
Colleagues,

  I have a question regarding a very large third party CRM vendor.  As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution.  We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system.

 

  We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a “best practice”.  I think it is simply being prudent, and that there is no reason for anyone to know another person’s authentication credentials.  What are your thoughts?  Is this over-the-top security?

 

Best regards,

Kev

 

Kevin Palmer

Chief Information Officer

Columbia College

1001 Rogers Street

Launer 9

Columbia, MO 65216

(573)875-7329

kpalmer@ccis.edu

www.ccis.edu

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

Kev,

 

You should post this on the Educause Security Listserv. I am sure that the responses would, at the very least, be amusing. We encrypt.

 

Thanks,

 

Frank

 

F. X. Moore III, Ph.D.

Vice President for Information Technology, CIO and

Chief Privacy Officer

Longwood University

201 High Street

Farmville, VA 23909

 

(434) 395-2034 (voice)

(434) 395-2035 (fax)

 

moorefx@longwood.edu

 

Longwood University will never ask for your password. Don't ever divulge your password to anyone.

 

Colleagues,

  I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue.

 

  I have a question regarding a very large third party CRM vendor.  As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution.  We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system.

 

  We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a “best practice”.  I think it is simply being prudent, and that there is no reason for anyone to know another person’s authentication credentials.  What are your thoughts?  Is this over-the-top security?

 

Best regards,

Kev

  

Kevin Palmer

Chief Information Officer

Columbia College

1001 Rogers Street

Launer 9

Columbia, MO 65216

(573)875-7329

kpalmer@ccis.edu

www.ccis.edu

 

Message from alexander.s@mccd.edu

I don’t think it’s over the top; it’s basic.  The passwords should be hashed using a strong password hashing scheme that uses salts and key stretching (not plain MD5).

 

As you point out, if the passwords are in plain text, the admissions folks and possibly others can see their passwords.  An attacker who compromises the system may also be able to see them.  The threat is primarily to the students, not the institution.  People reuse passwords.  A user with access to those passwords (authorized or not) can use them along with the students’ other information to compromise accounts the students have on other systems: Facebook, email, banking, etc.  If the password is used for access to other college systems, then having a student’s password would also allow someone to potentially access information not in the original application (grades, student email, financial aid).  Plaintext passwords are bad.

 

There should also be a mechanism in place for restricting who can see certain information such as social security numbers. 

 

Best regards,

 

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu

 

Message from ryan@ryanhiebert.com

Seconded. Plain text passwords are not acceptable.

Ryan Hiebert
Network Security Specialist
Pacific Union College

 

Encrypting passwords is essential for basic system security. It isn’t just best security practice: I think it would be challenging to talk about system security in any context where passwords were not encrypted.  

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brian Basgen

Director of Client Services (Acting)

& Information Security Officer

Pima Community College

Office: 520-206-4873

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Message from mclaugkl@ucmail.uc.edu

Agree, it's basic.


Kevin L. McLaughlin
Chief Information Security Officer (CISO) & Assistant Vice President
Administration & Finance
TEWG- Region 6 TLO

University of Cincinnati




Kevin,

Storing passwords in an encrypted format is not over-the-top at all. Assuming that your users are perfect, the biggest risk here is that their personal information stored in the application could be exposed/modified (there's the C and the I from the security triad) by a malicious user who gains access to the password database (either by being one of those authorized users or by exploiting a weakness in the software). I'm guessing that the information stored here isn't all publicly available, and could even include highly sensitive data like SSNs that would be a major headache if they were compromised and leaked.

As we know, few users are perfect. Most everyone reuses passwords, even among technical staff. What was previously a matter of the information stored in that system (which should be a major concern on its own), is now a matter of a malicious user potentially being able to impersonate this user on any of a number of other services where they have reused the login. If they reuse that password on their email account, then the attacker can now use that to reset any passwords that were set to something different.

Cleartext passwords (or poorly hashed ones) are pretty much the worst case scenario in my mind when talking about potential vulnerabilities in an application. (Many universities, mine included, have policies in place that state that no passwords shall be stored in an unencrypted format.)

Simply encrypting the passwords doesn't prevent everything bad. The data in the application could be exposed via other flaws, and all encryption can eventually be broken by a dedicated attacker who has gotten a copy of the data. That's the job of the rest of information security, though. Encrypted passwords are a good start and a perfectly reasonable request on your end.

--
Bob Bregant II
Office of Privacy and Information Assurance
University of Illinois at Urbana-Champaign
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3EF5417746B6DF9E
Quis custodiet ipsos custodes?

On 01/31/2012 05:00 PM, Palmer, Kevin wrote:
Message from valdis.kletnieks@vt.edu

On Tue, 31 Jan 2012 23:00:55 GMT, "Palmer, Kevin" said:
> We have asked about encrypting the passwords, and the vendor has told our
> folks that no one else in higher education is encrypting passwords

Gaak. This is like finding a brown M&M in the candy dish backstage at a Van Halen concert - at this point, you should *seriously* worry about what *ELSE* they are doing wrong.
Kevin,

I agree with everyone else here that it would be "best practice". However, I've seen that our industry hasn't taken to security well due to cost concerns and fear of "the man". Times are changing though and we are starting to have to take it more seriously, so it would be prudent to take action against this.

Not sure if your CRM is in any way tied to monetary transactions (since it's tied to admissions and enrollment), but it's practically a requirement if sensitive information is on, or can be associated with (same login passwords?), that system. If so, look at FERPA, FTC Red Flags rules, PCI and your local laws to determine what the requirements are. From what I've seen, the requirements set by the governing bodies really care more about how you are mitigating risks and establishing compensating controls for systems that can't be fully hardened for whatever reason. It's also dependent on what your institution classifies as sensitive material.

One could argue that you could be in for some steep fines or at least a credibility problem if any information was stolen and used elsewhere. How much is that worth to your institution and are they willing to take that risk?

David Pirolo
Warner Pacific College

On Tue, 2012-01-31 at 23:00 +0000, Palmer, Kevin wrote:
Kev,

We would never allow that.

Rick
Associate Provost for Technology & Information Systems
Wake Forest University


Kev,
Your inclination is correct. This is very bad vendor advice.  So bad that it has prompted me to do my first ever reply to this list!  Don't go along with this.  
Good luck,
Mike Bourque
CIO
Boston College




Hi,

We do not keep any unencrypted UNI passwords - we are using Kerberos for all of our passwords - I question the validity of the vendor's statement "no one else in higher education is encrypting passwords" - what is the context for this? The encryption applies to our University IDs. I do not know what vendors like Apply Yourself are doing internally, but I guess I will find out.

My 2 cents

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

--On Tuesday, January 31, 2012 11:00 PM +0000 "Palmer, Kevin" wrote:
I think you should contact their CEO, or maybe their CISO, and ask if he hides the keys to his Mercedes above the visor. This is so bad it's funny.

>>> "Moore, Frank" 01/31/12 13:33 PM >>>
Better yet, why don't they leave their credit card and driver's license with the admissions clerk for safe keeping.

Sent from my iPad
Any vendor who has the gall to say this would be removed from my list of trustworthy providers.  If a vendor says that something as basic as encrypting passwords "would be difficult" I hear them saying "we care more about our lack of effort than we do about your security." 
 
Encrypted passwords are basic best practice security - demand it.
 


 
 
Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu


>>> On Tuesday, January 31, 2012 at 6:00 PM, "Palmer, Kevin" <kpalmer@CCIS.EDU> wrote:


Message from dsarazen@umassp.edu

I have to agree with Joel and Robert. That statement took me by surprise and the vendor should be considered suspect.

 

Good Luck!

 

:: Daniel Sarazen, CISSP, CISA

:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558

:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen@umassp.edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

 


 

 

 

Message from r-safian@northwestern.edu

Would this happen to be ApplyYourself?  I had a very similar conversation with them several months ago, and if I am not mistaken there was some discussion here as well.

 

Hi Roger,

  Being that this is an open list, I prefer not to name the vendor but will send it to you off-line.

Thanks

Kev

 

Kevin Palmer

CIO – Columbia College

 

Message from r-safian@northwestern.edu

 

IMHO, and not trying to be confrontational here, that only benefits the vendor, who gets to hide in anonymity, and then give the same story to the next person who contacts them.  One of the advantages of a list such as this is that it can put pressure on a company to do the right thing.

 

That being said, I understand your position. 

 

Kevin,

This would never be acceptable for us.  I concur with the other comments on this thread.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


I suspect your vendor sends the users their actual passwords instead of a reset when a “lost password request” is made.

 

I usually try to look at an issue from both sides in order to understand why I might NOT want something, but I just can’t see your vendor’s side on this.   And in all honesty, my initial reaction to what your vendor told you isn’t appropriate to be posted here.  But, from a neurotic security-person point of view, I’d go one step further.  If your usernames/passwords were stored unencrypted AND ACCESSIBLE as you describe, I’d notify all the account holders to change their passwords (after getting the mechanism properly encrypted).

 

-Brian

 

Harvard's rule is that passwords must not be recoverable at all (one-way encryption).

Anything else lets the system manager masquerade as the user, and later lets the system manager get the user's password, which the user too frequently uses elsewhere.

So I'd go a step even further and dump any vendor that can send a user their password (sending the user a 1-time password to be used to create a new one is fine).

Scott O Bradner

Harvard University Information Technology
Innovation & Architecture
(P) +1 (617) 495 3864
29 Oxford St. Rm 407
Cambridge, MA 02138



Brian,

  Excellent point regarding the password change after encryption… we will incorporate into our change plan.

 

Best regards,

Kev

 

Kevin Palmer

CIO – Columbia College

 

Hi,

While I share everyone's concern about plain text passwords, there *are* many, many, mainstream applications that *do* store passwords unencrypted, and often in ways that are publicly accessible. (Anyone skeptical of this can quickly lose that skepticism via a little Google dorking, e.g., see for example http://www[dot]exploit-db[dot]com/google-dorks/9/ )

From my POV, the *real* issue is this: given that plain text passwords ARE out there all over the place, how do we get that problem sorted?

I suspect that a straightforward find-and-notify strategy might be an excellent way to trigger a "shoot the messenger bearing bad news" sort of reaction, unfortunately.

Regards,

Joe
I'd have to agree with Joe here. Since it really isn't a requirement or a law to not store in plain text, rather it is just a best practice, the only ammo we have is putting pressure on the vendors by using the products that do adhere to best practice. The increasing pressure and monetary fines we face from our regulatory bodies are really making it more vital to increase the pressure on our vendors. The best way to put pressure on a vendor is to threaten to, and then start, evaluating a competitor who is keeping up with the times.

-David

On Wed, 2012-02-01 at 16:21 -0800, Joe St Sauver wrote:
Colleagues,

I concur with the consensus of the group - that is a "worst practice" situation.

Cal


==================================
Cal Coursey
Associate Chief Information Officer
Washington College
300 Washington Avenue
Chestertown, MD 21620
Phone:  410-778-7894
Fax:    410-778-7830
email: ccoursey2@washcoll.edu
web:   http://oit.washcoll.edu/is.php
==================================



Passwords must ALWAYS be stored encrypted.

 

Chip

Chip Eckardt
CIO
University of Wisconsin-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
Phone: (715) 836-2381 Fax (715) 836-6001
eckardpp@uwec.edu

 

 

 

Absolutely the passwords should be encrypted. It's one of the things on our check-list of evaluating vendor product.

Bill Betlej
Mary Baldwin College 

Message from shelf@westernu.edu

For our home grown, Academic Progress Portal solution, we go one step further: We hash passwords, and use different password salts for that hash, so even a DBA w/ full access to the un/pw tables would have a very, very difficult time deriving the passwords of the users.

 

Security is by design, before code, from day one.

 

It may be that your vendor should attend Defcon (http://defcon.org ) and / or read “The Web Hacker’s Handbook” (http://goo.gl/rv5K8 ) for some education and a reality check re. actual, day-to-day, widely used and published, security threats.

 

My apologies if this sounds snarky, which I don’t mean to be—we are emphatic and passionate about this issue of security first, when it comes to software design.

 

Respectfully,

 

Scott Helf, DO, MSIT

Chief Technology Officer-COMP

Director, Academic Informatics

Assistant Professor

 

Department of Academic Informatics

Office of Academic Affairs

College of Osteopathic Medicine of the Pacific

Western University of Health Sciences

309 East 2nd Street

Pomona, CA  91766

 

909-781-4353

shelf@westernu.edu

 

www.westernu.edu

 

 

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bill Betlej

Sent: Monday, February 06, 2012 12:42 PM

To: CIO@LISTSERV.EDUCAUSE.EDU

Subject: Re: [CIO] Password security

 

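The storage design several list members describe, pulled together in one place: Steven Alexander's salted, key-stretched hashing (rather than plain MD5), Scott Helf's per-user salts so that even a DBA with full table access cannot derive passwords, Scott Bradner's rule that a password must never be recoverable (only a one-time token on reset), and Brian's advice to force a password change once a cleartext store is migrated. This is an added Python example written for this page, not code from any list member or vendor; the record format, field names and function names are my own choices.

```python
# Added example, not from any message in this thread: salted, key-stretched
# password records plus a single-use reset token. Standard library only; the
# record format, field names and function names are my own choices.
import hashlib
import hmac
import os
import secrets
import time

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # key stretching: slows offline guessing on a stolen table
RESET_TOKEN_TTL = 15 * 60   # seconds a one-time reset token stays valid


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so a DBA reading the table (or a precomputed rainbow
    table) cannot map a digest back to a password across accounts.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    A record that is not in the hashed format (e.g. a leftover cleartext
    entry) is rejected rather than compared as-is.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_plaintext_store(plaintext_store: dict) -> dict:
    """Convert a {username: cleartext} table into hashed account records.

    Every migrated account is flagged must_change: once passwords were
    readable by staff they should be treated as exposed, so users are made
    to pick new ones at next login.
    """
    return {
        user: {"record": hash_password(pw), "must_change": True}
        for user, pw in plaintext_store.items()
    }


def issue_reset_token(account: dict) -> str:
    """Create a single-use reset token; only its hash and expiry are stored.

    The password cannot be recovered from the record, so a "lost password"
    flow can only hand out a token that lets the user set a new one.
    """
    token = secrets.token_urlsafe(32)
    account["reset"] = {
        "digest": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": time.time() + RESET_TOKEN_TTL,
    }
    return token


def redeem_reset_token(account: dict, token: str, new_password: str) -> bool:
    """Consume the pending token (any attempt spends it) and set a new password."""
    pending = account.pop("reset", None)
    if pending is None or time.time() > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["digest"]):
        return False
    account["record"] = hash_password(new_password)
    account["must_change"] = False
    return True


if __name__ == "__main__":
    # Constructed sample of the kind of table described in the thread:
    # cleartext passwords readable by anyone with access to the user table.
    legacy = {"applicant1": "Tr0ub4dor&3", "applicant2": "Tr0ub4dor&3"}
    accounts = migrate_plaintext_store(legacy)
    # Same password, different records, because each record has its own salt.
    print(accounts["applicant1"]["record"][:48] + "...")
    print(accounts["applicant2"]["record"][:48] + "...")
    token = issue_reset_token(accounts["applicant1"])
    print("reset ok:", redeem_reset_token(accounts["applicant1"], token, "new passphrase"))
    print("reused token ok:", redeem_reset_token(accounts["applicant1"], token, "again"))
```

The `$`-separated record carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed at next successful login without a second migration.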

I think you should ask them which other schools have that software and then write the other schools' security officers to see if un-encrypted passwords are ok with them.  I am betting they mostly don't know and I am sure it is something most of them would like to know.

Neal McCorkle
NCSU

Message from shelf@westernu.edu

Sorry to pipe in, again, but when would storing passwords in clear text ever be okay?

 

Maybe I am missing something, but, I have a very, very hard time imagining storing passwords that way.

 

I.e., consensus, even at the CIO (or CEO, or President Obama level) does not a good or secure system make. Let the tech and security folks determine the correct design, and execute. This is a design / engineering issue, not political or consensus issue.

 

Don’t mean to start a flame war here, but, clearly, this is something, not just IMHO, but in the abstract, and absolute, needs to be fixed. That, or get “p4wn3d” as the “l33t h4x0rs” might put it.

 

It is only a matter of time, unless it has already happened…

 

And Kevin, I 100% agree w/ you that no one should ever know, or be able to derive, another’s credentials. That is not only bad, and unacceptable, but, truly, a dangerous software design flaw.

 

Now that the company knows and has been questioned about it, this may be a liability (read, legal, lawsuits, etc.) issue for the vendor and/or college, should they ever get hacked from inside or out, which, it seems, would be on the level of kiddie script stuff, from what is posted below.

 

Do you have a Chief Security Officer you can run this one by, Kev?

 

Respectfully,

 

-sch

 

 

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Neal McCorkle
Sent: Monday, February 06, 2012 1:08 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Password security

 


Message from alfred.essa@gmail.com

I want to second Bill Betlej's note. Although I now work for a vendor (Desire2Learn), most of my career I have been a CIO at several higher education institutions. I have also been responsible for enterprise infrastructure services, including operational security, for one of the largest higher education systems in the country. 
  • Storing or transmitting passwords in clear text is never acceptable. Don't let anyone tell you otherwise.
  • Storing and transmitting encrypted passwords is trivial. If the vendor is telling you it's hard, my advice is run. You don't know what other corners they are likely to cut.

From a baseline security perspective passwords should never be stored nor transmitted in clear text. NEVER. 

Alfred Essa
Director of Innovation, Analytics Strategy
Desire2Learn Incorporated
1-519-772-0325 x251

Alfred.Essa@Desire2Learn.com



Message from alfred.essa@gmail.com

I agree completely with Scott. 

Hello Everyone,

 

I recently wrote a few posts about password security that I think (hope) will be of interest to the list.  One of my primary motivations for writing these posts is that a lot of the advice/best practices that we have seem to be folk wisdom.  Is 8 characters really a good minimum password length?  Why not 7, or 9, or 15?

 

The posts are on my blog at http://bugcharmer.blogspot.com .  I’m planning to write more on various application security issues, but everything I have so far is about passwords.  I would love feedback, but please respond off-list unless you think it will be of general interest.

 

In case you want to jump to a specific topic, here are some additional links:

 

An introduction/history of password security (the post links to an article I published elsewhere)

http://bugcharmer.blogspot.com/2012/06/introduction-to-password-protection.html

 

What are we trying to prevent?  What is the purpose of password salting/stretching, delay timers, lockouts, etc?

http://bugcharmer.blogspot.com/2012/06/passwords-attacks-and-threats.html

 

How long should passwords really be? 

http://bugcharmer.blogspot.com/2012/06/how-long-should-passwords-be.html

 

Rainbow tables aren’t as powerful as people think.

http://bugcharmer.blogspot.com/2012/06/rainbow-tables-not-considered-harmful.html

 

Regards,

 

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu
