
Re: [SAGE] Email passwords are.. special?
Brad,

How did you handle this at AOL?

On Feb 14, 2007, at 8:03 PM, Brad Knowles wrote:

> At 10:11 AM -0600 2/14/07, Dustin Puryear wrote:
>
>> Now, let's assume that the communication channel is encrypted with
>> SSL. That should just be a given.
>
> Unless you can guarantee that SSLv2 and earlier cannot possibly be
> used, then even using SSL is not secure -- MITM attacks can still
> be performed.
>
>> But we still have the issue of
>> people having passwords stored on their phones, laptops, home
>> computers, etc., for their email. I know I've had several phones lost
>> in the past few years. None had my network information, but that could
>> have been there.
>
> As Mark Bergman pointed out, don't forget about the web browsers
> that have been configured to auto-remember all passwords.  Or any
> other kind of situation where one of your users might use an
> external computer belonging to a different person or organization
> -- with possible keyloggers, etc....
>
>> What are your thoughts on whether email accounts should be separate
>> from normal network accounts? Pros? Cons? Should companies just not
>> allow external access to email via POP or IMAP and just require
>> Webmail access so users have to manually enter passwords? Does that
>> solve the real problem? I'm interested in hearing what everyone has to
>> say.
>
> If your management really cares about this sort of thing but you
> still have to provide external access, then use a two-factor
> authentication system such as SecurID, or somesuch.  But then you
> have to deal with the problem of what happens when someone loses
> their token/calculator, or the battery dies, or whatever.
>
>
> If your management doesn't care that much, then you could make one
> set of passwords for e-mail only, but you could just as easily
> ensure that no one can get into any kind of shell account from the
> outside, so that loss of a password would just give someone else
> access to e-mail for that account (although that does have certain
> risks).
>
> Either way, you should make sure you have processes in place to
> handle rapidly changing all potentially affected passwords if need
> be.  And you will need IDS systems to make sure that the same
> account isn't logging in simultaneously from different places, or
> is used in one place at Time-A, and used in a radically different
> place at Time-A+epsilon, for sufficiently small epsilon.
>
>
> If your management was really paranoid, you wouldn't be allowed to
> provide any kind of external access at all, and therefore this
> wouldn't be a problem.
>
> -- 
> Brad Knowles <brad@shub-internet.org>, Consultant & Author
> LinkedIn Profile: <http://tinyurl.com/y8kpxu>
> Slides from Invited Talks: <http://tinyurl.com/tj6q4>
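Brad's point about an IDS flagging one account used at Time-A in one place and at Time-A+epsilon in a radically different place is what is now usually called an impossible-travel check. The Python below is an added illustration for this thread, not code from any poster; it assumes each mail login record already carries the latitude/longitude the source address geolocated to, uses constructed sample records, and treats 1000 km/h as the assumed plausibility ceiling.

```python
import math
from datetime import datetime

# Constructed sample login records (not from the thread):
# ISO timestamp, account, geolocated latitude and longitude of the source.
SAMPLE_LOGINS = [
    ("2007-02-14T10:00:00", "dustin", 30.45, -91.19),  # Baton Rouge
    ("2007-02-14T10:20:00", "dustin", 30.45, -91.19),  # same place, fine
    ("2007-02-14T10:25:00", "dustin", 52.52, 13.40),   # Berlin, 5 min later
    ("2007-02-14T11:00:00", "brad", 30.27, -97.74),    # Austin
    ("2007-02-14T15:00:00", "brad", 29.76, -95.37),    # Houston, 4 h later
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed
MIN_KM = 50.0               # assumption: ignore geolocation jitter below this

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_KM):
    """Return (account, previous_ts, ts, km, kmh) for each pair of consecutive
    logins by the same account whose implied speed exceeds max_kmh.
    Two logins at the same instant from distant places (Brad's 'simultaneous'
    case) are reported with an infinite speed."""
    last = {}     # account -> (datetime, lat, lon) of its most recent login
    alerts = []
    for ts, user, lat, lon in sorted(logins, key=lambda r: r[0]):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600.0
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                kmh = float("inf") if hours == 0 else round(km / hours)
                alerts.append((user, pt.isoformat(), ts, round(km), kmh))
        last[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

The Austin-to-Houston pair four hours apart stays quiet, while the Baton Rouge-to-Berlin pair five minutes apart is reported; the plausibility threshold and the jitter floor are the knobs a real deployment would tune against its own false-positive rate.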