October 01, 2004

First Day Of The Month: Least Secure?

I've come to dread the first day of any month. Why? Because it's the day my email inbox is full of emails that begin like this:

This is a reminder, sent out once a month, about your XYZ mailing list memberships. It includes your subscription info and how to use it to change it or unsubscribe from a list.

The XYZ is the name of the mailing list. The part that freaks me out is the way these emails always end:

Passwords for username@whatever-domain.com:

List                Password // URL
----                --------
emailaddr-for-list@whatever.com      thePasswordInPlainView     http://the.domain.for.the.mailing.list

As Homer Simpson would say, D'oh!

Whywhywhywhy do so many mailing list programs email you your password like this!? Every month, faithfully executed by the mailing list server program. Why, if I wanted to get a lot of passwords, I'd simply sniff packets for email on the first day of each month. Prolly wind up with millions of 'em.

This has got to be the most bone-headed "feature" of mailing lists. Every month I am surprised that tech-savvy companies, like for instance Technorati, use mailing list software that spews out passwords. Bad bad bad.

Posted by brian at October 1, 2004 06:20 AM


Word. I always wondered about that too!

Posted by: a reader at October 1, 2004 10:11 AM

No, only ONE software does this: GNU Mailman. It is brain dead in a multitude of ways. And it is completely stupid to have these passwords at all. Most mailing list software doesn't use passwords, since it is clearly the wrong solution. Being able to receive mail at the address is enough authentication.

Posted by: Jonas at October 15, 2004 07:10 AM
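
The alternative raised in the comment above, treating receipt of mail at the address as the authentication, is commonly built as a signed, expiring confirmation token instead of a stored password that gets mailed out. The sketch below is an added example, not part of the original post or of any mailing list program's code; the secret, the one-hour lifetime and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never mailed
TTL = 3600                        # assumption: token valid for one hour


def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_token(address, action, now=None):
    """Build the token mailed to `address`; holding it proves mailbox control."""
    expires = int((time.time() if now is None else now) + TTL)
    payload = f"{address.lower()}|{action}|{expires}".encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def verify_token(token, address, action, now=None):
    """Accept only an untampered, unexpired token for this address and action."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    payload, tag = raw[:-32], raw[-32:]
    # Constant-time comparison; a short or forged tag simply fails.
    if not hmac.compare_digest(tag, _mac(payload)):
        return False
    # The MAC is valid, so the payload is one this server produced.
    addr, act, exp = payload.decode().rsplit("|", 2)
    current = time.time() if now is None else now
    return addr == address.lower() and act == action and current <= int(exp)


if __name__ == "__main__":
    # Constructed sample address; nothing reusable is stored or sent monthly.
    t = issue_token("reader@example.com", "unsubscribe")
    print(verify_token(t, "reader@example.com", "unsubscribe"))  # valid
    print(verify_token(t, "reader@example.com", "subscribe"))    # wrong action
```

A token intercepted in transit is good for one action on one address until it expires, whereas the monthly reminder exposes a long-lived password every time it is sent.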

brianstorms is Brian Dear's weblog.

Copyright 2002-2003 Birdrock Ventures. brianstorms is a trademark of Birdrock Ventures.