We've lost the password battle
October 9, 2008
It's been an article of faith, frequently professed to users, that they should never write down their password or otherwise record it. Your users probably profess to follow this, and may even honestly believe that they are.
But find a user with a machine that recently rebooted (this often doesn't take long) and watch what happens next, as the user re-establishes their environment and restarts their applications. Did they get asked for a password when their IMAP-based mail program started, or is it happily fetching mail? How about their CIFS-based shares, did they get asked for that password when they started talking to your Samba server?
Do you use separate user passwords for each of those services?
Almost certainly not. (At least around here, the users would likely lynch us for trying that. And it wouldn't really matter if we used a password for these services that was separate from people's Unix login password; the net effect would be to make even fewer people log in to our Unix servers, with no decrease in an attacker's ability to do damage.)
If you are lucky, your users have some sort of master password that unlocks their machine. If you are really lucky, all of their applications are using a single secure password store, instead of putting together various ad-hoc solutions to the problem (or just storing passwords in barely encrypted form and ignoring the issue).
(By the way, try not to think too much about the effects of having your webmail system. You'll sleep better.)