University Web Developers

University Web Developers

Hi everyone,
I came across something that startled me today and was wondering what other people's thoughts are on the subject.

I was browsing eduStyle.net and decided to sign up with an account. So, I registered and when I received my 'welcome' email, I was startled to find out that they had included my password I had chosen for the account right there in plain text!!!

Here at the school where I work, we have a policy in our IT department to never give out passwords via email because of the insecure nature of email.

So, I'm just curious, does this bother anyone else when it happens? Or am I being too dramatic?

Views: 24

Reply to This

Replies to This Discussion

I think the challenge only comes with the access that said password gives you.

With that password, can someone get access to nonpublic personal information about you in eduStyle? (E.g. does the system contain account numbers someone else can use to get membership or buy stuff off Amazon?)

If the only access is to internal members-only on the eduStyle.net site, then the only person in trouble is eduStyle.net, where other people can access their members-only content. In this case, eduStyle.net has probably come to the determination that it is better to give passwords by e-mail than to have a human being involved in hundreds of "I forgot my password" transactions.

Of course, I'm sure this doesn't apply to us Web professionals who memorize dozens of passwords and change them monthly, but mere mortals are more apt to share passwords between accounts. This is one more example of why that is a bad idea, as most people who receive passwords plain-text by e-mail would expose more than just the account that sent the plain-text password.

-Steve
I'm with Steve.
I'll be the loner and disagree with both Steve and Susan. *IF* everyone followed good security practices and chose a different user name and password for everything they signed up for, *THEN* I would agree with Steve in that including the password in the email isnt that big of a deal because the information an attacker could gain from eduStyle isnt that great. But, how many people do you know use the same password for EVERYTHING they sign up for? Or they use the same base password and then attach a number to it?

In this day and age, including a user's password in an unprotected format is unacceptable. It simply leaves too big of an opportunity for an attacker to gain access to that user's information, or to the resources that user has access to.

As an example, I recently discovered an open Foxpro database on a fellow higher ed website. This specific database contained user names and unencrypted passwords. Now, the application the database was connected to did not contain any information that would be considered damaging if leaked out. However, as it turned out, many of the user's who had signed up had used the EXACT same user name and password as their university user name and password. Considering this database was open to the internet, anyone else who stumbled upon this information (and it was not hard to find) had immediate access to all university resources these users did, including their personal information.

*NOTE* - yes, I immediately contacted both the developer and the IT department of my find and warned them of the potential damage.

If you sign up at a place that does send your password in plain text, then make sure you have used a user name and password that you have not used anywhere else.
Ok. I recant. :-)
You've brought up great points.
I figured I should pipe up here. My original thinking was that because I don't collect any sensitive data that the potential harm was very low but it might make it easier for people to keep track of the password on yet another site. I think you guys have the reality right and most probably avoid having to remember yet another password by simply using the same one over and over and over again. So although I'm not exposing them to a lot of risk directly, the indirect risk of someone getting access to another site with more sensitive data is pretty high. As a result I have changed the system today so now the welcome email only includes their username and a link directing them to the password retrieval system if they ever need to recover their password. I think this is a definite improvement. Too bad you didn't join eduStyle sooner or I could have fixed this a long time ago ;) Anyway, I really do appreciate the discussion so thanks for raising it Barb.

Stewart from eduStyle
Just saw this article posted at PHYSORG.com and thought it was relevant to the topic:

Most computer users repeat passwords, at their peril

Using the same password for multiple Web pages is the Internet-era equivalent of having the same key for your home, car and bank safe-deposit box.

Even though a universal password is like gold for cyber crooks because they can use it to steal all of a person's sensitive data at once, nearly half the Internet users queried in a new survey said they use just one password for all their online accounts.

Many users repeat passwords so they don't forget them, which shows in another finding that 70 percent of survey respondents in the U.K. said they don't write down their passwords, versus 49 percent in the U.S.

Only seven percent of the respondents said they change their passwords often, use password management software or use a fingerprint reader to access their machines and accounts.

The survey looked at people who used a computer at home, have high-speed Internet access and go online at least twice a week for something other than checking e-mail. The respondents were selected at random and questioned over the telephone. The mean age was 46.

The survey's margin of error was plus or minus 3.5 percent for the total sample and plus or minus 4.9 percent for U.S. and U.K. samples.

RSS

Elsewhere

Latest Activity

Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Even though GDPR has been in effect for over a year, many U.S. colleges and universities are still struggling with how best to implement the rules. We’re here to help. http://bit.ly/2YZZtRQ"
yesterday
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Does your college or university website meet the new WCAG 2.1 accessibility standards? http://bit.ly/2JBXD3s"
Jul 12
Linda Faciana commented on Lynn Zawie's group OmniUpdate
"Join us for our next webcast with Eric Turner from Mt. San Antonio College, who will share easy steps to make your website GDPR compliant. http://bit.ly/2zhdcIt"
Jul 10
Linda Faciana commented on Lynn Zawie's group OmniUpdate
"It is always important to make a good first impression! Join Aaron Blau from Converge Consulting as he covers ways to make your web content attractive to your target audience and create an authentic brand message. http://bit.ly/2zhdcIt"
Jun 19
Jon Shaw posted a discussion

email obfuscation

Anyone using a javascript or php email obfuscation library that is effective for spam defense?See More
Jun 11
Linda Faciana commented on Lynn Zawie's group OmniUpdate
"Join us for our next webcast with Kelly Bostick from University of Arkansas who will provide some great tips on ways to ensure that all of your digital content is accessible. http://bit.ly/2zhdcIt"
Jun 6
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Creating and producing website content is just the tip of the iceberg. In our latest white paper, learn how to manage that content to help your website reach its fullest marketing and recruiting potential. http://bit.ly/30WJ0PW"
May 30
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"A college or university website redesign is the most effective and cost-efficient way to attract and recruit new students. Download our ultimate guide to get started on your redesign today! http://bit.ly/30MmcSQ"
May 28
Cody Bryant is now a member of University Web Developers
May 20
Linda Faciana commented on Lynn Zawie's group OmniUpdate
"Join us for our next webcast with Rachael Frank from Gravity Switch to learn how to organize your content and messaging for a website redesign. http://bit.ly/2zhdcIt"
May 16
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Capitalize on content by creating an editorial calendar for your college or university website. Here’s how: http://bit.ly/2WCauaY"
May 9
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"A soft launch of your website redesign is well worth the extra time. Find out why. http://bit.ly/2LfeigX"
May 2
Linda Faciana posted a blog post

Webcast - Website Redesign | The importance of using content inventories

Join us for our next webcast with Laura Lehman from Eastern Mennonite University to learn how to effectively use Google Sheets during a website redesign and migration! http://bit.ly/2zhdcItSee More
May 1
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"What are characteristics of the best CMS for colleges and universities? Read our guide to find out: http://bit.ly/2Vt519j"
Apr 24
Linda Faciana commented on Lynn Zawie's group OmniUpdate
"Join us for our next webcast with Caroline Roberts from iFactory who will be providing tips on how to improve your SEO by finding and wisely using the keywords and phrases that matter most! http://bit.ly/2zhdcIt"
Apr 18
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"If your college website is not reaching your audience, but still meets most technical and accessibility requirements, there are a number of ways to fine-tune its performance. http://bit.ly/2KO08U8"
Apr 18
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Before you click the launch button on your newly redesigned website, it pays to doublecheck the details: http://bit.ly/2D9v5vr"
Apr 11
Laurie Trow replied to Jessie Groll's discussion Thoughts on "part-time work from home" for a web developer?
"I do work from home a few days a week. Depending where you're located, this would definitely be a perk. I've found plenty of higher ed jobs, but it's not often where working from home is an option. I find this odd since the higher ed…"
Apr 4
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Take a look at these award-winning higher ed digital marketing campaigns to see what’s working for them – and what you can implement to make your school’s digital marketing campaign one of the best. http://bit.ly/2JlzLiq"
Apr 3
Sara Arnold commented on Lynn Zawie's group OmniUpdate
"Do you have a plan in place to ensure your redesigned website is a success? Read our new white paper for the steps needed to successfully launch your website so that it is effective, informative, and gets noticed. http://bit.ly/2HZt73Z"
Mar 29

UWEBD has been in existence for more than 10 years and is the very best email discussion list on the Internet, in any industry, on any topic

About

© 2019   Created by Mark Greenfield.   Powered by

Badges  |  Report an Issue  |  Terms of Service