Re: [Nolug] Email passwords are.. special?

From: Joey Kelly <joey_at_joeykelly.net>
Date: Wed, 14 Feb 2007 13:24:03 -0600
Message-ID: <1c0063340702141124v64a24926ndb922a3b70333fab@mail.gmail.com>

On 2/14/07, Dustin Puryear <dustin@puryear-it.com> wrote:
> So, there is always this conflict over whether accounts for email
> (POP3, IMAP) should be tied to your normal account. In most
> situations, companies are trying to consolidate accounts. And
> companies with directories (be it LDAP or AD) definitely see this
> trend continuing. Yet, there is the risk that a compromised email
> password will then compromise the network.

<snip>

This issue scares me, no doubt. Personally I keep a separate username
for all my shell work, and at times I've tried to force clued users on
my boxen to use a reduced-privilege account for their plain-text
transfers, but found that it rarely gets enforced. I use POP3, by the
way, and occasionally have need of FTP for my clients.

Single-sign-on is great, I can really see how that can make life much
easier in the enterprise, but like I said, that scares me. You can
trumpet SSL all you want, but when you add Windows boxen to the mix,
all bets are off IMHO when it comes to security. If you keep
everything behind firewalls, I'm not as concerned, but the moment you
have people typing their LAN password into a form on a public website,
I get very nervous.

-- 
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net
(sent via gmail.com, no GPG signature)
___________________
Nolug mailing list
nolug@nolug.org
Received on 02/14/07
