E-mailing passwords

As a grad student in the School of Engineering at UCSC, I’m a member of a few mailing lists. Every month I receive an automated e-mail with links to manage mailing list options and my passwords for the mailing lists. (Incidentally, this is powered by the GNU Mailman software.)

First of all, why on earth are they storing my password in cleartext instead of a hash? The only possible reason (other than blind ignorance) is this e-mail-my-password gig.

Secondly, why are they e-mailing me my password monthly? In case I forgot it? That’s what “Forgot my password” is for. It’s been known for quite a long time that e-mail is not secure. The only passwords that should be e-mailed are temporary ones used to validate the e-mail address.

There’s no excuse for lax security like this. I don’t know what their thinking is, but if it’s “It’s only a mailing list; it doesn’t need strong security” then that’s not good enough. Attacks can come from unexpected angles, and redesigning this system to be secure would be simple. Besides, many users use the same password for several systems, which in this case means that their password for other systems is being stored in cleartext and sent in cleartext. (Thankfully, I’m not using a common password with this system.)

Shame on you, School of Engineering, and shame on you, GNU Mailman developers. You both should know better.

Post a Comment

Your email is never shared. Required fields are marked *