Educause Security Discussion mailing list archives
Re: Password security
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 1 Feb 2012 15:38:57 +0000
IMHO, and not trying to be confrontational here, that only benefits the vendor, who gets to hide in anonymity, and then give the same story to the next person who contacts them. One of the advantages of a list such as this is that it can put pressure on a company to do the right thing. That being said, I understand your position.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Palmer, Kevin
Sent: Wednesday, February 01, 2012 9:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password security

Hi Roger,

Being that this is an open list, I prefer not to name the vendor but will send it to you off-line.

Thanks
Kev

Kevin Palmer
CIO - Columbia College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Wednesday, February 01, 2012 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password security

Would this happen to be ApplyYourself? I had a very similar conversation with them several months ago, and if I am not mistaken there was some discussion here as well.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Palmer, Kevin
Sent: Tuesday, January 31, 2012 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password security

Colleagues,

I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue. I have a question regarding a very large third party CRM vendor.

As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution. We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system. We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a "best practice". I think it is simply being prudent, and that there is no reason for anyone to know another person's authentication credentials.

What are your thoughts? Is this over-the-top security?

Best regards,
Kev

Kevin Palmer
Chief Information Officer
Columbia College
1001 Rogers Street
Launer 9
Columbia, MO 65216
(573)875-7329
kpalmer () ccis edu
www.ccis.edu