Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Rick,
Might be a bit late/early for calling now 8-O But maybe I didn't miss the mark by *too* much ;-)
No worries!
Rick, if you wish, you could alternatively drop the password in this file:
$ hostname; ls -ld ~/.auth.info
linuxmafia.com
-rw------- 1 mpaoli mpaoli 0 Mar 29 04:05 /home/mpaoli/.auth.info
$
Done! Good idea.
IMO, Mailman listadmin passwords are a medium-security scenario -- on the low side of medium. Because by default a stolen listadmin password can do some mischief but not a lot of harm and such harm can be easily fixed and the person in question locked out again.
By default, Mailman variable OWNERS_CAN_DELETE_THEIR_OWN_LISTS is set 'no' in mm_cfg.py. Unless that has been locally changed to 'yes' by the local site administrator, listadmins cannot summarily delete mailing lists from the Web, only using $MAILMAN_HOME/bin/rmlist at the command line.
Short of that deed, there's only minor annoyances that an intruder with the listadmin password is likely to do -- and those are relatively easy to notice and un-do.
Therefore, IMO, extreme caution about the listadmin password and mind-numbingly complex choice of password is not justified by the downside risk of someone guessing or dictionary-attacking the WebUI credential. (Honestly, nobody dictionary-attacks that, because it's not worth the trouble and immense amounts of time required.)
And my first order of business with that will be to get fresh copies of the roster lists!
Tools to script this from the Web side: https://wiki.list.org/DOC/How%20do%20I%20extract%20%28export%29%20a%20list%2...
And thanks too to Michael Hubbard for getting the password reset and carrying BALUG on his DreamHost.com account.
Any chance Michael should be the third possessor of the listadmin password? It's a small thing, but I think two possessors is a little thin in much the same way that two authoritative nameservers for a domain is a little SPoF-leaning.