Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-02 Thread jonathan berger
This is a TERRIBLE idea. A mildly sophisticated user—say, someone who knows how to plug in a printer, or use the print preview—can wreak havoc. There's some great security stuff at Schneier's blog: http://www.schneier.com/blog/ On Tue, Jun 30, 2009 at 5:47 AM, Matthew Green dcartfi...@gmail.com

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-02 Thread Brian
I have to agree with Nils on this one. I used to work at a college as well, and rules are changing and continue to as far as how things get stored, but the most important information like SS# and personal password should never even be stored in a db without encryption. It isn't even about identity

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-02 Thread Benjamin Ho
My 2 cents: Matthew wrote: website: a user management system for secure student data. Clients are a little paranoid about passwords and user names getting out. *** If that's the case, make sure the site has the best security. Masking passwords or making them viewable only by printing won't

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-02 Thread William Brall
FYI md5 is totally cracked. It can be broken in a matter of seconds these days. Try other forms of 1 way encryption. Salt heavily. If you are really paranoid, encrypt twice in two different ways. But a good strong atypical one way encryption should be good enough. Even md5 should be enough if you

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-02 Thread Scott McDaniel
William's response made me think: it might be worth seeing if you could budget a few hours from a security specialist to give a professional opinion. Even if your boss still regards it as "just, like, your opinion, man", it may be an angle to get a viewpoint from someone he/she will see as an

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-02 Thread Mike B.
It sounds like a student comes to a customer-service type person and asks to have their password reset, and they are handed a print-out of the new password. In general, I think you are right, users expect that what is printed is what is shown on the screen. That's why lots of websites have a link

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-01 Thread Oliver Reichenstein
Printing out a password is the most absurd security measure for password protection--unless you have the power to force the user to chew and swallow the paper sheet... ;-) Posted from the new ixda.org

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-01 Thread Rajesh Sundaram
Unless the password is printed out on a pre-sealed, 1+1 copy paper (the kind of post-card like paper that most credit card companies use to send you the passwords), it is totally non-secure. - Rajesh On Wed, Jul 1, 2009 at 4:44 AM, Oliver Reichenstein o...@mac.com wrote: Printing out a

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-01 Thread live
Totally and completely absurd. Print? A password? I'm laughing at the thought. On Jun 30, 2009, at 9:47 AM, Matthew Green wrote: Hello, Someone I work for has a strange enhancement request which I do not agree with, but this person is the boss. I think in my gut, this is wrong.

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-01 Thread Niklas Mortensen
I wholeheartedly agree with Joshua. His approach is ultimately best for the users and also saves lots of admin resources (cold hard cash in client-speak). Posted from the new ixda.org http://www.ixda.org/discuss?post=43289

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-07-01 Thread Nils Clark-Bernhard
I wouldn't even store plain text passwords in the DB, normally they are md5-encrypted so nobody can read them. They should never be shown, printed or emailed plaintext to anybody, not even to the administrator. If the student data need to be secure, make them secure. Joshua is definitely right.

[IxDA Discuss] Looking for data to refute crazy client

2009-06-30 Thread Matthew Green
Hello, Someone I work for has a strange enhancement request which I do not agree with, but this person is the boss. I think in my gut, this is wrong. *website:* a user management system for secure student data. Clients are a little paranoid about passwords and user names getting out.

Re: [IxDA Discuss] Looking for data to refute crazy client

2009-06-30 Thread Joshua Muskovitz
The system should programmatically choose a new temporary password and should send it to the user, with a note reminding them to change it immediately. The administrators should not have direct access to the temporary or user-selected passwords. Functions that the administrators are able to
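The three technical points raised in this thread (William: salt the one-way hash; Nils: never store, show, print or e-mail a plaintext password, not even to the administrator; Joshua: let the system generate a temporary password, deliver it to the user and force a change) fit in one small credential store. The following Python is an added example written for this page, not code from any poster or from the system Matthew describes; the class and function names, the PBKDF2 iteration count and the "return the temporary password once for delivery" convention are this example's own assumptions. It also shows, alongside the salted store, why Nils's unsalted MD5 is the weak form: two users with the same password get the same digest.

```python
"""Added example (not from the IxDA thread): a credential store that never
keeps or reveals a plaintext password, plus the admin-triggered reset flow.
All names and parameters are assumptions made for this illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumption: iteration count chosen so the example runs quickly; raise it for production.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def weak_md5(password: str) -> str:
    """The unsalted MD5 scheme Nils mentions: equal passwords give equal digests,
    so one cracked digest (or a precomputed table) unlocks every matching account."""
    return hashlib.md5(password.encode()).hexdigest()


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Record:
    salt: bytes
    digest: bytes
    must_change: bool = False


class CredentialStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def set_password(self, user: str, password: str, must_change: bool = False) -> None:
        # Fresh random salt per password: same password, different digest per user.
        salt = os.urandom(SALT_BYTES)
        self._records[user] = Record(salt, derive(password, salt), must_change)

    def verify(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            # Do an equivalent amount of work so unknown users are not cheaper to probe.
            derive(password, b"\x00" * SALT_BYTES)
            return False
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(rec.digest, derive(password, rec.salt))

    def admin_reset(self, user: str) -> str:
        """Joshua's flow: the system picks the temporary password, stores only its
        hash, flags the account for a forced change, and returns the plaintext exactly
        once so the caller can deliver it to the user. Assumption: the caller is the
        delivery channel (e.g. mail-out), never the admin's screen or printer."""
        if user not in self._records:
            raise KeyError(user)
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp, must_change=True)
        return temp

    def must_change(self, user: str) -> bool:
        return self._records[user].must_change

    def change_password(self, user: str, old: str, new: str) -> bool:
        """The user proves the current (or temporary) password before setting a new one."""
        if not self.verify(user, old):
            return False
        self.set_password(user, new, must_change=False)
        return True

    def admin_view(self, user: str) -> dict:
        """Everything an administrator can see about a credential: no plaintext exists."""
        rec = self._records[user]
        return {"salt": rec.salt.hex(), "digest": rec.digest.hex(),
                "must_change": rec.must_change}


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "correct horse")
    store.set_password("bob", "correct horse")
    print("md5 collides across users:", weak_md5("correct horse") == weak_md5("correct horse"))
    print("salted digests differ:",
          store.admin_view("alice")["digest"] != store.admin_view("bob")["digest"])
    temp = store.admin_reset("alice")       # deliver `temp` to alice, not to the admin
    print("old password rejected:", not store.verify("alice", "correct horse"))
    print("temporary password accepted:", store.verify("alice", temp))
    print("forced change pending:", store.must_change("alice"))
```

The record the administrator (or a print-out) could ever expose is `admin_view`: a salt and a PBKDF2 digest, which is all the database holds. A reset therefore cannot hand anyone the user's chosen password; it can only replace it with a system-generated temporary one that the user must change on first use.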