| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJjO9M=C9SbESFQjYv80+ZCQwuxaeB_W=YaVde2ZFLyE0pSUCw@mail.gmail.com> Date: Wed, 2 Apr 2014 11:38:12 -0700 From: Fyodor <fyodor@...p.org> To: Nick Lindridge <nick@...cube.com> Cc: Full Disclosure Mailing List <fulldisclosure@...lists.org> Subject: Re: [FD] Security flaw in Full Disclosure mailing list On Wed, Apr 2, 2014 at 6:43 AM, Nick Lindridge <nick@...cube.com> wrote: > > > Apologies if this has been pointed out before, hard to imagine that it > hasn't really. When signing up for the list, I was surprised that it > emailed back my password in plain text. > Hi Nick. Yeah, Mailman does that sort of thing. But to their credit, on the list description/signup page at ( http://nmap.org/mailman/listinfo/fulldisclosure), the text above the password box says: "You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext." They should probably just call it a confirmation token or something instead of password, as the point is just to prove you're the one getting email at the given address so you can edit your list subscription preferences. I never enter a token and let Mailman choose one for me. Cheers, Fyodor _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists