On 8/20/2004 7:42 AM, [log in to unmask] wrote: >>----- begin log extract (wrapped) ----- >>19 Aug 2004 23:52:12 From [ANONYMOUS]@LISTSERV.ND.EDU: >> X-LOGIN [log in to unmask] 12.218.67.84 PW=***** >>----- end ----- >> > Does anyone know why the password is listed as clear text? That just begs > for the PW to be compromised. I agree that passwords should not appear in the log files, however, they also appear in plain-text in the signup.* files in the listserv/home directory, and on most systems, neither the log files nor the signup.* files should be accessible by general users. There is always the risk that an unscrupulous sysadmin might try to use someone's LISTSERV password to gain access to other accounts owned by the same individual. (Research indicates that most people use the same password for everything.) However, it seems to me there is a greater danger that passwords being sent in clear text across the open Internet will be compromised by anyone with access to network traffic. L-Soft needs to make it easier to enable HTTPS for the LISTSERV web interface. The last time I checked, you needed to chase down and change several hard-coded instances of "http:" in the web templates. These could be changed to use a variable controlled by the setting of a keyword statement in the go.user file. -- Paul Russell Senior Systems Administrator OIT Messaging Services Team University of Notre Dame