Archive for May 5th, 2005
For the sake of it
Warning: This post is long overdue.
Months ago, NUS Computer Centre decided to increase security by making our passwords expire every 3 months. This was greeted by groans of frustration from many students over the new hassle of remembering passwords (no, they keep a record of old passwords so they can’t be reused) and by great laughter from the very geekiest of us.
What’s the joke? Quoted is the email sent by the Computer Centre
“Password is the key to your digital assets which must be secured. We all know the use of the same password for a long period of time is prone to compromise. It is, hence, a security requirement for password expiry to be strictly enforced in every 180 days.”
No doubt this is good security practice, but we all know the “prone to compromise” isn’t due to prolonged use of the same password.
1) As any student who does not use IE will realise, a warning will pop up whenever you try to log in to IVLE. If you actually bother to read the warning, it clearly explains “Although the page is encrypted, the information you entered (i.e. your user id and password) is to be sent over an unencrypted connection and can be easily read by a third party.”
Oh no! That’s not good, you exclaim, and being a security-minded person you click on Cancel, but soon find that you cannot login without sending in the clear. So what about that? Well, would you whisper when telling a secret or just speak at a normal volume? You aren’t intentionally letting everyone know and the possibility might be low, but anyone can hear if they intentionally want to.
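The browser warning quoted above fires when an HTTPS page contains a form whose action resolves to a plain http:// URL, so the credentials leave the page unencrypted even though the page itself was fetched over TLS. The following is an added example (not code from the original post) that performs the same check over saved HTML: it parses every form, keeps those with a password field, resolves the action against the page URL, and reports any that would not submit over https. The page URL and HTML are constructed for illustration.

```python
"""Flag login forms on a page that would submit credentials over plain HTTP.

Added example, not code from the original post. The HTML and URLs below
are constructed; the check itself is the same one the browser makes before
showing the "sent over an unencrypted connection" warning.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> with its resolved action and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            action = attrs.get("action") or ""
            self._current = {
                "action": urljoin(self.page_url, action),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_login_forms(html, page_url):
    """Return the resolved action URLs of password forms that do not submit over https."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    insecure = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue                      # no credentials involved, nothing to flag
        if urlsplit(form["action"]).scheme != "https":
            insecure.append(form["action"])
    return insecure


# Constructed sample page standing in for a login page of the kind described.
SAMPLE_PAGE_URL = "https://login.example.invalid/"
SAMPLE_HTML = """
<html><body>
<form action="http://login.example.invalid/auth" method="post">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="auth-secure" method="post">
  <input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action in find_insecure_login_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("credentials would be sent in the clear to:", action)
```

Only the first form is reported: the search form carries no password, and the third form's relative action resolves against the https page URL. The fix on the server side is simply to point the form's action at an https URL (or leave it relative on an https page).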
2) Anyone who has set up a laptop for wireless use in NUS would know about this. Sure, you first have to download the latest Cisco LEAP drivers and then enable LEAP authentication to log in. But after failing to get any traffic after logging in, you soon realise that you have to disable packet encryption in order for it to work. Amazing yah?
This would be like wanting to pass some secret exam answers to a friend and after meeting him at the canteen and checking his IC to make sure you don’t tell the wrong person, you speak very loudly so everyone around you can hear clearly.
Now given points 1 and 2, it would be very easy to intercept and read the information that is being transmitted in the school’s wireless network. So what can you do with someone’s account? Well, not really much damage, you can just read all his mails, check his grades, impersonate him and make him an idiot in the forums, or totally screw up his module registration and drop his core modules. heh.
Well it seems that the school is only interested in putting up a secure front, doing things only midway. With all the computer security issues we read about in the papers highlighting to consumers about security vulnerabilities, it’s ironic that a world class university would take the issue so lightly. Wait, lightly is an understatement, totally ignored I’d say. It’s not that they are unaware or ignorant. We know they know cos we have, being concerned students, informed the school about it. Thus we can only conclude that it’s more likely that they don’t bother.
Then why bother with the password thing? It’s not that hard to figure out. Every man who has gone through NS will be able to tell you. “Wayang loh, for show only.” Well, maybe it’s not as bad as it seems. As Francis said, having a false sense of security is probably worse than blatantly having none at all.