Re: student password requirements for third party sites

[Steven Alexander <alexander.s () MCCD EDU>]

As you mentioned, it would be best if the site uses SSO so that it doesn't have to store passwords at all.

If the billboard site is going to store passwords, encourage them to use bcrypt, scrypt, or PBKDF2 for password hashing 
to reduce the risk of student accounts being compromised subsequent to an attack on their site.  If they're using 
MD5/SHA, it's almost as bad as plain text.    

Steven Alexander
Online Education Systems Manager
Merced College
alexander.s () mccd edu
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of David Pirolo 
[webmaster () WARNERPACIFIC EDU]
Sent: Thursday, July 05, 2012 4:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] student password requirements for third party sites

We are looking at adopting a 3rd party website to host our student
billboard service (housing, lost/found, etc).  To limit who can post,
this site requires an institutional email address as the username.  It
also requires a password.

I was thinking about this and wondering what risk these sorts of
services pose to an institution as, most likely, the user will use the
same password as the one they use to log into our systems. Since this is
hosted offsite, one would just need to hack this site to get access to
student accounts.

I was having a conversation with the owner of this service and suggested
it might be better to include a proxy service similar to ezproxy.

I'm curious to know how other institutions have handled this?  Do you
ignore it and put up a disclaimer, would you push to host this
internally??  Ideally it would tie into some sort of SSO or Federated
system like Shibboleth.

Thoughts?

David Pirolo
Warner Pacific College

This email has been scanned by a Spam/Virus Firewall. If your email has been classified as Spam please contact the 
HelpDesk at (209) 384-6180.