[unisog] secure authentication

PaulFM paulfm at me.umn.edu
Fri May 27 01:12:36 GMT 2005


When I set up my first mail server, this was one of the things we did.  It 
wasn't as much for user security as for professional-looking e-mail 
addresses (we used Lastname.{FI}{MI}.@ for the addresses - I believe the 
company is still using that format).  Anyway, we did not allow user names to 
be used as e-mail addresses (it also cut down on spam).



Russell Fulton wrote:

> On Thu, 2005-05-26 at 15:12 -0400, Michael Davis wrote:
> 
>>Hello all,
>>We're looking into ways of making user credentials more 
>>secure.  One topic that came up is that your 
>>loginID/username is part of your email.  Does anyone keep 
>>them separate?  We have aliases for email but people can 
>>also send to uid at temple.edu. I'm curious to see if others 
>>are keeping them separate and more anonymous to others.
> 
> 
> I have an ongoing argument about this with my manager (Hi Steve ;)
> In fact Steve and I reach the same position from opposite directions: he
> starts from the premise that login names *are* part of user creds but
> that the cost of protecting them in any absolute sense is such that it
> outweighs the benefit, so we take simple measures not to advertise
> logins.  I start from the premise that logins are essentially public
> information but recognise that possession of it by an attacker gives
> them a small advantage, so where we can take simple measures to prevent
> advertising the data we should do so.
> 
> For staff we use aliases which are not the same as login credentials.
> The aliases are translated by our central mail system to mailbox at server
> (we also do the reverse translation on the way out) and in many cases
> mailbox *is* the person's login.  One consequence of this is that
> sometimes if mail bounces (e.g. from over quota) it will contain the
> translated login name.
> 
> Is this a problem?  As Michael Holstein says, only if you believe that
> the login name is part of the security credentials.  Unfortunately this
> view has become widespread in the community and large amounts of time
> and money are expended to try and hide login names.  Also your auditors
> will add it as a risk in their reports.
> 
> For students we use login at ec.auckland.ac.nz since the administrative
> overhead of maintaining 30,000 unique aliases is just too high.
> 
> To the original question, should user names and email addresses be the
> same, I would say "If you can do it easily and cheaply then go for
> it".  Having them different means that you are not *actively*
> advertising your login names, but don't get sucked into the business of
> trying to keep them really secret.
> 
> Russell.
> 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
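As an added illustration of the alias translation Russell describes above (not code from this thread, nor from the University of Auckland's or Temple's mail systems): a small Python model of a central relay that maps public aliases to internal mailboxes on the way in and back again on the way out, plus a check for the failure mode he mentions, a bounce that still quotes the translated login name. The alias table, host names and the bounce message are all constructed for the example.

```python
import re
from email import message_from_string

# Constructed alias table (not any site's real data): public alias -> internal
# mailbox at the mail store, which here, as in the thread, is the login name.
ALIASES = {
    "jane.smith@example.edu": "jsmith01@mailhost.example.edu",
    "bob.jones@example.edu": "bjones42@mailhost.example.edu",
}
REVERSE = {mailbox: alias for alias, mailbox in ALIASES.items()}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]*\w")

def translate(text, table):
    """Replace every address in text that appears in table; leave the rest."""
    return ADDR_RE.sub(lambda m: table.get(m.group(0).lower(), m.group(0)), text)

def rewrite(raw, table, headers, body=False):
    """Apply table to the named headers (and optionally a single-part body)."""
    msg = message_from_string(raw)
    for hdr in headers:
        if msg[hdr] is not None:
            msg.replace_header(hdr, translate(msg[hdr], table))
    if body and not msg.is_multipart():
        msg.set_payload(translate(msg.get_payload(), table))
    return msg.as_string()

def inbound(raw):
    """Alias -> mailbox on recipient headers, as the central relay would."""
    return rewrite(raw, ALIASES, ("To", "Cc"))

def outbound(raw):
    """Mailbox -> alias on the way out.  The body is rewritten too, because a
    bounce (e.g. over quota) quotes the failed recipient's internal mailbox."""
    return rewrite(raw, REVERSE, ("From", "To", "Cc", "Reply-To"), body=True)

def leaked_logins(raw):
    """Check: internal mailbox (login) addresses still visible anywhere in raw."""
    return sorted({a for a in ADDR_RE.findall(raw) if a.lower() in REVERSE})

# Constructed bounce as the mail store would generate it, before translation.
BOUNCE = """From: MAILER-DAEMON@mailhost.example.edu
To: bjones42@mailhost.example.edu
Subject: Undelivered Mail Returned to Sender

<jsmith01@mailhost.example.edu>: mailbox full (over quota)
"""

if __name__ == "__main__":
    print(leaked_logins(BOUNCE))            # both logins exposed
    print(leaked_logins(outbound(BOUNCE)))  # [] once the relay rewrites the body
```

Rewriting only the headers, as a relay that handles just envelope and address headers would, leaves the login inside the bounce text, which is exactly the leak described in the thread.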

