UpDate - Vol. 14, No. 31, Page 8
May 11, 1995
TechTalk
The case of the public password

The scenario
     Alicia is in charge of a very busy department with a lot of
traffic in and out of the department's office complex. She decides she
doesn't have time to read her mail. To complicate matters, Alicia's
secretary is on leave for three months, meaning that a variety of
other people will be taking her place.
     "I need you to read my e-mail for me," Alicia tells the first
substitute. "Print out the important messages, and save the rest. My
user name is 'aam' and my password is 'bluehen8'."
     The next day, a different person is acting as her secretary. The
day after that, a third. "This is ridiculous," Alicia says, striding
into the busy outer office. "Write it down and post it on that
bookshelf next to the desk for all of you."
     Two weeks later, Alicia receives an obscene phone call. The next
afternoon, she receives another one. The next day, during a break in a
meeting across campus, she calls the voice mail system to check for
messages. The voice is shrill and urgent: "Those things you said on
our bulletin board this week could really hurt some people's feelings.
Someone in your position really should know better."
     Alicia is stunned, and leaves the meeting early to report the
phone calls to Public Safety. Alicia returns to her office, dodging
people looking at notices posted on her office wallboard, waiting for
appointments with her staff and picking up information about the
programs she administers. But, before she can escape into her private
office, Sheryl, today's replacement secretary, stops her. "It's really
none of my business," Sheryl begins. Alicia asks her to go on. "But,
some of the e-mail you received yesterday and today is, well, pretty
risque." Alicia snatches the stack of print-outs from Sheryl and
storms into her office.
     Alicia is horrified to see that some of the mail includes
quotations from messages she purportedly sent to some public
newsgroups. She slumps into her chair, ashen-faced at some of the
explicit language in the messages, not just the ones she received, but
the ones someone sent in her name.


What you should know....

* First, Alicia should not have shared her password with anyone. And
  to write it down and post it in a public place is asking for
  trouble.
* If you need your staff to assist you with processing your e-mail,
  both UNIX and MVS have ways to accomplish this without sharing your
  password. For further information, consult the tip sheets "Creating
  a Surrogate for Your EMC2 Account" and "Forwarding Your E-mail to
  Another Account." These tip sheets are available online in the WWW
  portion of U-Discover!:
     http://www.udel.edu/eileen/subject/communication/emc2/other-features.html
     http://www.udel.edu/dcannon/subject/forwardemail.html
    Or, from the U-Discover! World Wide Web Home Page, select the
  following hyperlinks: Computing & Technology, Answers to questions,
  MVS, EMC2, EMC2 Additional Features.
    For further information, contact the Help Desk at
  consult@strauss.udel.edu or 831-6000.
* Alicia's incident did not really happen at the University, but the
  following pranks, both set in motion by people not protecting their
  passwords, did happen:
   - A student wrote his UNIX user number and password on the back of
     his ID card. He misplaced his ID card. Within 48 hours, his
     e-mail was overwhelmed with people "flaming" him for allegedly
     posting an illegal pyramid sales scheme to over 50 USENET
     newsgroups (electronic bulletin boards).
   - An administrator decided not to bother with his e-mail account
     and allowed his staff to use it. The password to the account was
     on a piece of paper on a bulletin board behind his secretary's
     desk. A female employee of the University reported receiving
     obscene e-mail from this administrator's account. She was astute
     enough to realize it probably was not from him. The
     investigators' conclusion was that a student saw the password
     when he was in the office and "borrowed" the account for his
     prank.
* Having someone impersonate you on the Internet is bad enough. But,
  if you are careless with your passwords and PINs, someone could
  steal the information your password or PIN is designed to protect.