Mailinglist Archive: opensuse-security (570 mails)
Re: [suse-security] Plaintext passwords IMAP please!
- From: David Fetter <david.fetter@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 14 Jan 2004 08:27:05 -0800
- Message-id: <1074097624.15144.19.camel@xxxxxxxxxxxxxxxxx>
I think that disabling plain text password authentication by default is
a good move for SuSE. If you're still using plain text passwords then
something is wrong. There are very few email clients that don't support
SSL these days. Things like telnet and ftp are obsolete (or should be)
due to SSH and SFTP. Even Cisco ships their IOS with SSH authentication
nowadays. The fact of the matter is that over half of security breaches
are from internal sources, so having a "firewall" isn't the end of
security. If you believe that the data you're securing isn't important
enough to need secure password authentication then perhaps that's
acceptable to your company. To have decent security in place requires a
layered security approach, meaning that you have more than one piece to
secure everything. Setting up SSL is really not that hard, and using it
on the clients usually only requires you to check a box. I would
strongly suggest that you invest the time to use SSL for your email
authentication, but obviously the end decision is based on the cost
difference between doing that versus the risk of losing your data. The
paranoia that SuSE is displaying here is simply derived from basic
modern security principles.
On Wed, 2004-01-14 at 08:07, Peter Hinterseer wrote:
> Note the part about the risk, they must be really paranoid about those
> plaintext passwords.
>
--
David M. Fetter - http://www.fetterconsulting.com/
"The world is full of power and energy and a person can go far by just
skimming off a tiny bit of it." Neal Stephenson - Snow Crash
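The post's point is that an IMAP server should refuse a cleartext password until TLS has been negotiated, and that the client-side part is trivial. The check below is an added example, not code from the post or from SuSE: it parses an IMAP CAPABILITY line (or a greeting carrying one) and reports whether a client could still send its password in the clear, which is the case when LOGINDISABLED is missing or a clear SASL mechanism such as AUTH=PLAIN is advertised before STARTTLS. The sample capability lines and the placeholder host name are constructed; the optional live probe needs network access and is not run offline. Note the caveat that this only judges what the server advertises; a server that lists AUTH=PLAIN pre-TLS but rejects it is still flagged, which is the conservative outcome.

```python
"""Client-side check that an IMAP server will not accept a plaintext
password over an unencrypted connection.

Added example for this thread; not code from the original post or from SuSE.
The capability lines in SAMPLES and the host name used under __main__ are
constructed for illustration.
"""
import imaplib
import ssl

# SASL mechanisms that hand the password over in the clear (or trivially
# decodable) if used before TLS is negotiated.
CLEAR_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line: str) -> set:
    """Turn a CAPABILITY response, or a greeting such as
    '* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready',
    into an upper-cased set of capability tokens."""
    if "[" in line and "]" in line:
        # Greeting form: only the bracketed part lists capabilities.
        line = line[line.index("[") + 1:line.index("]")]
    tokens = [t.upper() for t in line.split()]
    return {t for t in tokens if t not in ("*", "CAPABILITY")}


def plaintext_auth_allowed(caps: set) -> bool:
    """True if a client could send its password in the clear on this
    (pre-TLS) connection.  Per RFC 2595/3501, LOGINDISABLED means the server
    rejects LOGIN until STARTTLS completes; an advertised AUTH=PLAIN or
    AUTH=LOGIN would expose the password just the same."""
    return "LOGINDISABLED" not in caps or bool(caps & CLEAR_MECHS)


def assess(line: str) -> dict:
    """Summarise one capability line: is STARTTLS offered, and can a
    password still cross the wire unencrypted?"""
    caps = parse_capabilities(line)
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_auth_allowed": plaintext_auth_allowed(caps),
    }


def probe_server(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """Connect on the cleartext port and record the server's capabilities
    before and after STARTTLS.  Needs network access, so it is not part of
    the offline demo below."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        before = set(conn.capabilities)
        result = {"before_tls": assess(" ".join(before))}
        if "STARTTLS" in before:
            conn.starttls(ctx)
            # imaplib re-reads CAPABILITY once TLS is up.
            result["after_tls"] = assess(" ".join(conn.capabilities))
        return result
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    # Hardened: LOGIN refused until TLS is up, no clear SASL mechanism offered.
    "hardened": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5",
    # STARTTLS offered, but nothing stops a client from skipping it.
    "optional-tls": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] server ready.",
    # No TLS at all on this port.
    "cleartext-only": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:15} {assess(line)}")
    # Live probe against your own server (placeholder host, not a real one):
    # print(probe_server("imap.example.invalid"))
```

Run it as-is to see the three constructed cases classified; uncomment the last line and substitute your own host to check a real server on port 143. Only the "hardened" shape matches what the post asks for: STARTTLS advertised and plaintext authentication refused until it has been used.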