[unisog] secure authentication

Russell Fulton r.fulton at auckland.ac.nz
Fri May 27 00:22:19 GMT 2005

On Thu, 2005-05-26 at 15:12 -0400, Michael Davis wrote:
> Hello all,
> We're looking into ways of making user credentials more 
> secure.  One topic that came up is that your 
> loginID/username is part of your email.  Does anyone keep 
> them separate.  We have aliases for email but people can 
> also send to uid at temple.edu. I'm curious to see if others 
> are keeping them separate and more anonymous to others.

I have an ongoing argument about this with my manager (Hi Steve ;)
In fact Steve and I reach the same position from opposite directions: he
starts from the premise that login names *are* part of user creds but
that the cost of protecting them in any absolute sense is such that it
outweighs the benefit, so we take simple measures not to advertise
logins.  I start from the premise that logins are essentially public
information but recognise that possession of it by an attacker gives
them a small advantage, so where we can take simple measures to prevent
advertising the data we should do so.

For staff we use aliases which are not the same as login credentials.
The aliases are translated by our central mail system to mailbox at server
(we also do the reverse translation on the way out) and in many cases
mailbox *is* the person's login.  One consequence of this is that
sometimes if mail bounces (e.g. from over quota) it will contain the
translated login name.

Is this a problem?  As Michael Holstein says, only if you believe that
the login name is part of the security credentials.  Unfortunately this
view has become widespread in the community and large amounts of time
and money are expended to try and hide login names.  Also your auditors
will add it as a risk in their reports.

For students we use login at ec.auckland.ac.nz since the administrative
overhead of maintaining 30,000 unique aliases is just too high.

To the original question, should user names and email addresses be the
same, I would say "If you can do it easily and cheaply then go for
it".  Having them different means that you are not *actively*
advertising your login names but don't get sucked into the business of
trying to keep them really secret.


