Educause Security Discussion mailing list archives
Re: Password security
From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Thu, 2 Feb 2012 10:37:23 -0800
I'd have to agree with Joe here. Since it really isn't a requirement or a law not to store passwords in plain text, but rather just a best practice, the only ammo we have is putting pressure on the vendors by using the products that do adhere to best practice. The increasing pressure and monetary fines we face from our regulatory bodies are really making it more vital to increase the pressure on our vendors. The best way to put pressure on a vendor is to threaten to, and then start to, evaluate a competitor who is keeping up with the times.

-David

On Wed, 2012-02-01 at 16:21 -0800, Joe St Sauver wrote:

Hi,

While I share everyone's concern about plain text passwords, there *are* many, many mainstream applications that *do* store passwords unencrypted, and often in ways that are publicly accessible. (Anyone skeptical of this can quickly lose that skepticism via a little Google dorking, e.g., see for example http://www[dot]exploit-db[dot]com/google-dorks/9/ )

From my POV, the *real* issue is this: given that plain text passwords ARE out there all over the place, how do we get that problem sorted?

I suspect that a straightforward find-and-notify strategy might be an excellent way to trigger a "shoot the messenger bearing bad news" sort of reaction, unfortunately.

Regards,

Joe