On Sunday 02 March 2008, Alessandro Vesely wrote:
> Dave Crocker wrote:
> > A member of a mailing list I run complained about getting his
> > mailing list password, in the clear, every month. Apparently this
> > is the default for mailman and I hadn't ever thought about it.
>
> That enforces the requirement that the owner of an email address, the
> "data subject" in European privacy directives parlance, must be able
> to amend or delete the relevant entry of the list.

The user can request the password to be sent to him. So it is not necessary to send unsolicited password reminders.

OTOH, in order to request a password reminder the user must know which email address he used to subscribe to the mailing list. (Yes, I know that the subscribers of this particular mailing list can determine this address from the message header. Subscribers to other mailing lists often lack the necessary knowledge.)

So in the end sending unsolicited password reminders saves the mailing list administrator from getting too many cries for help from the subscribers.

> > Certainly the sending a password in the clear sounds like a
> > terrible idea and one might expect it to be enough to mandate
> > turning the default off.
>
> The user should have been warned to choose a weak password.

Since mailman automatically chooses a weak, but secure enough password the user probably should not be asked for a password at all. This would prevent the user from re-using an important password.

> > So I thought I'd ask you all for opinions...
>
> IMHO, it is annoying but practical, thus I'd vote yes.

Ditto.

Regards,
Ingo