Educause Security Discussion mailing list archives

Re: Password security


From: "Palmer, Kevin" <kpalmer () CCIS EDU>
Date: Wed, 1 Feb 2012 20:16:00 +0000

Bryan,
  Excellent point regarding the password change after encryption... we will incorporate it into our change plan.

Best regards,
Kev

Kevin Palmer
CIO - Columbia College


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Wednesday, February 01, 2012 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password security

I suspect your vendor sends the users their actual passwords instead of a reset when a "lost password request" is made.

I usually try to look at an issue from both sides in order to understand why I might NOT want something, but I just 
can't see your vendor's side on this.   And in all honesty, my initial reaction to what your vendor told you isn't 
appropriate to be posted here.  But, from a neurotic security-person point of view, I'd go one step further.  If your 
usernames/passwords were stored unencrypted AND ACCESSIBLE as you describe, I'd notify all the account holders to 
change their passwords (after getting the mechanism properly encrypted).

-Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Wednesday, February 01, 2012 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password security

I have to agree with Joel and Robert. That statement took me by surprise and the vendor should be considered suspect.

Good Luck!


:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Meyers
Sent: Wednesday, February 01, 2012 8:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password security

Any vendor who has the gall to say this would be removed from my list of trustworthy providers.  If a vendor says that 
something as basic as encrypting passwords "would be difficult" I hear them saying "we care more about our lack of 
effort than we do about your security."

Encrypted passwords are basic best practice security - demand it.
Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu


On Tuesday, January 31, 2012 at 6:00 PM, "Palmer, Kevin" <kpalmer () CCIS EDU> wrote:
Colleagues,
  I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses 
to this issue.

  I have a question regarding a very large third party CRM vendor.  As expected, the vendor allows users 
(leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves 
and eventually use this and additional information to submit an application to the institution.  We (Tech staff) have 
recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who 
work on the system.

  We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education 
is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question 
whether or not this is a "best practice".  I think it is simply being prudent, and that there is no reason for anyone 
to know another person's authentication credentials.  What are your thoughts?  Is this over-the-top security?

Best regards,
Kev

Kevin Palmer
Chief Information Officer
Columbia College
1001 Rogers Street
Launer 9
Columbia, MO 65216
(573)875-7329
kpalmer () ccis edu
www.ccis.edu
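The thread contrasts a vendor storing passwords in clear text (and, as Brian suspects, mailing them back on a "lost password" request) with the basic practice Robert calls for. The following added example, not code from any vendor or poster in this thread, shows both sides in Python: a constructed in-memory user table with the clear-text record beside a salted PBKDF2 record that no admissions employee could read a password out of, and a single-use, expiring reset token that replaces mailing the password. All names and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Clear-text storage as the thread describes: anyone who can read the table sees the password.
def store_cleartext(users, username, password):
    users[username] = {"password": password}

# Hardened: persist only a random salt and a PBKDF2-HMAC-SHA256 digest, never the password.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the deployment's hardware

def store_hashed(users, username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    users[username] = {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}

def verify(users, username, password):
    rec = users.get(username)
    if rec is None or "digest" not in rec:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])  # constant-time comparison

# "Lost password" handling: a random, expiring, single-use token is sent to the user's verified
# address; only its hash is stored, so the table never reveals the token or the password.
def issue_reset_token(users, username, ttl_seconds=900, now=None):
    if username not in users:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    users[username]["reset"] = {"digest": hashlib.sha256(token.encode()).digest(),
                                "expires": now + ttl_seconds}
    return token

def reset_with_token(users, username, token, new_password, now=None):
    now = time.time() if now is None else now
    rec = users.get(username, {}).get("reset")
    if rec is None or now > rec["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["digest"]):
        return False
    store_hashed(users, username, new_password)  # rewrites the record, consuming the token
    return True
```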