Re: Unencrypted password security question. at a major university
From: Kent Smith (ksmith@ipsoinc.com)
Date: 04/08/03
- Next message: Alex: "Re: Unencrypted password security question. at a major university"
- Previous message: Ryan: "Unencrypted password security question. at a major university"
- In reply to: Ryan: "Unencrypted password security question. at a major university"
- Next in thread: Alex: "Re: Unencrypted password security question. at a major university"
- Reply: Alex: "Re: Unencrypted password security question. at a major university"
- Reply: Michael Janke: "Re: Unencrypted password security question. at a major university"
From: Kent Smith <ksmith@ipsoinc.com> Date: Mon, 07 Apr 2003 22:42:07 GMT
On 7 Apr 2003 13:18:03 -0700, ryantemp@velophile.com (Ryan) wrote:
>We have several different accounts around campus for different
>reasons, email, class registration, an online class meeting forum, and
>a few others. In the different accounts, we can view all of our
>personal info, SSN, name, address, grades, etc. We use the same user
>name and password for all of these. All the login pages are via the
>web, they are all secure (security lock in mozilla, etc.), except for
>one. One, for a minor forum, we submit our log and pass unencrypted
>across the web.
>Security certainly is not my forte but this seems very dangerous to me
>and I'm just looking for some confirmation that this is indeed a bad
>situation and something I should keep kicking at these people with
>till it gets fixed.
Ryan:
It is bad, but not as bad as you think it is. Yes, the userid and
password are sent in cleartext across the network, but the network is
almost certainly segmented, and may even be fully switched. This
means that it would not be easy for someone to snoop your traffic
unless (1) they were on the same subnet as you were when you were
sending this unencrypted data, (2) were running a packet sniffer, and
(3) the concentrator into which your PC is plugged was a non-switching
one.
Although this is possible, it does limit the chances somewhat.
Bottom line is that if all the other sites are secure, that one should
be also, so yeah, I'd keep harassing them. Sooner or later they will
tighten it up, either because they agree with you or because they
don't want to hear from you anymore.
--Kent
=================================
Kent Smith * IPSO Incorporated
Business * Technology * Solutions
Financial Services and Accounting Systems Consulting
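A check a defender could run over the campus login pages Ryan describes: a small Python script, added here and not part of the thread, that flags any form containing a password field whose submit target does not resolve to https://. The hosts and HTML are constructed samples, and a relative or empty action is resolved against the page's own URL so the http:// forum page is caught even though its form names no action.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Records each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # (action, has_password) per form, in document order
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def cleartext_login_forms(page_url, html):
    """Absolute targets of password forms that would post without TLS.
    A relative or empty action inherits the page's own scheme, so the same
    form is safe on an https:// page and unsafe on an http:// one; an
    https:// page still leaks if its action points explicitly at http://."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    targets = [urljoin(page_url, action) for action, has_pw in scanner.forms if has_pw]
    return [t for t in targets if urlsplit(t).scheme.lower() != "https"]


# Constructed sample pages on hypothetical hosts, standing in for the campus logins.
SAMPLE_PAGES = {
    "https://mail.example.edu/login": '<form action="/auth" method="post"><input name="u"><input type="password" name="p"></form>',
    "https://registrar.example.edu/": '<form action="http://registrar.example.edu/login" method="post"><input type="password" name="pw"></form>',
    "http://forum.example.edu/login.php": '<form method="post"><input name="user"><input type="password" name="pass"></form><form action="/search"><input name="q"></form>',
}


def audit(pages=SAMPLE_PAGES):
    """Map each page URL to its cleartext login targets, keeping only pages with findings."""
    report = {url: cleartext_login_forms(url, html) for url, html in pages.items()}
    return {url: hits for url, hits in report.items() if hits}
```

In practice each entry of `SAMPLE_PAGES` would be replaced by the fetched HTML of a real login page; the registrar sample shows the less obvious case of an https:// page whose form still posts to http://.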