Educause Security Discussion mailing list archives
Re: student password requirements for third party sites
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Wed, 11 Jul 2012 00:03:14 +0000
As you mentioned, it would be best if the site uses SSO so that it doesn't have to store passwords at all. If the billboard site is going to store passwords, encourage them to use bcrypt, scrypt, or PBKDF2 for password hashing to reduce the risk of student accounts being compromised subsequent to an attack on their site. If they're using MD5/SHA, it's almost as bad as plain text. Steven Alexander Online Education Systems Manager Merced College alexander.s () mccd edu ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of David Pirolo [webmaster () WARNERPACIFIC EDU] Sent: Thursday, July 05, 2012 4:04 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] student password requirements for third party sites We are looking at adopting a 3rd party website to host our student billboard service (housing, lost/found, etc). To limit who can post, this site requires an institutional email address as the username. It also requires a password. I was thinking about this and wondering what risk these sorts of services pose to an institution as, most likely, the user will use the same password as the one they use to log into our systems. Since this is hosted offsite, one would just need to hack this site to get access to student accounts. I was having a conversation with the owner of this service and suggested it might be better to include a proxy service similar to ezproxy. I'm curious to know how other institutions have handled this? Do you ignore it and put up a disclaimer, would you push to host this internally?? Ideally it would tie into some sort of SSO or Federated system like Shibboleth. Thoughts? David Pirolo Warner Pacific College This email has been scanned by a Spam/Virus Firewall. If your email has been classified as Spam please contact the HelpDesk at (209) 384-6180.
Current thread:
- student password requirements for third party sites David Pirolo (Jul 05)
- Re: student password requirements for third party sites Steven Alexander (Jul 10)