You're assuming someone would be able to hack out an email password from a stolen device. I doubt many devices actually store the passwords in an easy-to-access cleartext sort of way. Usually this will require a brute-force attempt on the device, which would be extremely difficult given the nature of getting data out of a cell phone, for example.
We host email for users that use mobile devices. These devices use specialized software to push the email to them. With the software we use (NotifyLink), the device doesn't even know the true email password of the user. That information is stored on an intermediate server that sits between the real mail server and the user's device to push out that information. I'm pretty sure that the Blackberry Enterprise Server does something similar. I know that the basic Blackberry services that the cell phone providers offer do the same as well.

Even if it is possible to somehow crack those passwords, given enough time, it would also be assumed that the user will notice that he's had a theft, and have been able to change his password as well. This is where it's advantageous to use a single sign-on for all his services. That way he's got a single password to have to change and most likely has an easy way to either do it himself or get administrative assistance in doing it. If we're using separate passwords for email and other services, then the user may not even realize that fact. If he gets an email device stolen, he may change his password for 'other' services, not knowing that his email is still getting to the device. The thief then can potentially read that user's email, or masquerade as him and cause all kinds of damage.

In the case of a VPN client, it's within the policies of many VPN clients to not save passwords, and require the user to enter passwords for every login.

Considering the above, my vote is for a single, well protected, easy to change password for all of a user's activities. This keeps things very simple and makes it possible to enforce password complexity. It's a lot easier for a user to remember one complex password than many. In the event his secret password does get compromised, it's a one-step task to change it.
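The intermediary-server design described above (the push server holds the real mailbox password, the handset never does) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from NotifyLink, BlackBerry Enterprise Server or any poster; the class and method names, the per-device token scheme and the sample user are all constructed assumptions. It shows the property the post relies on: a stolen device is handled by revoking that one device's token, while the mailbox password and the user's other devices are untouched.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example of a "push intermediary" in the style the post describes.
# The real mailbox password stays on the intermediary; each mobile device gets
# its own random token, stored only as a hash. Losing a device then means
# revoking one token, not changing the mailbox password.


def _hash_token(token: str) -> str:
    # Tokens are high-entropy random strings, so a plain SHA-256 is adequate
    # for at-rest storage (a slow password hash is not needed here).
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class MailAccount:
    user: str
    mailbox_password: str  # known only to the intermediary, never to a device
    device_tokens: dict = field(default_factory=dict)  # device_id -> token hash


class PushIntermediary:
    """Hypothetical stand-in for the server between the mail server and devices."""

    def __init__(self):
        self._accounts: dict[str, MailAccount] = {}

    def enroll_user(self, user: str, mailbox_password: str) -> None:
        self._accounts[user] = MailAccount(user, mailbox_password)

    def enroll_device(self, user: str, device_id: str) -> str:
        """Issue a fresh per-device token. Returned once; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self._accounts[user].device_tokens[device_id] = _hash_token(token)
        return token

    def revoke_device(self, user: str, device_id: str) -> bool:
        """Cut off one device (e.g. after a theft) without touching anything else."""
        return self._accounts[user].device_tokens.pop(device_id, None) is not None

    def authenticate_device(self, user: str, device_id: str, token: str) -> bool:
        account = self._accounts.get(user)
        if account is None:
            return False
        stored = account.device_tokens.get(device_id)
        if stored is None:
            return False
        # Constant-time comparison of the stored hash against the presented token.
        return hmac.compare_digest(stored, _hash_token(token))

    def fetch_mail_for_device(self, user: str, device_id: str, token: str):
        """What a push request does: check the device token, then use the
        mailbox password server-side (simulated here) to fetch messages."""
        if not self.authenticate_device(user, device_id, token):
            return None
        return self._fetch_from_mail_server(self._accounts[user])

    @staticmethod
    def _fetch_from_mail_server(account: MailAccount):
        # Placeholder for a real IMAP/POP fetch using account.mailbox_password;
        # returns constructed sample messages so the example runs offline.
        return [f"message for {account.user}"]


def stolen_device_scenario():
    """Walk through the case the post describes: a phone is stolen, the
    mailbox password is unchanged, but access from that phone ends."""
    broker = PushIntermediary()
    broker.enroll_user("alice", "correct horse battery staple")  # constructed
    phone_token = broker.enroll_device("alice", "phone-1")
    laptop_token = broker.enroll_device("alice", "laptop-1")

    before = broker.fetch_mail_for_device("alice", "phone-1", phone_token) is not None
    broker.revoke_device("alice", "phone-1")
    phone_after = broker.fetch_mail_for_device("alice", "phone-1", phone_token) is not None
    laptop_after = broker.fetch_mail_for_device("alice", "laptop-1", laptop_token) is not None
    # The phone never held the mailbox password, so its token is useless
    # against the mail server directly, and worthless after revocation.
    return before, phone_after, laptop_after
```

The design choice worth noting is that revocation is per device rather than per password: the help desk can disable the stolen handset immediately, and the user's mailbox password (which, under the single sign-on the post favours, may also be the VPN and network password) does not have to be rotated just because a phone went missing.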
I've had a lot of success hosting accounts in Active Directory, and then using LDAP mechanisms to authenticate against it across several platforms. AD makes it easy for semi-technical people to manage accounts, and it's a predictable schema for building LDAP-aware applications to authenticate against.

-Tim

Dustin Puryear wrote:
> Agreed. How often do people tie their VPN into, for example, AD or
> LDAP? And how many people tie their email credentials to, for example,
> AD or LDAP? So if I get your email credentials from your lost
> cellphone or PDA, then I have your VPN credentials..
>
> This really has nothing to do with admins.
>
> ---
> Puryear Information Technology, LLC
> Baton Rouge, LA * 225-706-8414
> http://www.puryear-it.com
>
> Author:
> "Best Practices for Managing Linux and UNIX Servers"
> "Spam Fighting and Email Security in the 21st Century"
>
> Download your free copies:
> http://www.puryear-it.com/publications.htm
>
> Wednesday, February 14, 2007, 6:40:32 PM, you wrote:
>
>> The admin isn't the only user that has valuable information. I don't
>> think we are talking only about network security, but data security as well.
>>
>> --mat
>>
>> Kevin Kreamer wrote:
>>> Dustin Puryear wrote:
>>>> What are your thoughts on whether email accounts should be separate
>>>> from normal network accounts? Pros? Cons? Should companies just not
>>>> allow external access to email via POP or IMAP and just require
>>>> Webmail access so users have to manually enter passwords? Does that
>>>> solve the real problem? I'm interested in hearing what everyone has to
>>>> say.
>>>
>>> I'm going to add here the opinion that if your network security relies
>>> on the security of non-admin user passwords, you've already got
>>> problems. Likewise if your admins pick insecure passwords or write them
>>> down in sticky notes.
>>>
>>> Kevin
>>>
>>> _______________________________________________
>>> General mailing list
>>> General at brlug.net
>>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
