Educause Security Discussion mailing list archives
Re: Password security
From: Bob Bregant II <bregant2 () ILLINOIS EDU>
Date: Tue, 31 Jan 2012 17:28:00 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin,

Storing passwords in an encrypted format is not over-the-top at all. Assuming that your users are perfect, the biggest risk here is that their personal information stored in the application could be exposed/modified (there's the C and the I from the security triad) by a malicious user who gains access to the password database (either by being one of those authorized users or by exploiting a weakness in the software). I'm guessing that the information stored here isn't all publicly available, and could even include highly sensitive data like SSNs that would be a major headache if they were compromised and leaked.

As we know, few users are perfect. Most everyone reuses passwords, even among technical staff. What was previously a matter of the information stored in that system (which should be a major concern on its own) is now a matter of a malicious user potentially being able to impersonate this user on any of a number of other services where they have reused the login. If they reuse that password on their email account, then the attacker can now use that to reset any passwords that were set to something different.

Cleartext passwords (or poorly hashed ones) are pretty much the worst case scenario in my mind when talking about potential vulnerabilities in an application. (Many universities, mine included, have policies in place that state that no passwords shall be stored in an unencrypted format.)

Simply encrypting the passwords doesn't prevent everything bad. The data in the application could be exposed via other flaws, and all encryption can eventually be broken by a dedicated attacker who has gotten a copy of the data. That's the job of the rest of information security, though. Encrypted passwords are a good start and a perfectly reasonable request on your end.

- --
Bob Bregant II
Office of Privacy and Information Assurance
University of Illinois at Urbana-Champaign
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3EF5417746B6DF9E
Quis custodiet ipsos custodes?

On 01/31/2012 05:00 PM, Palmer, Kevin wrote:
> Colleagues,
>
> I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue.
>
> I have a question regarding a very large third party CRM vendor. As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution. We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system. We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a "best practice". I think it is simply being prudent, and that there is no reason for anyone to know another person's authentication credentials.
>
> What are your thoughts? Is this over-the-top security?
>
> Best regards,
> Kev
>
> Kevin Palmer
> Chief Information Officer
> Columbia College
> 1001 Rogers Street
> Launer 9
> Columbia, MO 65216
> (573)875-7329
> kpalmer () ccis edu
> www.ccis.edu
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAk8oeP4ACgkQPvVBd0a23543ZACg2tw7J+0x6rGigyRQtMIv03Gy
exoAmgPKR+8wrzXiQUYaQGVLjUgigLtn
=q9Kr
-----END PGP SIGNATURE-----
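The reply above contrasts cleartext or "poorly hashed" password storage with a form the application operators cannot read back. The following is an added illustration, not code from this list or from the CRM vendor under discussion: it stores passwords as salted, iterated PBKDF2-HMAC-SHA256 records (Python's standard `hashlib`), verifies a login in constant time, and shows beside it why an unsalted single-round hash still leaks which users share a password. The usernames, passwords and iteration count are constructed for the example.

```python
"""Salted, iterated password hashing versus cleartext or unsalted storage.

Added illustration; the usernames, passwords and iteration count are
constructed for the example and are not taken from any real system.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256. 200k is an assumed value chosen for
# illustration; raise it until one verification costs a noticeable fraction
# of a second on the server that will run it.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations_str, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The 'poorly hashed' form: one fast, unsalted round of MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(records: Dict[str, str]) -> List[List[str]]:
    """Group usernames whose stored records are byte-identical.

    With unsalted hashes this exposes which users share a password without
    recovering it; with per-user salts the result is empty.
    """
    by_record: Dict[str, List[str]] = defaultdict(list)
    for user, record in records.items():
        by_record[record].append(user)
    return [sorted(users) for users in by_record.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    accounts = {
        "alice": "correct horse battery staple",
        "bob": "correct horse battery staple",
        "carol": "Tr0ub4dor&3",
    }

    weak_store = {u: unsalted_md5(p) for u, p in accounts.items()}
    strong_store = {u: hash_password(p) for u, p in accounts.items()}

    print("unsalted store reveals shared passwords:", shared_password_groups(weak_store))
    print("salted store reveals:", shared_password_groups(strong_store))
    print("login ok:", verify_password(accounts["alice"], strong_store["alice"]))
    print("wrong password:", verify_password("hunter2", strong_store["alice"]))
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed on the user's next successful login without a separate migration; the administrators who can see the table in the scenario described above see only salt and digest, never the credential itself.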
Current thread:
- Password security Palmer, Kevin (Jan 31)
- Re: Password security Steven Alexander (Jan 31)
- Re: Password security Ryan D Hiebert (Jan 31)
- Re: Password security Basgen, Brian (Jan 31)
- Re: Password security Mclaughlin, Kevin (mclaugkl) (Jan 31)
- Re: Password security Bob Bregant II (Jan 31)
- Re: Password security Valdis Kletnieks (Jan 31)
- Re: Password security David Pirolo (Jan 31)
- Re: Password security Joel Rosenblatt (Jan 31)
- Re: Password security Robert Meyers (Feb 01)
- Re: Password security Sarazen, Daniel (Feb 01)
- Re: Password security Brian Helman (Feb 01)
- Re: Password security Bradner, Scott (Feb 01)
- Re: Password security Palmer, Kevin (Feb 01)
- Re: Password security Sarazen, Daniel (Feb 01)
- Re: Password security Steven Alexander (Jan 31)
- Re: Password security Roger A Safian (Feb 01)
- Re: Password security Palmer, Kevin (Feb 01)