Mailman monthly password reminders: not recommended

One of the features of our service is the industrial-strength Mailman mailing list manager. Mailman is a very good program in some ways (it’s built like a tank and reliably handles very large volumes of list mail, and it removes much of the drudgery of managing large lists), but it has a couple of undesirable “features”.

The most obvious is that the interface is terribly ugly (the Mailman developers are working on a big improvement to this, thankfully; just so it’s clear, we didn’t create the program, and we’re as horrified by the circa-1996 appearance as everyone else). Another problem with the program, though, is the option for “monthly password reminders”. This is a design flaw that’s being removed from Mailman, and although most of the lists on our servers don’t use password reminders, customers who do should probably turn them off now in preparation for that change.

So what’s the issue? The main problem is that Mailman sends people’s personal passwords over the Internet via plain text e-mail, which is about as secure as sending them around the world on a postcard. One of the most basic password security rules for users is “memorize a password instead of writing it down anywhere”, and Mailman completely breaks that rule. And one of the most basic rules for secure software designers is “store passwords only in encrypted form so that even the program author and system administrator can’t tell what they originally were, so that if hackers break into the system they can’t tell either”. Mailman breaks this rule, too — it has to, in order to be able to send the monthly password reminders. The authors of Mailman attempted to solve this problem by adding a note to the subscription page saying “do not use a valuable password”, but that goes against human nature; some people will inevitably enter the same password they use for online banking, etc.
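The two design rules the post names pull in opposite directions: a reminder e-mail can only be sent if the program can read the original password back, and a password stored so that nobody can read it back cannot be mailed out. The following Python is an added illustration of that trade-off, not code from Mailman or from the post; the store classes, the `reminder_possible` helper and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Added example: why "monthly password reminders" and "store passwords so
nobody can recover them" cannot both be true of the same program.

Neither class is Mailman code; both are constructed for this illustration.
"""
import hashlib
import hmac
import os
import secrets


class RecoverablePasswordStore:
    """What a reminder feature needs: the original password, readable by the
    program. Anyone who obtains this store (administrator, backup copy, or an
    intruder) reads every password as-is."""

    def __init__(self):
        self._db = {}

    def set_password(self, user, password):
        self._db[user] = password

    def verify(self, user, password):
        stored = self._db.get(user, "")
        return hmac.compare_digest(stored, password)

    def password_for_reminder(self, user):
        # The feature works precisely because the secret is sitting here.
        return self._db[user]


class HashedPasswordStore:
    """The rule the post recommends: keep only a salted one-way hash, so the
    store can answer "is this the right password?" but not "what is it?"."""

    ITERATIONS = 200_000  # assumed work factor for the example

    def __init__(self):
        self._db = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        record = self._db.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._digest(password, salt))

    def password_for_reminder(self, user):
        # Nothing to send: the password itself was never written down.
        raise LookupError("only a one-way hash is stored; the password is unrecoverable")

    def reset_token(self, user):
        # What a hashed store can still do instead of a reminder (assumed
        # design, not Mailman's): hand out a fresh random one-time token.
        return secrets.token_urlsafe(24)


def reminder_possible(store, user):
    """True if the store can hand back the original password for user."""
    try:
        store.password_for_reminder(user)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    for cls in (RecoverablePasswordStore, HashedPasswordStore):
        store = cls()
        store.set_password("alice@example.com", "hunter2")  # constructed sample
        print(cls.__name__, "verify:", store.verify("alice@example.com", "hunter2"),
              "reminder possible:", reminder_possible(store, "alice@example.com"))
```

Both stores accept the right password and reject the wrong one; only the recoverable one can produce a reminder, which is the property that makes it a liability when the database leaks.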

There’s another problem with password reminders, too, which is that if you have more than one Mailman list, the password reminders are sent from the e-mail address of a seemingly random one of those lists, even if the recipient isn’t subscribed to that particular list. Not a security problem, but certainly annoying.

Anyway, bottom line: monthly password reminders are a bad idea and don’t work properly anyway. The good news is that the Mailman developers have completely removed password reminders and plaintext passwords from the next version of Mailman, which we’ll be using when it becomes available. If your list uses monthly password reminders, they’re going to go away, hopefully soon. (In fact, we consider the password reminders such a source of problems that if the new version of Mailman is substantially delayed, we may end up preemptively disabling them for all lists on our servers.)

This actually won’t affect most of our customers, because the Mailman setup wizard in our control panel hasn’t turned on the password reminders option for new lists for a long time now. However, a few older lists had it enabled by default, and it’s still possible for customers to manually enable it by clicking one of the obscure options in the Mailman administrative interface.

If your list uses password reminders, we recommend turning them off now:

  1. Log in to the administration page for your list.
  2. Scroll down to the “Send monthly password reminders?” setting and change it to “No”.
  3. Scroll to the bottom of the page and click “Submit Your Changes”.
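For an administrator with many lists, clicking through each one is tedious; the shell snippet below is an added example (not from the post or from Mailman) of checking dumped list configurations for the setting instead. It assumes, as labelled in the comments, that Mailman 2.1's `bin/config_list -o` writes a file of `name = value` lines, that the web option above is stored as `send_reminders`, and that `1` means enabled; the sample dumps are constructed for the example.

```sh
#!/bin/sh
# Added example: find lists whose dumped configuration still enables
# monthly password reminders. Assumptions: the dump is produced by
# Mailman 2.1's "bin/config_list -o FILE LISTNAME", it contains a line of
# the form "send_reminders = 1" when reminders are on, and one dump file
# per list is named after that list.

reminders_enabled() {
    # $1: path to one list's config_list dump. Succeeds if reminders are on.
    grep -Eq '^send_reminders[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

lists_with_reminders_on() {
    # $1: directory of dump files, one per list. Prints each list that
    # still has reminders enabled, one name per line.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        reminders_enabled "$f" && basename "$f"
    done
    return 0
}

# Constructed sample dumps standing in for real ones. On a real server the
# directory would be filled with something like (assumed Mailman 2.1 CLI):
#   for l in $(bin/list_lists -b); do bin/config_list -o "$DUMPS/$l" "$l"; done
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/announce" <<'EOF'
## "announce" mailing list configuration settings (constructed sample)
real_name = 'announce'
send_reminders = 1
EOF

cat > "$SAMPLE_DIR/dev" <<'EOF'
## "dev" mailing list configuration settings (constructed sample)
real_name = 'dev'
send_reminders = 0
EOF

echo "Lists still sending monthly password reminders:"
lists_with_reminders_on "$SAMPLE_DIR"
```

Lists reported by the script are the ones whose owners should follow the three steps above (or whose setting the host can flip on their behalf); a list that sets the option back on later will show up again on the next run.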

Doing this makes the list more secure for your subscribers, and also makes sure you’re not surprised when password reminders stop by themselves.

If you have trouble disabling the reminders, just contact us and we’ll be glad to do it for you.
