Educause Security Discussion mailing list archives

Re: Password security

From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 31 Jan 2012 23:27:16 +0000

I don't think it's over the top; it's basic.  The passwords should be hashed using a strong password hashing scheme 
that uses salts and key stretching (not plain MD5).

As you point out, if the passwords are in plain text, the admissions folks and possibly others can see their passwords. 
 An attacker who compromises the system may also be able see them.  The threat is primarily to the students, not the 
institution.  People reuse passwords.  An user with access to those passwords (authorized or not) can use them along 
with the students' other information to compromise accounts the students have on other systems: Facebook, email, 
banking, etc.  If the password is used for access to other college systems, then having a student's password would also 
allow someone to potentially access information not in the original application (grades, student email, financial aid). 
 Plaintext passwords are bad.

There should also be a mechanism in place for restricting who can see certain information such as social security 
numbers.

Best regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Palmer, 
Kevin
Sent: Tuesday, January 31, 2012 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password security

Colleagues,
  I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses 
to this issue.

  I have a question regarding a very large third party CRM vendor.  As expected, the vendor allows users 
(leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves 
and eventually use this and additional information to submit an application to the institution.  We (Tech staff) have 
recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who 
work on the system.

  We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education 
is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question 
whether or not this is a "best practice".  I think it is simply being prudent, and that there is no reason for anyone 
to know another persons' authentication credentials.  What are your thoughts?  Is this over-the-top security?

Best regards,
Kev

Kevin Palmer
Chief Information Officer
Columbia College
1001 Rogers Street
Launer 9
Columbia, MO 65216
(573)875-7329
kpalmer () ccis edu<mailto:kpalmer () ccis edu>
www.ccis.edu<http://www.ccis.edu/>
[Description: Description: Description: Description: Description: Description: Description: Description: 
CC_logo_4c_colorbuild_lg]


This email has been scanned by a Spam/Virus Firewall. If your email has been classified as Spam please contact the 
HelpDesk at (209) 384-6180.

Current thread:

Password security Palmer, Kevin (Jan 31)
- Re: Password security Steven Alexander (Jan 31)
  - Re: Password security Ryan D Hiebert (Jan 31)
- Re: Password security Basgen, Brian (Jan 31)
  - Re: Password security Mclaughlin, Kevin (mclaugkl) (Jan 31)
- Re: Password security Bob Bregant II (Jan 31)
- Re: Password security Valdis Kletnieks (Jan 31)
- Re: Password security David Pirolo (Jan 31)
- Re: Password security Joel Rosenblatt (Jan 31)
- Re: Password security Robert Meyers (Feb 01)
  - Re: Password security Sarazen, Daniel (Feb 01)
    - Re: Password security Brian Helman (Feb 01)

(Thread continues...)