
Re: [suse-security] Plaintext passwords IMAP please!

I think that disabling plain text password authentication by default is
a good move for SuSE.  If you're still using plain text passwords then
something is wrong.  There are very few email clients that don't support
SSL these days.  Things like telnet and ftp are obsolete (or should be)
due to SSH and SFTP.  Even Cisco ships their IOS with ssh authentication
nowadays.  The fact of the matter is that over half of security breaches
are from internal sources, so having a "firewall" isn't the end of
security.  If you believe that the data you're securing isn't important
enough to need secure password authentication then perhaps that's
acceptable to your company.  To have decent security in place requires a
layered security approach, meaning that you have more than one piece to
secure everything.  Setting up SSL is really not that hard, and using it
on the clients usually only requires you to check a box.  I would
strongly suggest that you invest the time to use SSL for your email
authentication, but obviously the end decision is based on the cost
difference between doing that versus the risk of losing your data.  The
paranoia that SuSE is displaying here is simply derived from basic
modern security principles.

On Wed, 2004-01-14 at 08:07, Peter Hinterseer wrote:
> Note the part about the risk, they must be really paranoid about those
> plaintext passwords.

David M. Fetter - http://www.fetterconsulting.com/
"The world is full of power and energy and a person can go far by just
skimming off a tiny bit of it." Neal Stephenson - Snow Crash
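The practical check behind the argument above is whether an IMAP server still accepts cleartext credentials before TLS is negotiated. The following is an added example, not code from the original post or from SuSE: it classifies a server's pre-TLS CAPABILITY response (RFC 3501 LOGINDISABLED, RFC 2595 STARTTLS, AUTH=PLAIN/AUTH=LOGIN) and includes an optional live probe via Python's standard imaplib. The three sample capability strings and the host names in the usage comment are constructed for illustration.

```python
"""Check whether an IMAP server allows cleartext logins before TLS.

Added example for the "plaintext passwords IMAP" thread; not the original
poster's code.  The sample CAPABILITY strings below are constructed, not
captured from any real server.
"""
import imaplib

# Constructed pre-TLS CAPABILITY lists, as a server would answer on port 143
# before any STARTTLS.
SAMPLE_CAPABILITIES = {
    # Cleartext LOGIN and AUTH=PLAIN usable on the clear channel: the default
    # the thread says SuSE is right to turn off.
    "legacy": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE NAMESPACE",
    # STARTTLS offered, but the server still takes a cleartext LOGIN first.
    "mixed": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN IDLE",
    # Cleartext credentials refused until the channel is encrypted.
    "hardened": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE",
}

# SASL mechanisms that send the password in the clear (or trivially encoded).
CLEARTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(cap_line):
    """Return the upper-cased set of capability tokens, dropping the
    untagged '* CAPABILITY' prefix if present."""
    tokens = [tok.upper() for tok in cap_line.split()]
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return set(tokens)


def offers_starttls(cap_line):
    """True if the server advertises STARTTLS on the cleartext port."""
    return "STARTTLS" in parse_capabilities(cap_line)


def classify_pre_tls(cap_line):
    """Classify what credentials the server will accept before TLS.

    "plaintext-allowed"  : LOGIN is not disabled, or a cleartext SASL
                           mechanism is advertised, so a client can send a
                           password over the unencrypted channel.
    "plaintext-disabled" : LOGINDISABLED is set and no cleartext SASL
                           mechanism is offered; the client must STARTTLS
                           (or use the implicit-TLS port) before logging in.
    """
    caps = parse_capabilities(cap_line)
    login_refused = "LOGINDISABLED" in caps
    cleartext_sasl = bool(caps & CLEARTEXT_SASL)
    if login_refused and not cleartext_sasl:
        return "plaintext-disabled"
    return "plaintext-allowed"


def assess(cap_line):
    """One-line verdict combining the two checks above."""
    state = classify_pre_tls(cap_line)
    if state == "plaintext-disabled":
        return "ok: cleartext login refused before TLS"
    if offers_starttls(cap_line):
        return "weak: STARTTLS available but cleartext login still accepted"
    return "bad: no STARTTLS and cleartext login accepted"


def probe_server(host, port=143, timeout=10):
    """Fetch the live pre-TLS CAPABILITY line from a server on the cleartext
    IMAP port.  Needs network access; the offline samples above stand in for
    it here.  (Does not cover implicit-TLS servers on port 993, which never
    expose a cleartext channel.)"""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        _typ, data = conn.capability()
        return data[0].decode("ascii", "replace")
    finally:
        conn.logout()


if __name__ == "__main__":
    for name, caps in SAMPLE_CAPABILITIES.items():
        print(f"{name:9s} {assess(caps)}")
    # Live use (hypothetical host name):
    #   print(assess(probe_server("imap.example.com")))
```

A server that only scores "ok" here can still be misconfigured elsewhere (weak certificates, no TLS on POP3 or SMTP AUTH), so treat this as one layer of the check, in the spirit of the layered approach the post describes.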
