[brlug-general] Email passwords are.. special?
Dustin Puryear
dustin at puryear-it.com
Thu Feb 15 12:25:42 CST 2007
I think you're being a tad optimistic about the state of security for
PDAs and cells:
http://www.pointsec.com/news/newsreleases/release.cfm?PressId=44
http://www.net-security.org/article.php?id=533
---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author:
"Best Practices for Managing Linux and UNIX Servers"
"Spam Fighting and Email Security in the 21st Century"
Download your free copies:
http://www.puryear-it.com/publications.htm
Thursday, February 15, 2007, 11:47:44 AM, you wrote:
> You're assuming someone would be able to hack out an email password from
> a stolen device. I doubt many devices actually store the passwords in an
> easy-to-access cleartext sort of way. Usually this will require a
> brute-force attempt on the device, which would be extremely difficult
> given the nature of getting data out of a cell phone, for example.
> We host email for users that use mobile devices. These devices use
> specialized software to push the email to them. With the software we use
> (NotifyLink), the device doesn't even know the true email password of
> the user. That information is stored on an intermediate server that sits
> between the real mail server and the user's device to push out that
> information. I'm pretty sure that the Blackberry Enterprise Server does
> something similar. I know that the basic Blackberry services that the
> cell phone providers offer do the same as well.
> Even if it is possible to somehow crack those passwords, given enough
> time, it would also be assumed that the user will notice that he's had a
> theft, and have been able to change his password as well. This is where
> it's advantageous to use a single sign-on for all his services. That way
> he's got a single password to have to change and most likely has an easy
> way to either do it himself or get administrative assistance in doing it.
> If we're using separate passwords for email and other services, then the
> user may not even realize that fact. If he gets an email device stolen,
> he may change his password for 'other' services, not knowing that his
> email is still getting to the device. The thief then can potentially
> read that user's email, or masquerade as him and cause all kinds of damage.
> In the case of a VPN client, it's within the policies of many VPN
> clients to not save passwords, and require the user to enter passwords
> for every login.
> Considering the above, my vote is for a single, well protected, easy to
> change password for all of a user's activities. This keeps things very
> simple and makes it possible to enforce password complexity. It's a lot
> easier for a user to remember one complex password than many. In the
> event his secret password does get compromised, it's a one-step task to
> change it.
> I've had a lot of success hosting accounts in Active Directory, and then
> using LDAP mechanisms to authenticate against it across several
> platforms. AD makes it easy for semi-technical people to manage
> accounts, and it's a predictable schema for building LDAP-aware
> applications to authenticate against.
> -Tim
> Dustin Puryear wrote:
>> Agreed. How often do people tie their VPN into, for example, AD or
>> LDAP? And how many people tie their email credentials to, for example,
>> AD or LDAP? So if I get your email credentials from your lost
>> cellphone or PDA, then I have your VPN credentials..
>>
>> This really has nothing to do with admins.
>>
>> ---
>> Puryear Information Technology, LLC
>> Baton Rouge, LA * 225-706-8414
>> http://www.puryear-it.com
>>
>> Author:
>> "Best Practices for Managing Linux and UNIX Servers"
>> "Spam Fighting and Email Security in the 21st Century"
>>
>> Download your free copies:
>> http://www.puryear-it.com/publications.htm
>>
>>
>> Wednesday, February 14, 2007, 6:40:32 PM, you wrote:
>>
>>> The admin isn't the only user that has valuable information. I don't
>>> think we are talking only about network security, but data security as well.
>>>
>>> --mat
>>>
>>> Kevin Kreamer wrote:
>>>> Dustin Puryear wrote:
>>>>
>>>>> What are your thoughts on whether email accounts should be separate
>>>>> from normal network accounts? Pros? Cons? Should companies just not
>>>>> allow external access to email via POP or IMAP and just require
>>>>> Webmail access so users have to manually enter passwords? Does that
>>>>> solve the real problem? I'm interested in hearing what everyone has to
>>>>> say.
>>>>>
>>>> I'm going to add here the opinion that if your network security relies
>>>> on the security of non-admin user passwords, you've already got
>>>> problems. Likewise if your admins pick insecure passwords or write them
>>>> down in sticky notes.
>>>>
>>>> Kevin
>>>>
>>>> _______________________________________________
>>>> General mailing list
>>>> General at brlug.net
>>>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
>>>>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
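The design Tim describes in the quoted reply (the device never learns the user's real mail or directory password; an intermediate server holds it and the device presents something that can be cut off on its own) is the same idea as per-device tokens that are revocable independently of the single sign-on password. The sketch below is an added illustration written for this thread, not code from NotifyLink, BlackBerry Enterprise Server or any product mentioned; the `Broker` class, user name and token format are constructed for the example. It shows that a token lifted from a stolen device is useless as the directory password, and that revoking the device does not force a password change.

```python
"""Credential broker sketch (illustrative, not any vendor's implementation).

The broker is the only place that holds the user's directory (AD/LDAP)
password hash. Each mobile device is enrolled once, against that password,
and afterwards authenticates with its own random token. Losing the device
exposes the token, not the password, and the token can be revoked alone.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    pw_salt: bytes                       # salt for the directory password hash
    pw_hash: bytes                       # PBKDF2 of the directory password
    devices: dict = field(default_factory=dict)  # device_id -> sha256(token)


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Slow hash for the human-chosen password; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _token_hash(token: str) -> bytes:
    # Tokens are 256-bit random strings, so a plain SHA-256 suffices at rest.
    return hashlib.sha256(token.encode()).digest()


class Broker:
    """Stands in for the intermediate push server between mail server and device."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _pw_hash(password, salt))

    def check_directory_password(self, name: str, password: str) -> bool:
        """What the real mail server / directory would verify."""
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(_pw_hash(password, user.pw_salt), user.pw_hash)

    def enroll_device(self, name: str, password: str, device_id: str) -> str:
        """One-time enrollment: the password is proven here and never sent to
        the device; the device receives a fresh random token instead."""
        if not self.check_directory_password(name, password):
            raise PermissionError("directory password rejected")
        token = secrets.token_urlsafe(32)
        self.users[name].devices[device_id] = _token_hash(token)
        return token  # delivered to the device once, stored only as a hash here

    def authenticate_device(self, device_id: str, token: str):
        """Per-sync check; returns the user name on success, None otherwise."""
        presented = _token_hash(token)
        for user in self.users.values():
            stored = user.devices.get(device_id)
            if stored is not None and hmac.compare_digest(stored, presented):
                return user.name
        return None

    def revoke_device(self, name: str, device_id: str) -> bool:
        """Cut off one lost device without touching the directory password."""
        user = self.users.get(name)
        if user is None:
            return False
        return user.devices.pop(device_id, None) is not None


def lost_device_scenario() -> dict:
    """Walk through enrollment, theft, revocation; returns the observable facts."""
    broker = Broker()
    broker.add_user("tim", "CorrectHorse!9")            # constructed sample user
    token = broker.enroll_device("tim", "CorrectHorse!9", "pda-1")
    return {
        "device_syncs": broker.authenticate_device("pda-1", token) == "tim",
        # The thief reads the token off the device; it is not the AD password.
        "token_is_password": broker.check_directory_password("tim", token),
        "revoked": broker.revoke_device("tim", "pda-1"),
        "device_syncs_after_revoke": broker.authenticate_device("pda-1", token),
        # The user's single sign-on password is unchanged and still valid.
        "password_still_valid": broker.check_directory_password("tim", "CorrectHorse!9"),
    }


if __name__ == "__main__":
    for key, value in lost_device_scenario().items():
        print(f"{key}: {value}")
```

The point of the walk-through is the one Tim makes: with this layout the user's single password does not have to be rotated because a phone went missing, and the only credential on the phone is one the help desk can revoke by itself.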