[brlug-general] Email passwords are.. special?
Tim Fournet
tfournet at tfour.net
Thu Feb 15 11:47:44 CST 2007
You're assuming someone would be able to hack out an email password from
a stolen device. I doubt many devices actually store the passwords in an
easy-to-access cleartext sort of way. Usually this will require a
brute-force attempt on the device, which would be extremely difficult
given the nature of getting data out of a cell phone, for example.

We host email for users that use mobile devices. These devices use
specialized software to push the email to them. With the software we use
(NotifyLink), the device doesn't even know the true email password of
the user. That information is stored on an intermediate server that sits
between the real mail server and the user's device to push out that
information. I'm pretty sure that the Blackberry Enterprise Server does
something similar. I know that the basic Blackberry services that the
cell phone providers offer do the same as well.

Even if it is possible to somehow crack those passwords, given enough
time, it would also be assumed that the user will notice that he's had a
theft, and have been able to change his password as well. This is where
it's advantageous to use a single sign-on for all his services. That way
he's got a single password to have to change and most likely has an easy
way to either do it himself or get administrative assistance in doing it.

If we're using separate passwords for email and other services, then the
user may not even realize that fact. If he gets an email device stolen,
he may change his password for 'other' services, not knowing that his
email is still getting to the device. The thief then can potentially
read that user's email, or masquerade as him and cause all kinds of damage.

In the case of a VPN client, it's within the policies of many VPN
clients to not save passwords, and require the user to enter passwords
for every login.

Considering the above, my vote is for a single, well protected, easy to
change password for all of a user's activities. This keeps things very
simple and makes it possible to enforce password complexity. It's a lot
easier for a user to remember one complex password than many. In the
event his secret password does get compromised, it's a one-step task to
change it.

I've had a lot of success hosting accounts in Active Directory, and then
using LDAP mechanisms to authenticate against it across several
platforms. AD makes it easy for semi-technical people to manage
accounts, and it's a predictable schema for building LDAP-aware
applications to authenticate against.

-Tim
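The intermediate push server Tim describes (the handset never holds the real mailbox password; a server in the middle does) can be sketched in a few dozen lines. The Python below is an added illustration written for this archive page, not NotifyLink, BES or any code from the thread; `MailServer`, `PushGateway`, the constructed account "alice" and the hypothetical device ids are all assumptions. It shows the two points the message turns on: a stolen device's credential can be revoked on its own without changing the mailbox password, and a mailbox password change that does not also revoke the device tokens leaves mail flowing to the stolen handset, which is the same failure mode Tim warns about for separate email and "other" passwords.

```python
import hashlib
import hmac
import secrets


class MailServer:
    """Constructed stand-in for the real mail server: checks the real mailbox password."""

    def __init__(self):
        self._accounts = {}  # user -> (password, [messages])

    def create_account(self, user, password, messages):
        self._accounts[user] = (password, list(messages))

    def set_password(self, user, new_password):
        _, messages = self._accounts[user]
        self._accounts[user] = (new_password, messages)

    def fetch(self, user, password):
        stored, messages = self._accounts.get(user, (None, []))
        if stored is None or not hmac.compare_digest(stored, password):
            raise PermissionError("mail server rejected credentials")
        return list(messages)


class PushGateway:
    """Hypothetical intermediate push server. It keeps the user's real mailbox
    password (here only, never on the handset) and gives each device an opaque
    per-device token that can be revoked without touching the mailbox password."""

    def __init__(self, mail_server):
        self._mail = mail_server
        self._mail_passwords = {}  # user -> real mailbox password (encrypt at rest in practice)
        self._devices = {}         # (user, device_id) -> sha256(token)

    def enroll_user(self, user, mail_password):
        self._mail_passwords[user] = mail_password

    def register_device(self, user, device_id):
        token = secrets.token_urlsafe(32)
        # Store only a hash so a dump of the gateway's table does not yield usable tokens.
        self._devices[(user, device_id)] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def revoke_device(self, user, device_id):
        self._devices.pop((user, device_id), None)

    def revoke_all_devices(self, user):
        for key in [k for k in self._devices if k[0] == user]:
            del self._devices[key]

    def change_mail_password(self, user, new_password, revoke_devices=True):
        # Failure mode from the thread: a password change that leaves the device's
        # push credential valid keeps mail flowing to a stolen handset.
        self._mail.set_password(user, new_password)
        self._mail_passwords[user] = new_password
        if revoke_devices:
            self.revoke_all_devices(user)

    def fetch_for_device(self, user, device_id, token):
        expected = self._devices.get((user, device_id))
        presented = hashlib.sha256(token.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            raise PermissionError("device token invalid or revoked")
        # Only the gateway ever presents the real password to the mail server.
        return self._mail.fetch(user, self._mail_passwords[user])


def demo():
    """Walk through enrolment, theft, per-device revocation and a password change."""
    mail = MailServer()
    mail.create_account("alice", "Correct-Horse-42", ["msg1", "msg2"])  # constructed sample data
    gw = PushGateway(mail)
    gw.enroll_user("alice", "Correct-Horse-42")
    phone_token = gw.register_device("alice", "phone-1")

    results = {}
    results["before_theft"] = len(gw.fetch_for_device("alice", "phone-1", phone_token))

    # Handset stolen: revoke that device's token; the mailbox password is untouched.
    gw.revoke_device("alice", "phone-1")
    try:
        gw.fetch_for_device("alice", "phone-1", phone_token)
        results["after_revoke"] = "still allowed"
    except PermissionError:
        results["after_revoke"] = "blocked"

    # Replacement handset, then a password change that also cuts off every device.
    new_token = gw.register_device("alice", "phone-2")
    gw.change_mail_password("alice", "Battery-Staple-99")
    try:
        gw.fetch_for_device("alice", "phone-2", new_token)
        results["after_password_change"] = "still allowed"
    except PermissionError:
        results["after_password_change"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is `revoke_devices=True` as the default on `change_mail_password`: if the gateway's password-change path and the device-revocation path are separate procedures, a user who "changed his password" after a theft has not actually stopped the push, exactly the situation the message describes.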
Dustin Puryear wrote:
> Agreed. How often do people tie their VPN into, for example, AD or
> LDAP? And how many people tie their email credentials to, for example,
> AD or LDAP? So if I get your email credentials from your lost
> cellphone or PDA, then I have your VPN credentials..
>
> This really has nothing to do with admins.
>
> ---
> Puryear Information Technology, LLC
> Baton Rouge, LA * 225-706-8414
> http://www.puryear-it.com
>
> Author:
> "Best Practices for Managing Linux and UNIX Servers"
> "Spam Fighting and Email Security in the 21st Century"
>
> Download your free copies:
> http://www.puryear-it.com/publications.htm
>
>
> Wednesday, February 14, 2007, 6:40:32 PM, you wrote:
>
>
>> The admin isn't the only user that has valuable information. I don't
>> think we are talking only about network security, but data security as well.
>>
>
>
>> --mat
>>
>
>
>> Kevin Kreamer wrote:
>>
>>> Dustin Puryear wrote:
>>>
>>>
>>>> What are your thoughts on whether email accounts should be separate
>>>> from normal network accounts? Pros? Cons? Should companies just not
>>>> allow external access to email via POP or IMAP and just require
>>>> Webmail access so users have to manually enter passwords? Does that
>>>> solve the real problem? I'm interested in hearing what everyone has to
>>>> say.
>>>>
>>>>
>>> I'm going to add here the opinion that if your network security relies
>>> on the security of non-admin user passwords, you've already got
>>> problems. Likewise if your admins pick insecure passwords or write them
>>> down in sticky notes.
>>>
>>> Kevin
>>>
>>>
>>> _______________________________________________
>>> General mailing list
>>> General at brlug.net
>>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
>>>
>>>
>>>