ietf-822

Re: monthly password reminders -- default to yes vs. no?

2008-03-02 04:38:32
On Sunday 02 March 2008, Alessandro Vesely wrote:
> Dave Crocker wrote:
>> A member of a mailing list I run complained about getting his
>> mailing list password, in the clear, every month.  Apparently this
>> is the default for mailman and I hadn't ever thought about it.
>
> That enforces the requirement that the owner of an email address, the
> "data subject" in European privacy directives parlance, must be able
> to amend or delete the relevant entry of the list.

The user can request the password to be sent to him. So it is not
necessary to send unsolicited password reminders. OTOH, in order to
request a password reminder the user must know which email address he
used to subscribe to the mailing list. (Yes, I know that the
subscribers of this particular mailing list can determine this address
from the message header. Subscribers to other mailing lists often lack
the necessary knowledge.) So in the end sending unsolicited password
reminders saves the mailing list administrator from getting too many
cries for help from the subscribers.


>> Certainly sending a password in the clear sounds like a
>> terrible idea and one might expect it to be enough to mandate
>> turning the default off.
>
> The user should have been warned to choose a weak password.

Since mailman automatically chooses a weak, but secure enough password
the user probably should not be asked for a password at all. This would
prevent the user from re-using an important password.


>> So I thought I'd ask you all for opinions...
>
> IMHO, it is annoying but practical, thus I'd vote yes.

Ditto.


Regards,
Ingo
