student password requirements for third party sites

[David Pirolo <webmaster () WARNERPACIFIC EDU>]

We are looking at adopting a 3rd party website to host our student
billboard service (housing, lost/found, etc).  To limit who can post,
this site requires an institutional email address as the username.  It
also requires a password.  

I was thinking about this and wondering what risk these sorts of
services pose to an institution as, most likely, the user will use the
same password as the one they use to log into our systems. Since this is
hosted offsite, one would just need to hack this site to get access to
student accounts.

I was having a conversation with the owner of this service and suggested
it might be better to include a proxy service similar to ezproxy.

I'm curious to know how other institutions have handled this?  Do you
ignore it and put up a disclaimer, would you push to host this
internally??  Ideally it would tie into some sort of SSO or Federated
system like Shibboleth.

Thoughts?

David Pirolo
Warner Pacific College