Flaws uncovered in university log-in system
A flaw in the Warwick IT services log-in system may leave students vulnerable to cyber attack.
Warwick Web sign-on, which is used to access emails and take part in activities on the Students’ Union website, and which is central to a host of other internet services pivotal to university life, has a password malfunction which weakens protection from external intrusion.
Whereas usual secure log-in systems treat the password as case sensitive, Web sign-on accepts a password regardless of whether its letters are typed in upper or lower case. Thus students whose passwords mix both cases gain no extra security on the network, increasing the danger of intrusion. The malfunction could conceivably give undesired external elements easier access to a host of sensitive materials, and in turn do significant damage to students’ personal and professional lives.
The problem came into existence after the implementation of the new live.edu accounts, which are now used throughout the University to log in to online facilities. Web sign-on gives access to my.warwick, which contains students’ personal information, including financial information that could have devastating consequences in the wrong hands. Concerns over this security problem were raised with the I.T. department over two weeks ago, but they will not be changing the system until next year.
“The University is aware that passwords are case-insensitive when signing in to web services. Until very recently, this has been a limitation of the systems used to store and validate passwords. However, those systems have now been updated to support case sensitivity, and we expect to enable this during 2011. We think it’s important to provide a substantial period of notice about this change so that users who may not be aware that their password is actually mixed case have plenty of time to reset their password. For that reason we’re currently planning to announce the change in January 2011 and activate it at some point later in the year,” said Peter Dunn, University Press Officer.
“We don’t believe that the current case insensitivity represents a material security risk because passwords which are appropriately long and comply with other best practice recommendations … are still very secure with or without mixed case,” he added.
Attempts at electronic security breaches in universities are fairly commonplace, and so account security is paramount in order to safeguard students’ information. A first year Maths and Physics student described himself as “perplexed” that nothing had been done to fix the log-in system, and an exchange student based in the Politics department expressed concern that his “account details are not sufficiently protected by the university’s electronic system”.
Somewhat ironically, the I.T. Services information security webpage encourages students to pick passwords that use a mixture of upper and lower case letters, even though mixed case has no effect with the current log-in mechanism.
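The case-insensitive behaviour described above, and the password-length argument in the University's statement, can be put in numbers with a short added example that is not the University's code. It assumes the system lowercases passwords before hashing (the article does not say how the comparison is implemented) and a letters-and-digits alphabet; all function names are hypothetical.

```python
import hashlib
import hmac
import math
import os

# Constructed policy figures: letters and digits only.
CASE_SENSITIVE_ALPHABET = 62   # a-z, A-Z, 0-9
CASE_FOLDED_ALPHABET = 36      # a-z, 0-9 once case is ignored


def _derive(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def enroll(password: str, fold_case: bool) -> tuple[bytes, bytes]:
    """Store a salted hash; fold_case=True models the case-insensitive behaviour."""
    salt = os.urandom(16)
    return salt, _derive(password.lower() if fold_case else password, salt)


def verify(attempt: str, record: tuple[bytes, bytes], fold_case: bool) -> bool:
    salt, digest = record
    candidate = attempt.lower() if fold_case else attempt
    return hmac.compare_digest(_derive(candidate, salt), digest)


def accepted_variants(password: str) -> int:
    """How many distinct typed strings a case-folding verifier accepts."""
    cased = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** cased


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = "CorrectHorse7"  # constructed sample password
    print("folded accepts lowercase:", verify(pw.lower(), enroll(pw, True), True))
    print("strict accepts lowercase:", verify(pw.lower(), enroll(pw, False), False))
    print("accepted case variants:", accepted_variants(pw))
    for n in (8, 12, 16):
        strict = keyspace_bits(n, CASE_SENSITIVE_ALPHABET)
        folded = keyspace_bits(n, CASE_FOLDED_ALPHABET)
        print(f"length {n}: {strict:.1f} bits strict, {folded:.1f} bits folded")
```

Under these assumptions, ignoring case costs about 0.78 bits per character, so a random 12-character case-insensitive password (about 62 bits) still has a larger search space than a random 8-character case-sensitive one (about 47.6 bits).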