[unisog] secure authentication

PaulFM paulfm at me.umn.edu
Fri May 27 01:12:36 GMT 2005

When I set up my first mail-server, this was one of the things we did.  It 
wasn't as much for user security - as it was for professional looking e-mail 
addresses (we used Lastname.{FI}{MI}.@ for the addresses - I believe the 
company is still using that format).  Anyway, we did not allow user names to 
be used as e-mail addresses (also cut down spam).

Russell Fulton wrote:

> On Thu, 2005-05-26 at 15:12 -0400, Michael Davis wrote:
>>Hello all,
>>We're looking into ways of making user credentials more 
>>secure.  One topic that came up is that your 
>>loginID/username is part of your email.  Does anyone keep 
>>them seperate.  We have aliases for email but people can 
>>also send to uid at temple.edu. I'm curious to see if others 
>>are keeping them seperate and more anonymous to others.
> I have an ongoing argument about this with my manager (Hi Steve ;)
> In fact Steve and I reach the same position from opposite directions: he
> starts from the premise that login names *are* part of user creds but
> that the cost of protecting them in any absolute sense is such that it
> outweighs the benefit, so we take simple measures not to advertise
> logins.  I start from the premise that logins are essentially public
> information but recognise that possession of it by an attacker gives
> them a small advantage, so where we can take simple measures to prevent
> advertising the data we should do so.
>
> For staff we use aliases which are not the same as login credentials.
> The aliases are translated by our central mail system to mailbox at server
> (we also do the reverse translation on the way out) and in many cases
> mailbox *is* the person's login.  One consequence of this is that
> sometimes if mail bounces (eg from over quota) it will contain the
> translated login name.
>
> Is this a problem?  As Michael Holstein says, only if you believe that
> the login name is part of the security credentials.  Unfortunately this
> view has become widespread in the community and large amounts of time
> and money are expended to try and hide login names.  Also your auditors
> will add it as a risk in their reports.
>
> For students we use login at ec.auckland.ac.nz since the administrative
> overhead of maintaining 30,000 unique aliases is just too high.
>
> To the original question, should user names and email addresses be the
> same, I would say "If you can do it easily and cheaply then go for
> it".  Having them different means that you are not *actively*
> advertising your login names, but don't get sucked into the business of
> trying to keep them really secret.
>
> Russell.

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
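The alias scheme Russell describes (public aliases translated to mailbox at server on the way in, the reverse translation on the way out, and bounces that can carry the translated login name) is easy to sketch in code. The block below is an added example, not code from the unisog thread or from any of the mail systems mentioned in it; the domains, the Lastname.{FI}{MI}-style aliases, the login names and the bounce text are all constructed. It also applies Paul's rule that a bare login is not accepted as an address from outside, and shows how the reverse translation can be applied to bounce text so the login does not leave the site.

```python
"""Bidirectional alias <-> mailbox translation with bounce redaction.

Added example (not from the thread or any site in it). Models:
  * inbound:  public alias -> internal mailbox@server
  * outbound: internal mailbox@server -> public alias
  * redaction of internal mailboxes in free text such as a bounce body,
    which is where Russell notes the translated login otherwise leaks.
All addresses below are constructed sample data.
"""
import re

# Constructed alias table: public address -> internal login mailbox.
# Alias style follows Paul's Lastname.{FI}{MI} convention; domains are
# hypothetical.
ALIAS_TO_MAILBOX = {
    "Smith.JQ@example.edu": "jqs0042@mail.example.edu",
    "Doe.A@example.edu": "adoe@mail.example.edu",
}


def _norm(addr):
    """Normalise for lookup: trim and lower-case the whole address."""
    return addr.strip().lower()


# Lower-cased lookup tables in both directions.
_ALIAS_LOOKUP = {_norm(a): m for a, m in ALIAS_TO_MAILBOX.items()}
_MAILBOX_LOOKUP = {_norm(m): a for a, m in ALIAS_TO_MAILBOX.items()}

# Simple e-mail address matcher for scanning free text (good enough for
# bounce bodies; not a full RFC 5322 parser).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def inbound(addr):
    """Alias -> mailbox on the way in.

    Returns None for anything not in the alias table, including a bare
    login@server arriving from outside, so login names are not usable
    as e-mail addresses (Paul's rule).
    """
    return _ALIAS_LOOKUP.get(_norm(addr))


def outbound(addr):
    """Mailbox -> alias on the way out; unknown addresses pass through."""
    return _MAILBOX_LOOKUP.get(_norm(addr), addr)


def redact_logins(text):
    """Rewrite every internal mailbox found in free text to its alias.

    Returns (rewritten_text, number_of_substitutions). Addresses that are
    not internal mailboxes are left untouched.
    """
    count = 0

    def repl(match):
        nonlocal count
        alias = _MAILBOX_LOOKUP.get(_norm(match.group(0)))
        if alias is None:
            return match.group(0)
        count += 1
        return alias

    return ADDR_RE.sub(repl, text), count


# Constructed over-quota bounce: the translated login appears twice.
SAMPLE_BOUNCE = (
    "This is the mail system at host mail.example.edu.\n"
    "<jqs0042@mail.example.edu>: Mailbox is over quota\n"
    "Final-Recipient: rfc822; jqs0042@mail.example.edu\n"
    "Original-Sender: friend@elsewhere.org\n"
)


def demo():
    """Run the three translations on the constructed data."""
    mbox = inbound("smith.jq@example.edu")          # alias accepted
    rejected = inbound("jqs0042@mail.example.edu")  # bare login refused
    alias = outbound("jqs0042@mail.example.edu")    # reverse translation
    body, n = redact_logins(SAMPLE_BOUNCE)          # bounce scrubbed
    return mbox, rejected, alias, body, n


if __name__ == "__main__":
    mbox, rejected, alias, body, n = demo()
    print("inbound  :", mbox)
    print("rejected :", rejected)
    print("outbound :", alias)
    print(f"bounce after {n} substitution(s):\n{body}")
```

The lookup is case-insensitive on purpose: SMTP local parts are technically case-sensitive, but a site that exposes only aliases usually wants `Smith.JQ` and `smith.jq` to reach the same mailbox. Scanning bounce bodies with a regex is a pragmatic backstop, not a substitute for configuring the MTA to report the alias in the first place.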
