On Sunday 02 March 2008, Alessandro Vesely wrote:
Dave Crocker wrote:
A member of a mailing list I run complained about getting his
mailing list password, in the clear, every month. Apparently this
is the default for mailman and I hadn't ever thought about it.
That enforces the requirement that the owner of an email address, the
"data subject" in European privacy directives parlance, must be able
to amend or delete the relevant entry of the list.
The user can request the password to be sent to him. So it is not
necessary to send unsolicited password reminders. OTOH, in order to
request a password reminder the user must know which email address he
used to subscribe to the mailing list. (Yes, I know that the
subscribers of this particular mailing list can determine this address
from the message header. Subscribers to other mailing lists often lack
the necessary knowledge.) So in the end sending unsolicited password
reminders saves the mailing list administrator from getting too many
cries for help from the subscribers.
Certainly sending a password in the clear sounds like a
terrible idea and one might expect it to be enough to mandate
turning the default off.
The user should have been warned to choose a weak password.
Since mailman automatically chooses a weak but secure enough password,
the user probably should not be asked for a password at all. This would
prevent the user from re-using an important password.
So I thought I'd ask you all for opinions...
IMHO, it is annoying but practical, thus I'd vote yes.