  1. #1

    RM Easymail - bad password storage policy

    RM are enforcing a new password policy for schools unfortunate enough to still be using easymail. Today, they emailed all users whose passwords don't meet their minimum standard.

    That's all well and good (and sensible, given some of the passwords our users use), but how do RM know whose password doesn't meet their standard? They must either store passwords using a reversible encryption method, or be storing plaintext. I thought both were a bad idea - come on RM, it's not that hard to do it properly these days!

  2. #2

    It might not work like that. When I access our Google Apps for Education admin page the system lists how secure a password is with a colour, so if a user has used some of the recommended security settings in their password they will get an amber colour etc. I can then mail those users or click reset password.

  3. #3

    Quote Originally Posted by edutech4schools View Post
    It might not work like that. When I access our Google Apps for Education admin page the system lists how secure a password is with a colour, so if a user has used some of the recommended security settings in their password they will get an amber colour etc. I can then mail those users or click reset password.
    That sounds like the password is checked when it's created and a measure of its security is stored at that point. The RM one is more like 'we have a problem with hackerz using our smtp servers. Oh, look, lots of our passwords are insecure.'. It's a fairly old system.
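
Added example (not part of the original thread, and not RM's or Google's code): a sketch of the approach described in post #3, where a password is rated while the plaintext is briefly available, at set time or at the next successful login, and only a salted one-way hash plus a coarse rating is stored. The policy threshold, colour names, word list and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
MIN_LENGTH = 10       # hypothetical policy threshold
COMMON = {"password", "letmein", "qwerty123", "easymail"}  # constructed list


def rate_password(password):
    """Coarse red/amber/green rating, computed while the plaintext is in memory."""
    if password.lower() in COMMON or len(password) < MIN_LENGTH:
        return "red"
    kinds = sum(any(f(c) for c in password)
                for f in (str.islower, str.isupper, str.isdigit))
    kinds += any(not c.isalnum() for c in password)
    return "green" if len(password) >= 16 or kinds >= 3 else "amber"


def derive_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(db, user, password):
    """Store salt, one-way hash and rating; the plaintext itself is never stored."""
    salt = os.urandom(16)
    db[user] = {"salt": salt, "hash": derive_hash(password, salt),
                "rating": rate_password(password)}


def verify_login(db, user, password):
    """On a successful login, refresh the rating so accounts that predate the
    policy get rated without any reversible storage."""
    rec = db.get(user)
    if rec is None:
        return False
    ok = hmac.compare_digest(rec["hash"], derive_hash(password, rec["salt"]))
    if ok:
        rec["rating"] = rate_password(password)
    return ok


def users_to_notify(db):
    """Accounts rated below policy, i.e. the recipients of the warning e-mail."""
    return sorted(u for u, r in db.items() if r.get("rating") in ("red", "amber"))
```

A stored rating tells anyone who obtains the database which accounts are weakest, so it should stay coarse and be protected like the hashes themselves.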

  4. #4

    witch
    I have two schools on easymail and am yet to receive any such email
    Has anyone else got one?
    I've just spoken to them and yes, it is indeed true

    I've spent 4 months getting everyone's emails to migrate to Office 365 but the boss hasn't yet switched it on.
    So now I am going to have to get all 55 staff members' new passwords
    Oh Joy
    Last edited by witch; 18th June 2014 at 01:28 PM.

  5. #5
    mpe
    Quote Originally Posted by mats View Post
    That sounds like the password is checked when it's created and a measure of its security is stored at that point. The RM one is more like 'we have a problem with hackerz using our smtp servers. Oh, look, lots of our passwords are insecure.'. It's a fairly old system.
    The most obvious issue with the "easy"mail system is the lack of encryption on the webmail, IMAP and SMTP auth they are using.
    Ideally they should be using non CA signed certs for IMAPS(993) and SUBMISSION(587) since CA signed certs are considerably more vulnerable to undetectable MitM. (Very few apps will flag a change of cert if both are signed by a CA, even a different CA. Just about all of them will if a non CA signed cert changes for ANY reason.)

  6. #6

    Quote Originally Posted by witch View Post
    I have two schools on easymail and am yet to receive any such email
    Has anyone else got one?
    I've just spoken to them and yes, it is indeed true

    I've spent 4 months getting everyone's emails to migrate to Office 365 but the boss hasn't yet switched it on.
    So now I am going to have to get all 55 staff members' new passwords
    Oh Joy
    I think that you only get the email if your password is too weak - you might be lucky.

  7. #7

    @mpe - it does have the feel of an old system ready for retirement (see also smartcache) so I'm not expecting updates any time soon. Devs too busy on Neon I reckon.

  8. #8

    witch
    Quote Originally Posted by mats View Post
    I think that you only get the email if your password is too weak - you might be lucky.
    Unfortunately by their spec my password is too weak

  9. #9
    mpe
    Quote Originally Posted by witch View Post
    Unfortunately by their spec my password is too weak
    Wonder if they have ever seen xkcd: Password Strength

  10. #10
    OB1
    Quote Originally Posted by mpe View Post
    Wonder if they have ever seen xkcd: Password Strength
    Or Bruce Schneier's take.
