
devel - RE: [sympa-dev] Encrypted password

Subject: Developers of Sympa

  • From: "Nicolas Brouard" <address@concealed>
  • To: <address@concealed>
  • Subject: RE: [sympa-dev] Encrypted password
  • Date: Thu, 1 Feb 2001 17:23:57 +0100

Hi,

I apologize for my first mail, which was in French. The English
documentation that came with sympa looked so French...

My concern is to avoid non encrypted passwords, not for "security reasons"
as said in your "To do list":

"Passwords are currently NOT encrypted in the database. Considering that most
people use a single password for almost any usage, this is a security
problem. It could be encrypted with a reversible algorithm, thus allowing
password reminding."

but because I don't trust the local list manager. I have managed many
mailing lists and I don't want to be able to read passwords from
subscribers. It is unethical. I am not afraid of hackers, sorry.

Therefore the solution is probably, as I explained in my previous French
message, to send a message to the subscriber who asks for a forgotten
password. Usually he will ask by clicking on a link from the mailing list
web site. This link will (1) ask for the personal email address and
(2) send a message to the email address of the subscriber.

This message will contain another link, to a quite long, unique, personal
and temporary cgi-bin which gives access to a temporary web page. This web
page outputs the name and email-address of the subscriber (who has forgotten
his password, ok) and asks him to enter and confirm a new password. The
password is then encrypted and stored in the database.

I have seen such (or similar) operational process among web mailing lists
for children where security concerns are more important than among adults
(paedophilia for example).

What do you think of that?

Nicolas Brouard
Institut national d'études démographiques
Paris
mailto:address@concealed http://sauvy.ined.fr/brouard/english

-----Original Message-----
From: Olivier LACROIX [mailto:address@concealed]
Sent: Thursday, 1 February 2001 12:05
To: address@concealed
Cc: address@concealed
Subject: Re: [sympa-dev] Encrypted passwords



In his message, "Nicolas Brouard" wrote:
----------------------------------------------
*> There must be other technical solutions, but I believe that storing
*> cleartext passwords in databases must be banned

Hello.

Please speak english in this list or use sympa-fr.

Your question is: why are the passwords not encrypted in the database?

It's in the TO DO notes (see http://listes.cru.fr/sympa/in-the-future.html
in the security section).




--

Olivier LACROIX

C.I.R.I.L.
Cellule Réseau StanNet
Chateau du Montet | Tel : +33 3.83.44.74.29
Rue du Doyen Roubault | Fax : +33 3.83.44.02.62
F - 54500 VANDOEUVRE | email : address@concealed
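The reset flow Brouard sketches above (a mailed link carrying a long, unique, temporary token; a temporary page that shows the subscriber's name and address and asks for a new password twice; the new password then stored in a form the list manager cannot read), written out as an added example. This is not Sympa's code and not something either correspondent posted; the store names, the one-hour token lifetime, the PBKDF2 work factor and the link URL are assumptions, and the subscriber record is constructed. One deliberate departure from the 2001 text: the password is stored as a salted one-way hash rather than "encrypted", because a reversible cipher would leave anyone with database access able to read it, which is exactly what the message wants to rule out.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for Sympa's subscriber table.
# (Assumption: the real schema is not shown on the page; names are invented.)
SUBSCRIBERS = {
    "alice@example.org": {"name": "Alice Example", "pw_salt": None, "pw_hash": None},
}
RESET_TOKENS = {}           # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL_SECONDS = 3600    # assumed lifetime of the "temporary" link
PBKDF2_ROUNDS = 200_000     # assumed work factor


def hash_password(password, salt=None):
    """Salted, slow, one-way hash. Unlike the reversible scheme floated in the
    TODO list, nobody who can read the database (the list manager included)
    can recover the cleartext, which is the concern raised in the thread."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def _token_key(token):
    # Only a digest of the token is stored, so a database dump does not hand
    # out live reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email, now=None):
    """Steps (1)-(2): the subscriber gave an address; return the token to put in
    the mailed link, or None for unknown addresses. The web page should answer
    identically in both cases so it does not confirm who is subscribed."""
    now = time.time() if now is None else now
    if email not in SUBSCRIBERS:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits: long, unique, unguessable
    RESET_TOKENS[_token_key(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def lookup_token(token, now=None):
    """The temporary page: show name and address for a live token, else None.
    Expired tokens are purged on sight."""
    now = time.time() if now is None else now
    key = _token_key(token)
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return None
    if entry["expires"] < now:
        del RESET_TOKENS[key]
        return None
    sub = SUBSCRIBERS[entry["email"]]
    return {"name": sub["name"], "email": entry["email"]}


def complete_reset(token, new_password, confirm, now=None):
    """Accept the new password entered and confirmed on the temporary page.
    Returns True on success. The token is consumed on success (single use);
    a typo in the confirmation leaves it valid so the subscriber can retry."""
    if new_password != confirm or len(new_password) < 8:
        return False
    who = lookup_token(token, now)
    if who is None:
        return False
    del RESET_TOKENS[_token_key(token)]
    salt, digest = hash_password(new_password)
    SUBSCRIBERS[who["email"]].update(pw_salt=salt, pw_hash=digest)
    return True


def verify_password(email, password):
    """Login check: recompute with the stored salt and compare in constant time."""
    sub = SUBSCRIBERS.get(email)
    if sub is None or sub["pw_hash"] is None:
        return False
    _, digest = hash_password(password, sub["pw_salt"])
    return secrets.compare_digest(digest, sub["pw_hash"])


if __name__ == "__main__":
    tok = request_reset("alice@example.org")
    # Assumed URL shape; in the flow above this line goes in the e-mail.
    print("mail this link: https://lists.example.org/wws/reset/" + tok)
    print(lookup_token(tok))
    print(complete_reset(tok, "correct horse battery", "correct horse battery"))
    print(verify_password("alice@example.org", "correct horse battery"))
```

The three properties the message asks for are each checked in one place: the token is unguessable because it comes from the OS CSPRNG, temporary because every lookup compares against the stored expiry, and personal because the record it points at fixes which subscriber's password changes. The page never needs the old password, so there is nothing for a "reminder" feature to read back, and the `request_reset` caller should show the same "if this address is subscribed, a message has been sent" text whether or not it got a token.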





