Password security

Posted by kpalmer@ccis.edu on January 31, 2012

Colleagues,

I have a question regarding a very large third party CRM vendor. As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution. We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system.

We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a “best practice”. I think it is simply being prudent, and that there is no reason for anyone to know another persons’ authentication credentials. What are your thoughts? Is this over-the-top security?

Best regards,

Kev

Kevin Palmer

Chief Information Officer

Columbia College

1001 Rogers Street

Launer 9

Columbia, MO 65216

(573)875-7329

kpalmer@ccis.edu

www.ccis.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Attachment	Size
image001.jpg	2.91 KB

Post a Comment

Comments

Kev,

You should post this on the Educause Security Listserv. I am sure that the responses would, at the very least, be amusing. We encrypt.

Thanks,

Frank

F. X. Moore III, Ph.D.

Vice President for Information Technology, CIO and

Chief Privacy Officer

Longwood University

201 High Street

Farmville, VA 23909

(434) 395-2034 (voice)

(434) 395-2035 (fax)

moorefx@longwood.edu

Longwood University will never ask for your password. Don't ever divulge your password to anyone.

Posted by: moorefx@longwood.edu on January 31, 2012

Colleagues,

I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue.

Best regards,

Kev

Kevin Palmer

Chief Information Officer

Columbia College

1001 Rogers Street

Launer 9

Columbia, MO 65216

(573)875-7329

kpalmer@ccis.edu

www.ccis.edu

Posted by: kpalmer@ccis.edu on January 31, 2012

Message from alexander.s@mccd.edu

I don’t think it’s over the top; it’s basic. The passwords should be hashed using a strong password hashing scheme that uses salts and key stretching (not plain MD5).

As you point out, if the passwords are in plain text, the admissions folks and possibly others can see their passwords. An attacker who compromises the system may also be able see them. The threat is primarily to the students, not the institution. People reuse passwords. An user with access to those passwords (authorized or not) can use them along with the students’ other information to compromise accounts the students have on other systems: Facebook, email, banking, etc. If the password is used for access to other college systems, then having a student’s password would also allow someone to potentially access information not in the original application (grades, student email, financial aid). Plaintext passwords are bad.

There should also be a mechanism in place for restricting who can see certain information such as social security numbers.

Best regards,

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu

Posted by: listserv-anon on January 31, 2012

Message from ryan@ryanhiebert.com

Seconded. Plain text passwords are not acceptable.

Ryan Hiebert

Network Security Specialist

Pacific Union College

Posted by: listserv-anon on January 31, 2012

Encrypting passwords is essential for basic system security. It isn’t just best security practice: I think it would be challenging to talk about system security in any context where passwords were not encrypted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brian Basgen

Director of Client Services (Acting)

& Information Security Officer

Pima Community College

Office: 520-206-4873

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Posted by: bbasgen on January 31, 2012

Message from mclaugkl@ucmail.uc.edu

Agree, it's basic.

Kevin L. McLaughlin

Chief Information Security Officer (CISO) & Assistant Vice President

Administration & Finance

TEWG- Region 6 TLO

University of Cincinnati

Posted by: listserv-anon on January 31, 2012

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin, Storing passwords in an encrypted format is not over-the-top at all. Assuming that your users are perfect, the biggest risk here is that their personal information stored in the application could be exposed/modified (there's the C and the I from the security triad) by a malicious user who gains access to the password database (either by being one of those authorized users or by exploiting a weakness in the software). I'm guessing that the information stored here isn't all publicly available, and could even include highly sensitive data like SSNs that would be a major headache if they were compromised and leaked. As we know, few users are perfect. Most everyone reuses passwords, even among technical staff. What was previously a matter of the information stored in that system (which should be a major concern on its own), is now a matter of a malicious user potentially being able to impersonate this user on any of a number of other services where they have reused the login. If they reuse that password on their email account, then the attacker can now use that to reset any passwords that were set to something different. Cleartext passwords (or poorly hashed ones) are pretty much the worst case scenario in my mind when talking about potential vulnerabilities in an application. (Many universities, mine included, have policies in place that state that no passwords shall be stored in an unencrypted format.) Simply encrypting the passwords doesn't prevent everything bad. The data in the application could be exposed via other flaws, and all encryption can eventually be broken by a dedicated attacker who has gotten a copy of the data. That's the job of the rest of information security, though. Encrypted passwords are a good start and a perfectly reasonable request on your end. - -- Bob Bregant II Office of Privacy and Information Assurance University of Illinois at Urbana-Champaign PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3EF5417746B6DF9E Quis custodiet ipsos custodes? On 01/31/2012 05:00 PM, Palmer, Kevin wrote: > Colleagues, > I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue. > > I have a question regarding a very large third party CRM vendor. As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution. We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system. > > We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a "best practice". I think it is simply being prudent, and that there is no reason for anyone to know another persons' authentication credentials. What are your thoughts? Is this over-the-top security? > > Best regards, > Kev > > Kevin Palmer > Chief Information Officer > Columbia College > 1001 Rogers Street > Launer 9 > Columbia, MO 65216 > (573)875-7329 > kpalmer@ccis.edu > www.ccis.edu > > [Description: Description: Description: Description: Description: Description: Description: Description: CC_logo_4c_colorbuild_lg] > > -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAk8oeP4ACgkQPvVBd0a23543ZACg2tw7J+0x6rGigyRQtMIv03Gy exoAmgPKR+8wrzXiQUYaQGVLjUgigLtn =q9Kr -----END PGP SIGNATURE-----

Posted by: bregant2@illino... on January 31, 2012

Message from valdis.kletnieks@vt.edu

On Tue, 31 Jan 2012 23:00:55 GMT, "Palmer, Kevin" said: > We have asked about encrypting the passwords, and the vendor has told our > folks that no one else in higher education is encrypting passwords Gaak. This is like finding a brown M&M in the candy dish backstage at an Van Halen concert - at this point, you should *seriously* worry about what *ELSE* they are doing wrong.

Posted by: listserv-anon on January 31, 2012

Kevin, I agree with everyone else here that it would be "best practice". However, I've seen that our industry hasn't taken to security well due to cost concerns and fear of "the man". Times are changing though and we are starting to have to take it more seriously so it would be prudent to take action against this. Not sure if your CRM is any way tied to monetary transactions (since it's tied to admissions and enrollment), but it's practically a requirement if sensitive information is on, or can be associated with (same login passwords?), that system. If so, look at FERPA, FTC Red Flags rules, PCI and your local laws to determine what the requirements are. From what I've seen, the requirement set by the governing bodies really care more how you are mitigating risks and establishing compensating controls for systems that can't be fully hardened for whatever reason. It's also dependent on what your institution classifies as sensitive material. One could argue that you could be in for some steep fines or at least a credibility problem if any information was stolen and used elsewhere. How much is that worth to your institution and are they willing to take that risk? David Pirolo Warner Pacific College On Tue, 2012-01-31 at 23:00 +0000, Palmer, Kevin wrote: > Colleagues, > > I apologize in advance for the cross listing, but it was suggested > that this list may have some interesting responses to this issue. > > > > I have a question regarding a very large third party CRM vendor. As > expected, the vendor allows users (leads/applicants) to set up > password-protected accounts to enter in general and sensitive > information about themselves and eventually use this and additional > information to submit an application to the institution. We (Tech > staff) have recently learned that the user passwords are stored in > clear text, and are available to the employees in admissions who work > on the system. > > > > We have asked about encrypting the passwords, and the vendor has > told our folks that no one else in higher education is encrypting > passwords and that it would be difficult, leading our > admissions/enrollment management folks to question whether or not this > is a “best practice”. I think it is simply being prudent, and that > there is no reason for anyone to know another persons’ authentication > credentials. What are your thoughts? Is this over-the-top security? > > > > Best regards, > > Kev > > > > Kevin Palmer > > Chief Information Officer > > Columbia College > > 1001 Rogers Street > > Launer 9 > > Columbia, MO 65216 > > (573)875-7329 > > kpalmer@ccis.edu > > www.ccis.edu > > > > Description: Description: Description: Description: Description: > Description: Description: Description: CC_logo_4c_colorbuild_lg > > > >

Posted by: WPwebmaster on January 31, 2012

Kev,

We would never allow that.

Rick

--
Rick Matthews

Associate Provost for Technology & Information Systems

Wake Forest University

Posted by: rick1matthews on January 31, 2012

Kev,

Your inclination is correct. This is very bad vendor advice. So bad that it has prompted me to do my first ever reply to this list! Don't go along with this.

Good luck,

Mike Bourque

CIO

Boston College

Posted by: mikebourque on January 31, 2012

Hi, We do not keep any unencrypted UNI passwords - we are using Kerberos for all of our passwords - I question the validity of the vendors statement "no one else in higher education is encrypting passwords" - what is the context for this? The encryption applies to our University Ids. I do not know what vendors like Apply Yourself are doing internally, but I guess I will find out. My 2 cents Joel Rosenblatt Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3 --On Tuesday, January 31, 2012 11:00 PM +0000 "Palmer, Kevin" wrote: > Colleagues, > I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue. > > I have a question regarding a very large third party CRM vendor. As expected, the vendor allows users (leads/applicants) to set up password-protected > accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the > institution. We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who > work on the system. > > We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it > would be difficult, leading our admissions/enrollment management folks to question whether or not this is a "best practice". I think it is simply being > prudent, and that there is no reason for anyone to know another persons' authentication credentials. What are your thoughts? Is this over-the-top security? > > Best regards, > Kev > > Kevin Palmer > Chief Information Officer > Columbia College > 1001 Rogers Street > Launer 9 > Columbia, MO 65216 > (573)875-7329 > kpalmer@ccis.edu > www.ccis.edu > > [Description: Description: Description: Description: Description: Description: Description: Description: CC_logo_4c_colorbuild_lg] > Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

Posted by: jlrcu on January 31, 2012

I think you should contact their CEO, or maybe their CISO, and ask if he hides the keys to his Mercedes above the visor. This is so bad it's funny. >>> "Moore, Frank" 01/31/12 13:33 PM >>> Kev, You should post this on the Educause Security Listserv. I am sure that the responses would, at the very least, be amusing. We encrypt. Thanks, Frank F. X. Moore III, Ph.D. Vice President for Information Technology, CIO and Chief Privacy Officer Longwood University 201 High Street Farmville, VA 23909 (434) 395-2034 (voice) (434) 395-2035 (fax) moorefx@longwood.edu Longwood University will never ask for your password. Don't ever divulge your password to anyone.

Posted by: rahmc on January 31, 2012

Better yet, why doN't they leave their credit card and drivers license with the admissions clerk for safe keeping keeping. Sent from my iPad

Posted by: syoung on February 1, 2012

Any vendor who has the gall to say this would be removed from my list of trustworthy providers. If a vendor says that something as basic as encrypting passwords "would be difficult" I hear them saying "we care more about our lack of effort than we do about your security."

Encrypted passwords are basic best practice security - demand it.

Robert E. Meyers, Ms.Ed.
Educational Program Manager
Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu

>>> On Tuesday, January 31, 2012 at 6:00 PM, "Palmer, Kevin" <kpalmer@CCIS.EDU> wrote:

Colleagues,

I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue.

We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a "best practice". I think it is simply being prudent, and that there is no reason for anyone to know another persons' authentication credentials. What are your thoughts? Is this over-the-top security?

Best regards,

Kev

Kevin Palmer

Chief Information Officer

Columbia College

1001 Rogers Street

Launer 9

Columbia, MO 65216

(573)875-7329

kpalmer@ccis.edu

www.ccis.edu

Posted by: remeyers on February 1, 2012

Message from dsarazen@umassp.edu

I Have to agree with Joel and Robert. That statement took me by surprise and the vendor should be considered suspect.

Good Luck!

:: Daniel Sarazen, CISSP, CISA

:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558

:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen@umassp.edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

Confidentiality Note: This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.

Posted by: listserv-anon on February 1, 2012

Message from r-safian@northwestern.edu

Would this happen to be ApplyYourself? I had a very similar conversation with them several months ago, and if I am not mistaken there was some discussion here as well.

Posted by: listserv-anon on February 1, 2012

Hi Roger,

Being that this is an open list, I prefer not to name the vendor but will send it to you off-line.

Thanks

Kev

Kevin Palmer

CIO – Columbia College

Posted by: kpalmer@ccis.edu on February 1, 2012

Message from r-safian@northwestern.edu

IMHO, and not trying to be confrontational here, that only benefits the vendor, who, gets to hide in anonymity, and then give the same story to the next person who contacts them. One of the advantages of a list such as this is that it can put pressure on a company to do the right thing.

That being said, I understand your position.

Posted by: listserv-anon on February 1, 2012

Kevin,

This would never be acceptable for us. I concur with the other comments on this thread.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY 13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________

Posted by: jmoreau on February 1, 2012

I suspect your vendor sends the users their actual passwords instead of a reset when a “lost password request” is made.

I usually try to look at an issue from both sides in order to understand why I might NOT want something, but I just can’t see your vendor’s side on this. And in all honesty, my initial reaction to what your vendor told you isn’t appropriate to be posted here. But, from a neurotic –security-person point of view, I’d go one step further. If your usernames/passwords were stored unencrypted AND ACCESSIBLE as your describe, I’d notify all the account holders to change their passwords (after getting the mechanism properly encrypted).

-Brian

Posted by: bhelman on February 1, 2012

Harvard's rule is that passwords must not be recoverable at all (one-way encryption)

anything else lets the system manager masquerade as the user and later the system

manager get the user's password, which the user too frequently uses elsewhere

so I'd go a step even further and dump any vendor that can send a user their password

(sending the user a 1-time password to be used to create a new one is fine)

Scott O Bradner

Harvard University Information Technology

Innovation & Architecture

(P) +1 (617) 495 3864

29 Oxford St. Rm 407

Cambridge, MA 02138

Posted by: sob@harvard.edu on February 1, 2012

Bryan,

Excellent point regarding the password change after encryption… we will incorporate into our change plan.

Best regards,

Kev

Kevin Palmer

CIO – Columbia College

Posted by: kpalmer@ccis.edu on February 1, 2012

Hi, While I share everyone's concern about plain text passwords, there *are* many, many, mainstream applications that *do* store passwords unencrypted, and often in ways that are publicly accessible. (Anyone skeptical of this can quickly lose that skepticism via a little Google dorking, e.g., see for example http://www[dot]exploit-db[dot]com/google-dorks/9/ ) From my POV, the *real* issue is this: given that plain text passwords ARE out there all over the place, how do we get that problem sorted? I suspect that a straightforward find-and-notify strategy might be an excellent way to trigger a "shoot the messenger bearing bad news" sort of reaction, unfortunately. Regards, Joe

Posted by: joe1 on February 1, 2012

I'd have to agree with Joe here. Since it really isn't a requirement or a law to not store in plain-text, rather is just a best practice, the only ammo we have is putting pressure on the vendors by using the products that do adhere to best practice. The increasing pressure and monetary fines we face from our regulatory bodies are really making this more vital to increase the pressure on our vendors. Best way to put pressure on a vendor is to threaten to and start evaluating a competitor who is keeping up with the times. -David On Wed, 2012-02-01 at 16:21 -0800, Joe St Sauver wrote: > Hi, > > While I share everyone's concern about plain text passwords, there > *are* many, many, mainstream applications that *do* store passwords > unencrypted, and often in ways that are publicly accessible. > (Anyone skeptical of this can quickly lose that skepticism via a > little Google dorking, e.g., see for example > http://www[dot]exploit-db[dot]com/google-dorks/9/ ) > > From my POV, the *real* issue is this: given that plain text passwords > ARE out there all over the place, how do we get that problem sorted? > > I suspect that a straightforward find-and-notify strategy might be an > excellent way to trigger a "shoot the messenger bearing bad news" sort > of reaction, unfortunately. > > Regards, > > Joe

Posted by: WPwebmaster on February 2, 2012

Colleagues,

I concur with the consensus of the group - that is a "worst practice" situation.

Cal

==================================
Cal Coursey
Associate Chief Information Officer
Washington College
300 Washington Avenue
Chestertown, MD 21620
Phone: 410-778-7894
Fax: 410-778-7830
email: ccoursey2@washcoll.edu
web: http://oit.washcoll.edu/is.php
==================================

Colleagues,

I have a question regarding a very large third party CRM vendor. As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution. We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system.

We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a “best practice”. I think it is simply being prudent, and that there is no reason for anyone to know another persons’ authentication credentials. What are your thoughts? Is this over-the-top security?

Best regards,

Kev

Kevin Palmer

Chief Information Officer

Columbia College

1001 Rogers Street

Launer 9

Columbia, MO 65216

(573)875-7329

kpalmer@ccis.edu

www.ccis.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: Cal Coursey on February 6, 2012

Passwords must ALWAYS be stored encrypted.

Chip

Chip Eckardt
CIO
University of Wisconsin-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
Phone: (715) 836-2381 Fax (715) 836-6001
eckardpp@uwec.edu

Posted by: eckardpp on February 6, 2012

Absolutely the passwords should be encrypted. It's one of the things on our check-list of evaluating vendor product.

Bill Betlej

Mary Baldwin College

Posted by: bbetlej on February 6, 2012

Message from shelf@westernu.edu

For our home grown, Academic Progress Portal solution, we go one step further: We hash passwords, and use different password salts for that hash, so even a DBA w/ full access to the un/pw tables would have a very, very difficult time deriving the passwords of the users.

Security is by design, before code, from day one.

It may be that your vendor should attend Defcon (http://defcon.org ) and / or read “The Web Hacker’s Handbook” (http://goo.gl/rv5K8 ) for some education and a reality check re. actual, day-to-day, widely uses and published, security threats.

My apologies if this sounds snarky, which I don’t mean to be—we are emphatic and passionate about this issue of security first, when it comes to software design.

Respectfully,

Scott Helf, DO, MSIT

Chief Technology Officer-COMP

Director, Academic Informatics

Assistant Professor

Department of Academic Informatics

Office of Academic Affairs

College of Osteopathic Medicine of the Pacific

Western University of Health Sciences

309 East 2nd Street

Pomona, CA 91766

909-781-4353

shelf@westernu.edu

www.westernu.edu

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bill Betlej

Sent: Monday, February 06, 2012 12:42 PM

To: CIO@LISTSERV.EDUCAUSE.EDU

Subject: Re: [CIO] Password security

Absolutely the passwords should be encrypted. It's one of the things on our check-list of evaluating vendor product.

Bill Betlej

Mary Baldwin College

Posted by: listserv-anon on February 6, 2012

I think you should ask them which other school has that software and then write the other schools security officers to see if un-encrypted passwords is ok with them. I am betting they mostly don't know and I am sure it is something most of them would like to know.

Neal McCorkle
NCSU

Posted by: NealMcCorkle on February 6, 2012

Message from shelf@westernu.edu

Sorry to pipe in, again, but when would storing passwords in clear text ever be okay?

Maybe I am missing something, but, I have a very, very hard time imagining storing passwords that way.

I.e., consensus, even at the CIO (or CEO, or President Obama level) does not a good or secure system make. Let the tech and security folks determine the correct design, and execute. This is a design / engineering issue, not political or consensus issue.

Don’t mean to start a flame war here, but, clearly, this is something, not just IMHO, but in the abstract, and absolute, needs to be fixed. That, or get “p4wn3d” as the “l33t h4x0rs” might put it.

It is only a matter of time, unless it has already happened…

And Kevin, I 100% agree w/ you that no one should ever know, or be able to derive, another’s’ credentials. That is not only bad, and unacceptable, but, truly, a dangerous software design flaw.

Now that the company knows and has been questioned about it, this may be a liability (read, legal, lawsuits, etc.) issue for the vendor and/or college, should they ever get hacked from inside or out, which, it seems, would be on the level of kiddie script stuff, from what is posted below.

Do you have a Chief Security Officer you can run this one by, Kev?

Respectfully,

-sch

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Neal McCorkle
Sent: Monday, February 06, 2012 1:08 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Password security

Posted by: listserv-anon on February 6, 2012

Message from alfred.essa@gmail.com

I want to second Bill Betlej's note. Although I now work for a vendor (Desire2Learn), most of my career I have been a CIO at several higher education institutions. I have also been responsible for enterprise infrastructure services, including operational security, for one of the largest higher education systems in the country.

Storing or transmitting passwords in clear text is never acceptable. Don't let anyone tell you otherwise.
Storing and transmitting encrypted passwords is trivial. If the vendor is telling you it's hard, my advice is run. You don't know what other corners they are likely to cut.

From a baseline security perspective passwords should never be stored nor transmitted in clear text. NEVER.

Alfred Essa
Director of Innovation, Analytics Strategy
Desire2Learn Incorporated
1-519-772-0325 x251

Alfred.Essa@Desire2Learn.com

Posted by: listserv-anon on February 6, 2012

Message from alfred.essa@gmail.com

I agree completely with Scott.

Posted by: listserv-anon on February 6, 2012

Hello Everyone,

I recently wrote a few posts about password security that I think (hope) will be of interest to the list. One of my primary motivations for writing these posts is that a lot of the advice/best practices that we have seem to be folk wisdom. Is 8 characters really a good minimum password length? Why not 7, or 9, or 15?

The posts are on my blog at http://bugcharmer.blogspot.com . I’m planning to write more on various application security issues, but everything I have so far is about passwords. I would love feedback, but please respond off-list unless you think it will be of general interest.

In case you want to jump to a specific topic, here are some additional links:

An introduction/history of password security (the post links to an article I published elsewhere)

http://bugcharmer.blogspot.com/2012/06/introduction-to-password-protection.html

What are we trying to prevent? What is the purpose of password salting/stretching, delay timers, lockouts, etc?

http://bugcharmer.blogspot.com/2012/06/passwords-attacks-and-threats.html

How long should passwords really be?

http://bugcharmer.blogspot.com/2012/06/how-long-should-passwords-be.html

Rainbow tables aren’t as powerful as people think.

http://bugcharmer.blogspot.com/2012/06/rainbow-tables-not-considered-harmful.html

Regards,

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu

Posted by: alexander.s@mccd.edu on June 25, 2012

Main Nav

Publications

Research

Major Conferences

Online Events

Special Topic Events

Events for all Levels and Interests

Career Center

Leadership and Management Programs

Fellowships and Awards

Getting Involved

Jump Start Your Career Growth

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

Join These Programs If Your Focus Is

From the Blogs

Find Others

Share Ideas

Get on the Higher Ed IT Map

2013 Strategic Priorities

Membership

Who We Are

Stay Informed

Uncommon Thinking for the Common Good™

Comments

Recommend

Research and Publications

Conferences and Events

Career Development

Focus Areas and Initiatives

Connect and Contribute

About EDUCAUSE

Publications

Research

Major Conferences

Online Events

Special Topic Events

Events for all Levels and Interests

Career Center

Leadership and Management Programs

Fellowships and Awards

Getting Involved

Jump Start Your Career Growth

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

Join These Programs If Your Focus Is

From the Blogs

Find Others

Share Ideas

Get on the Higher Ed IT Map

2013 Strategic Priorities

Membership

Who We Are

Stay Informed

Uncommon Thinking for the Common Good™