Looks like "Moderator" password is a non-issue[1].
"Admin" passwords were changed earlier, ... so we should be in
pretty good shape at this point.
footnotes/references/excerpts:
1. once upon a time the "Moderator" password was set. The one I had in
my notes was, I believe, passed to me the same time the "Admin" password had
been much earlier passed to me. I'm also fairly certain "way back then"
I verified that each password worked on each of the lists. Seems "Moderator"
password/functionality is disabled (as we desire it), as A) I checked, and
the old "Moderator" password no longer works, and B) the GUI admin stuff
quite effectively states that the "Moderator" role only works if both a
password is set for it, and an email is set for "Moderator" - and I
checked and all three lists have no email set for "Moderator" - so I believe
that effectively disables any "Moderator" capability or login - so I think
we're well covered there.
Quoting "Rick Moen" <rick(a)linuxmafia.com>:
> Quoting Michael Paoli (Michael.Paoli(a)cal.berkeley.edu):
>
>> Thanks - got it (from earlier encrypted contents you sent me) and verified
>> it authenticates.
>
>> Also, as you mentioned, "Moderator" password....
>
> I recommend against ever using this function, by the way. So, there's
> no point in setting its password. (I can detail the reason for that
> recommendation if anyone's interested. Long story. Short version is
> that it leads directly to mishaps that the person wielding that password
> cannot fix.)
>
>> It's quite possible many of the "misconfiguration" changes may have been
>> done - perhaps by someone who has "Moderator" password, and may not
>> even have "Admin" password.
>
> I don't think so, because I'm pretty sure nobody has set that password.
> However, the mishaps I allude to above involve someone accidentally
> checking a "autodiscard" or "ban" control on the admin queue page and
> submitting changes, then being unable to remove that address from the
> autodiscard or ban rosters upon realising his/her mistake, because those
> rosters are on an admin page to which moderators lack access.
>
> So, in theory, someone wielding a moderator password could have
> accidentally put Christian Einfeldt's address on the autodiscard list.
> All the other changes I discussed are possible only with a listadmin
> password.
>
>> If you don't want to be bothered with changing the "Moderator" password
>> (you already covered "Admin" - Thanks!) ... just say the word
>> and I'll take care of "Moderator" password.
>
> You're welcome to set it to something obscure and then forget what it
> is. That's probably the smartest thing to do with it. ;->