New University Password to Massively Compromise Campus Computer Security
by ML (No verified email address)
16 Mar 2004
Modified: 03:33:54 PM
Ironically, the newly required "Enterprise" ID system to be used for Fall class registration at the UI will lead to more security compromises than it will ever solve.
First, let's start with a letter to the editor of the Daily Illini of mine that they refused to publish last fall. Apparently, the DI values the income generated by selling full-page ads, like the one in today's (16 March 2004, page A5) DI reminding students they need another new password, far more than they do acting in the best interests of students. The DI could investigate whether there is any substantial reason for yet another password system at the University. Since there have been no explanations offered for why there exists a need for the "Enterprise" password, this issue cries out for a good piece of investigative journalism to get to the bottom of this mystery. Apparently, the DI prefers to play at being the stenographer to power, merely reprinting University press releases without digging for the truth, while it rakes in ad revenue for administrative propaganda.
Password Proliferation Madness
To the editor,
Friday’s (26 September) DI carried a story on this year’s financial aid fiasco, suggesting that students log onto OSFA’s website to check their accounts and help OSFA straighten out the current billing mess. That would be a good idea, except you’ll end up having to get yet ANOTHER password to do so.
I already have four passwords on-campus and the computer gods have so far been kind enough to let me divide them into two pairs, each with the same password, so I only have to effectively have two passwords. But, NO! OSFA’s server doesn’t think either of those passwords is good enough; I have to get yet another special ENTERPRISE password to use their website.
Guess what? It ain’t gonna happen. I’ll wait until the University can send me a paper bill (if they ever manage to do so) and I’ll be damned if I pay a late fee if it doesn’t arrive giving me a reasonable period of time to pay it.
Most computer password screens (except for Bluestem applications) on this campus give you a generic security screen that doesn’t tell you WHICH password you need to use. So, if I get a third (or fifth, really) password, I may use up, if I type any of the three incorrectly, all my guesses before I get into the system. After three guesses, you’re locked out – time to see the admin. Besides, with only two passwords, it’s either one or the other. Now I know there will be some admin type who’ll say I should be able to figure out which is which, but why should I? No good reason other than petty turf wars in Administration.
I have to ask why OSFA’s new computer system (which isn’t working too well anyway) has to have its own special password? This is contrary to what I remember hearing through the grapevine from the CITES password committee, which is that the university should prevent password proliferation as being confusing, taking up inordinate amounts of Help Desk staff time, and, most of all, resulting in more security problems than it solves because multiple passwords lead people to WRITE THEM DOWN to keep them all straight, resulting in a much greater chance of password compromise.
I don’t always agree with the Governor’s benign neglect of the university, but he is right about one thing – there are way too many administrators wasting the public’s time and money when they have the time to fight turf wars over passwords, instead of using what already works. It’s time to take OSFA’s secure server and put it behind the recognizable and near-universal Bluestem password system. And if this is a taste of what’s coming with the rest of Banner, let’s get this password confusion fixed before the frustration level goes up any further. There is no rational reason not to.
ML
Graduate Student
Department of History
That said, I will note here my conversation with a person at the Financial Aid office about this problem. I mentioned that I was there in person because I was not going to be bothered with getting a fifth campus password. I asked what she did about the problem. "Oh, I have all my passwords written down right here," she said, as she pointed to a notebook lying on the counter in front of her. I wished her luck if she ever lost her notebook or, worse, had it stolen by someone intent on exploiting access to her University accounts. The point I made in the letter that was apparently too hot for the DI to handle was proven. There are already too MANY passwords on campus. Adding another is far more likely to result in security compromises because people are forced to write down their multiple passwords, along with the systems they are for, just to keep them straight. What is worse, there will also be a tendency to write all the passwords down together, leading to the total compromise of ALL a student's accounts if they are lost or stolen.
The amazing thing to me is that all this has happened despite the fact that there is a committee in CITES that was set up precisely to deal with the security problems caused by passwords, including the needless proliferation of multiple passwords. Either their findings are being ignored or the reasonable urgings by them to stem the stupidity of pointless proliferation of passwords are a lower priority than some administrator's turf.
Now we find out that ALL students will be required to get the "Enterprise" password in order to register for fall classes. In spite of the fact that my Bluestem password is currently good enough to register for classes, get drugs from McKinley, check my pay and change my bank account info, do coursework, check the coursework of my students, build tests, and grade them, and order books from libraries across the country...my Bluestem password, reliable as rain in the spring and user-friendly, is just not good enough according to the whim of some administrator who thinks his/her system needs its own _SPECIAL_ "Enterprise" password. All of the above listed activities have far more occasion for invading my privacy or financially impacting me and, thus, potentially causing me a security problem, but all of them can be done effectively and seamlessly under Bluestem. Again, I ask, what's a reasonable or rational justification for "Enterprise"? There is none.
This is most remarkable, on a campus devoted to the use of rational thought and inquiry to solve the problems of humankind, THERE HAS BEEN _NO_ REASON OR EXPLANATION OFFERED AS TO WHY THERE IS ANY NEED FOR YET ANOTHER PASSWORD. Given the security compromises that most students will be forced into by this senseless password proliferation, the reason certainly can NOT be that this effort will result in an increase in the security of the systems that the "Enterprise" password will be needed for.
So the security of ALL student accounts will inevitably be LESS with the introduction of the redundant "Enterprise" password system. Yet, somewhere there is an administrator who has increased his/her turf at the expense of the need for yet more staff to maintain this separate, completely redundant "security" system, more time for the CITES Help Desk to spend straightening out the password problems of students, and more frustration and delays for students doing their work. All of it will be at greater costs, in a time when EVERY penny counts for the University due to reduced funding from the State.
It's clear that there are still far too many administrators on this campus being promoted into their particular level of incompetence.
And it's also clear that there will be less security in the University's computer systems, NOT more, for students as they inevitably write their many passwords down in places subject to compromise.