Re: Password security

[Ryan D Hiebert <ryan () RYANHIEBERT COM>]

Seconded. Plain text passwords are not acceptable.

Ryan Hiebert
Network Security Specialist
Pacific Union College

On Jan 31, 2012, at 3:27 PM, Steven Alexander wrote:

> I don’t think it’s over the top; it’s basic.  The passwords should be hashed using a strong password hashing scheme 
> that uses salts and key stretching (not plain MD5).
>  
> As you point out, if the passwords are in plain text, the admissions folks and possibly others can see their 
> passwords.  An attacker who compromises the system may also be able see them.  The threat is primarily to the 
> students, not the institution.  People reuse passwords.  An user with access to those passwords (authorized or not) 
> can use them along with the students’ other information to compromise accounts the students have on other systems: 
> Facebook, email, banking, etc.  If the password is used for access to other college systems, then having a student’s 
> password would also allow someone to potentially access information not in the original application (grades, student 
> email, financial aid).  Plaintext passwords are bad.
>  
> There should also be a mechanism in place for restricting who can see certain information such as social security 
> numbers. 
>  
> Best regards,
>  
> Steven Alexander Jr.
> Online Education Systems Manager
> Merced College
> 3600 M Street
> Merced, CA 95348-2898
> (209) 384-6191
> alexander.s () mccd edu
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Palmer, Kevin
> Sent: Tuesday, January 31, 2012 3:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Password security
>  
> Colleagues,
>   I apologize in advance for the cross listing, but it was suggested that this list may have some interesting 
> responses to this issue.
>  
>   I have a question regarding a very large third party CRM vendor.  As expected, the vendor allows users 
> (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about 
> themselves and eventually use this and additional information to submit an application to the institution.  We (Tech 
> staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in 
> admissions who work on the system.
>  
>   We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher 
> education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks 
> to question whether or not this is a “best practice”.  I think it is simply being prudent, and that there is no 
> reason for anyone to know another persons’ authentication credentials.  What are your thoughts?  Is this over-the-top 
> security?
>  
> Best regards,
> Kev
>   
> Kevin Palmer
> Chief Information Officer
> Columbia College
> 1001 Rogers Street
> Launer 9
> Columbia, MO 65216
> (573)875-7329
> kpalmer () ccis edu
> www.ccis.edu
>
> <image001.jpg>
>  
>
>   ­­