Educause Security Discussion mailing list archives

Re: Back on topic.... Re: [SECURITY] University credentials used by third parties

From: Mike Porter <mike () UDEL EDU>
Date: Wed, 25 Aug 2010 11:55:21 -0400

On Wed, 25 Aug 2010, Jesse Thompson wrote:

On 08/24/2010 11:08 AM, Joel Rosenblatt wrote:
Just to thorough another thought into this mix, does anyone prevent
their students (or other users) from turning over their credentials to
Gmail or Blackberry?

We see lots of authenticated logins from these services - and if I were
to come down hard on this Ultrinsic using our sharing of password policy
(which we do have) I'm sure that this would amount to having to change
our policy to - you can't share your credentials - except with (gmail,
Blackberry, etc.)

I really hate inconsistent enforcement of policies, so it's either
change the policy or cut off everyone.
+1
Our help desk created end-user instructions for IMAP-syncing email accountswith Gmail, despite the fact that it completely violates password policy.They did this specifically because they get flooded with "how do I save myemail" requests when we deactivate email accounts, but other users takeadvantage of it as well.
Yet, when we propose the idea of officially embracing this Gmail-IMAP-syncoption as a more reliable alternative to forwarding - essentially treatingGmail the same as any other IMAP client - the idea is immediately shot downbecause it violates password policy.


What was the violation?  The problem that users woud need to store
a password, likely the regular one, at gmail in order to use imap?

We ended up with a convoluted system to avoid some of those issues.


Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware


Jesse
(an email admin at Wisconsin)


-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2

Current thread:

Re: Password Expatriation notification, (continued)
- - - Re: Password Expatriation notification James Farr '05 (Aug 19)
    - Re: Password Expatriation notification Russell Fulton (Aug 20)
    - Re: Password Expatriation notification Dergenski, Todd A. (Aug 23)
    - Re: Password Expatriation notification Ozzie Paez (Aug 23)
    - Back on topic.... Re: [SECURITY] University credentials used by third parties Flynn, Gary - flynngn (Aug 24)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Joel Rosenblatt (Aug 24)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Guy Pace (Aug 24)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties David L. Wasley (Aug 24)
    - Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties David Gillett (Aug 24)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Jesse Thompson (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Mike Porter (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties David Gillett (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties Semmens, Theresa (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties Eric Case (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties Adam Carlson (Aug 25)
    - Experience with EPO and endpoint encryption David Grisham (Aug 25)
    - Re: Experience with EPO and endpoint encryption Gibson, Nathan J. (HSC) (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Jesse Thompson (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Mike Porter (Aug 25)
    - Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Darren Fallis (Aug 24)
- Re: University credentials used by third parties Guy Pace (Aug 17)

(Thread continues...)