Educause Security Discussion mailing list archives
Re: Multiple of Single User Accounts
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 22 Oct 2009 16:49:10 -0500
Flynn, Gerald wrote:
-----Original Message-----

Another issue that is rarely mentioned in this debate is the need to protect some credentials more than others. A situation has recently come to light here where a privileged user here exposed their credentials to key infrastructure while accessing student systems. The exposure was obscure (and certainly unintentional) but exists nonetheless. Keeping accounts separate helps mitigate that accidental exposure of credentials.

Speaking of account credentials, sync outsourced student email passwords with campus passwords or not? I vote no. Too many external account/password integration and syncing and phishing threats. Federation, when it becomes available, is a better and acceptable solution. But until then...no automated password syncing.
We're planning to deploy Google Docs and Sites (not Mail.) I don't see the day that we would ever hand our users' passwords over to a 3rd party. And, letting users pick a Google-only password would lead to confusion, or the users will just use their normal campus password.

When I developed our shared Subversion repository, I followed the Google Code model of creating token passwords. Subversion clients will store passwords, and we didn't want users' main NetID password to be lying around in everyone's home directories. We also didn't want to allow users to choose their own passwords, since they would either use their NetID password, or they would forget it and be bugging me for password resets.

So, the solution is to let users log in to a web site to obtain a randomly generated token password that is to be used for only Subversion access. The users can reset their tokens, but they can't set it to arbitrary values.

This system has worked extremely well for Subversion. So, it seems like a natural solution for Google Apps. Although, we are still in a planning phase, so who knows how it will work out in the end. I don't even know if Docs or Sites even offer non-SASL access points for individual users.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson () doit wisc edu
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
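The per-service token password scheme described in the message above, as an added example that is not part of the original post and is not the UW-Madison implementation. The class and method names, the sample NetID, and the choice to keep only a SHA-256 digest of each token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ServiceTokenStore:
    """Issues random per-service passwords; users can reset but never choose them."""

    def __init__(self, token_bytes=18):
        self._token_bytes = token_bytes   # 18 random bytes -> 24 URL-safe characters
        self._digests = {}                # (netid, service) -> SHA-256 hex digest

    @staticmethod
    def _digest(token):
        # Tokens are high-entropy random values, so a plain hash is enough here
        # (assumption of this sketch); a user-chosen password would need a slow KDF.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, netid, service):
        """Create or reset the token. The caller must already have authenticated
        the user with the main campus login (out of scope for this sketch)."""
        token = secrets.token_urlsafe(self._token_bytes)
        self._digests[(netid, service)] = self._digest(token)
        return token  # shown to the user once; only the digest is kept

    def verify(self, netid, service, presented):
        """Check a password presented by a client such as Subversion."""
        stored = self._digests.get((netid, service))
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(presented))


def demo():
    store = ServiceTokenStore()
    first = store.issue("jdoe", "svn")      # constructed sample NetID
    first_ok = store.verify("jdoe", "svn", first)
    second = store.issue("jdoe", "svn")     # a reset invalidates the old token
    return {
        "first_ok": first_ok,
        "old_rejected": not store.verify("jdoe", "svn", first),
        "new_ok": store.verify("jdoe", "svn", second),
        "other_service_ok": store.verify("jdoe", "docs", second),
        "length": len(second),
    }


if __name__ == "__main__":
    print(demo())
```

There is deliberately no method that accepts a user-supplied value, so a token found in a Subversion client's stored credentials can never be the NetID password and is valid only for the service it was issued for.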