Educause Security Discussion mailing list archives
student password requirements for third party sites
From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Thu, 5 Jul 2012 16:04:19 -0700
We are looking at adopting a 3rd party website to host our student billboard service (housing, lost/found, etc). To limit who can post, this site requires an institutional email address as the username. It also requires a password. I was thinking about this and wondering what risk these sorts of services pose to an institution as, most likely, the user will use the same password as the one they use to log into our systems. Since this is hosted offsite, one would just need to hack this site to get access to student accounts. I was having a conversation with the owner of this service and suggested it might be better to include a proxy service similar to ezproxy. I'm curious to know how other institutions have handled this? Do you ignore it and put up a disclaimer, would you push to host this internally?? Ideally it would tie into some sort of SSO or Federated system like Shibboleth. Thoughts? David Pirolo Warner Pacific College
Current thread:
- student password requirements for third party sites David Pirolo (Jul 05)
- Re: student password requirements for third party sites Steven Alexander (Jul 10)