Posted on 02-08-2016 04:52 PM
I just encountered something that raises a high degree of alarm with me.
I found that a client's mail hosting company captures and stores user passwords. They claim to do so for the sake of troubleshooting user accounts.
Is this common? This vendor talks as though this is a non-issue and not a big deal. I'm wanting to make the case to the powers that be that this is a huge security issue. But before I wind up with egg on my face I want to hit up some of you for a reality check.
Is it unreasonable for me to be so alarmed over this?
Thank you.
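The provider's justification is that it needs stored passwords to troubleshoot accounts. As an added example, not code from this thread or from the provider, here is what a verify-only credential store looks like in Python: the helpdesk can still confirm whether the password a user is typing matches what is on file, and an audit pass can flag any account whose record is a plaintext value rather than a hash. The record format, the function names and the sample users and passwords are constructed assumptions for illustration.

```python
"""Verify-only credential storage: enough to troubleshoot a login without
ever keeping the user's password. Added example, not the provider's code.
All user names and passwords below are constructed sample data."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SCHEME = "scrypt"
SALT_LEN = 16
# Work factor: 2**14 * 8 * 128 bytes = 16 MiB per hash; tune for your hardware.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record: scheme$salt$digest (both base64)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DKLEN)
    return "$".join([SCHEME,
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def is_hashed_record(record: str) -> bool:
    """True only if the record parses as scheme$salt$digest with the expected sizes."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != SCHEME:
        return False
    try:
        salt = base64.b64decode(parts[1], validate=True)
        digest = base64.b64decode(parts[2], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(salt) == SALT_LEN and len(digest) == DKLEN


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not is_hashed_record(record):
        return False
    _, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(candidate, expected)


def troubleshoot_login(store: dict[str, str], username: str, attempted: str) -> str:
    """Helpdesk check: is the user's problem a wrong password or something else?
    Answers the support question without anyone ever seeing the stored secret."""
    record = store.get(username)
    if record is None:
        return "unknown-user"
    if not is_hashed_record(record):
        return "record-not-hashed"  # should never happen; surface it rather than hide it
    return "ok" if verify_password(attempted, record) else "wrong-password"


def audit_store(store: dict[str, str]) -> list[str]:
    """Return users whose stored credential is not a verify-only hash record,
    i.e. the kind of plaintext capture this thread is about."""
    return sorted(user for user, rec in store.items() if not is_hashed_record(rec))


def build_sample_store() -> dict[str, str]:
    """Constructed sample data: two properly stored users and one plaintext leftover."""
    return {
        "alice@example.com": hash_password("correct horse battery staple"),
        "bob@example.com": hash_password("hunter2-but-longer"),
        "legacy@example.com": "Summer2015!",  # plaintext, as a 'troubleshooting' store holds it
    }


if __name__ == "__main__":
    store = build_sample_store()
    print(troubleshoot_login(store, "alice@example.com", "correct horse battery staple"))
    print(troubleshoot_login(store, "alice@example.com", "wrong"))
    print("plaintext records:", audit_store(store))
```

The point of the `troubleshoot_login` function is that every support question the vendor could reasonably ask ("is this user typing the right password?") is answerable from the hash alone; `audit_store` is the check to run against a credential table you have been handed to see whether it contains anything that is not a hash record.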
Solved!
Posted on 02-08-2016 05:44 PM
It's reasonable to be mad at them @gskibum.
Posted on 02-08-2016 06:36 PM
I remember years ago we ran Eudora Mail Server. My manager used to drag a clipping from a file (forget which) to the desktop of the OS 9 server, and there he had all users' passwords.
This got him fired. Just sayin'.
Posted on 02-09-2016 05:43 AM
I'd request mailbox access logs tied back to IP address to ensure that nobody there accessed your data, have your lawyers issue a C&D, or else they'll consider contacting law enforcement to see about potential criminal action (the Computer Fraud and Abuse Act comes to mind), and promptly spin everyone's passwords.
If that doesn't sufficiently scare the ever loving shit out of them, change providers promptly.
Posted on 02-08-2016 08:44 PM
Yeah I'm miffed. I spent almost a full day doing troubleshooting they should have been doing themselves. Then I came to realize that they have captured & stored everyone's passwords! Tomorrow is going to be entertaining to say the least.
They were probably assuming I'm some dumb Mac guy. Or should I say dumb MAC guy. ;-)