[Cryptography] Why is emailing me my password?

Markus Wanner markus at bluegap.ch
Wed Oct 2 01:16:11 EDT 2013


On 10/01/2013 11:36 PM, R. Hirschfeld wrote:
> Your objections are understandable but aren't really an issue with
> mailman because if you don't enter a password then mailman will choose
> one for you (which I always let it do) and there's no need to remember
> it because if you ever need it (a rare occasion!) and don't happen to
> have a monthly password reminder to hand, clicking the link at the
> bottom of each list message will take you to a page where you can have
> it mailed to you.

Mailman choosing a random password for you is certainly better, yes. And
closer to the email-based OTP solution. It's still a permanent password,
though. By definition, a single interception suffices for an attacker to
be able to (ab)use it until you modify it. As opposed to the mail-based
OTP scheme. And the monthly reminder essentially makes an interception
even more likely.

Granted, the worst an attacker can do with an intercepted password
(permanent or OTP) is just a tad annoying - given it's not used elsewhere.

> The real danger is that those who don't read the instructions might
> enter a password that they use elsewhere and want to keep secure.

Agreed. It's opposed to good practice and common sense of password handling.

Regards

Markus Wanner
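
Added example, not part of the original message: a Python sketch contrasting a permanent mailed password with a mail-based OTP when a single mail is intercepted. The class names, the 10-minute validity window and the address are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 600  # assumed validity window, not taken from the thread

def _digest(secret: str) -> bytes:
    # Fine for random high-entropy secrets; human-chosen passwords need a slow KDF.
    return hashlib.sha256(secret.encode()).digest()

class PermanentPassword:
    """Random list password that stays valid until the user changes it."""
    def __init__(self) -> None:
        self._hashes = {}

    def set_random(self, address: str) -> str:
        password = secrets.token_urlsafe(12)
        self._hashes[address] = _digest(password)
        return password  # value mailed to the subscriber

    def check(self, address: str, password: str) -> bool:
        stored = self._hashes.get(address, b"")
        return hmac.compare_digest(stored, _digest(password))

class EmailOtp:
    """Mailed token: single use (pop consumes it), valid only until expiry."""
    def __init__(self) -> None:
        self._pending = {}  # address -> (token hash, expiry time)

    def issue(self, address: str, now: float) -> str:
        token = secrets.token_urlsafe(16)
        self._pending[address] = (_digest(token), now + OTP_TTL_SECONDS)
        return token  # value mailed to the subscriber

    def redeem(self, address: str, token: str, now: float) -> bool:
        token_hash, expires = self._pending.pop(address, (b"", 0.0))
        return now <= expires and hmac.compare_digest(token_hash, _digest(token))

def replay_demo() -> dict:
    """Constructed scenario: an eavesdropper copies one mail of each kind."""
    addr, t0 = "subscriber@example.org", 1_000_000.0
    perm, otp = PermanentPassword(), EmailOtp()
    stolen_pw = perm.set_random(addr)
    stolen_token = otp.issue(addr, t0)
    return {
        "owner_otp": otp.redeem(addr, stolen_token, t0 + 30),   # owner goes first
        "otp_replay": otp.redeem(addr, stolen_token, t0 + 60),  # copy is now dead
        "password_replays": [perm.check(addr, stolen_pw) for _ in range(3)],
        "otp_expired": otp.redeem(addr, otp.issue(addr, t0), t0 + OTP_TTL_SECONDS + 1),
    }
```

The OTP only narrows the window: an interceptor who redeems the token before the owner does still gets in once.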

