Main Nav

We are looking at adopting a 3rd party website to host our student billboard service (housing, lost/found, etc). To limit who can post, this site requires an institutional email address as the username. It also requires a password. I was thinking about this and wondering what risk these sorts of services pose to an institution as, most likely, the user will use the same password as the one they use to log into our systems. Since this is hosted offsite, one would just need to hack this site to get access to student accounts. I was having a conversation with the owner of this service and suggested it might be better to include a proxy service similar to ezproxy. I'm curious to know how other institutions have handled this? Do you ignore it and put up a disclaimer, would you push to host this internally?? Ideally it would tie into some sort of SSO or Federated system like Shibboleth. Thoughts? David Pirolo Warner Pacific College


As you mentioned, it would be best if the site uses SSO so that it doesn't have to store passwords at all. If the billboard site is going to store passwords, encourage them to use bcrypt, scrypt, or PBKDF2 for password hashing to reduce the risk of student accounts being compromised subsequent to an attack on their site. If they're using MD5/SHA, it's almost as bad as plain text. Steven Alexander Online Education Systems Manager Merced College ________________________________________