjcdevelop at gmail.com> wrote:
>>> Am I the only one who just received this email from this group?  Which
>>> came with my password in the email in plain text?
>>
>> This is a standard feature of GNU Mailman.  You can disable the monthly
>> password reminder in your user preferences (which is the same place you
>> can change your password, if you are concerned that it was sniffed
>> during the SMTP exchange).
>>
>> The Mailman signup page warns you that the password will be emailed:
>>
>> "You may enter a privacy password below. This provides only mild
>> security, but should prevent others from messing with your subscription.
>> Do not use a valuable password as it will occasionally be emailed back
>> to you in cleartext."
>>
>> --keith
