As of tomorrow, the School of Arts and Sciences Computing office will require all mail.sas users who do not access their e-mail directly through Webmail to use a more secure password.
This move is part of a larger scale, university-wide effort called the Critical Host Security Policy, which seeks to ensure the continued information security of PennNet systems users.
The main security threat with current SAS Webmail passwords is that they are sent unencrypted, or "in the clear." When an unencrypted password travels over the SAS Webmail network, it is vulnerable to interception by a third party.
According to the SAS Computing Web site, with an unencrypted password, "Some unscrupulous individual could 'listen in' on your session over the network and easily determine your password, which they could use to access your account."
Students whose e-mails are forwarded to another account from Webmail do not have to worry about handling password encryption. Those who access SAS Webmail directly are also not required to take any measures.
Students who use the Windows mail clients Eudora, Netscape Messenger and Outlook, or the Mac clients Eudora, Entourage, Apple Mail, Netscape and Outlook Express, are subject to individual requirements depending on the type and version of their software.
The specified actions for each type can be found on the SAS Computing Web site.
Two protocols are used to encrypt a SAS password, Secure Sockets Layer and Kerberos, and the appropriate choice depends on the e-mail client.
SSL encrypts all data passing between the client and the server. Kerberos ensures that a user's password is never actually transmitted across the network. Both greatly reduce the risk that a hacker can capture e-mail passwords.
According to Builder.com, an information technology online news source, "There's no absolutely safe place in which critical data like a password can be stored."
"Under normal conditions, having the password stored as plain text [as opposed to encrypted] is not a problem. However, if a critical attack occurs, your password will be there, ready to be stolen."
RSA Security, an IT security company, sells encryption kits which include SSL protocol components. The company's Web site promises that SSL delivers "protection against eavesdropping, tampering and forgery."
SSL "provides a secure communications channel between two points -- server authentication and client authentication," the site says.
For increased e-mail information security, SAS Computing urges students to be aware of e-mail schemes and forged e-mails, to change passwords frequently and to avoid using e-mail for confidential matters.