On Nov 28, 2007, at 10:11 AM, Richard T Houang wrote: > MSU, as owner of MSUnetIDs, should investigate as they are asking > for MSUnetIDs and passwords. It will be very easy for the site to > keep the information. This has been a longstanding issue. So long as we don't filter traffic to/from the KDC/IMAP/POP or any other standard service we provide which authenticates users, leakage is impossible to control. AllMSU.com has been providing services like this for years, which encourage students to provide their MSUNetID and password. I have always discouraged using these types of services for the obvious security reasons, but from a technical perspective, this credential leakage is unmanageable. ./mk -- Matt Kolb <[log in to unmask]> Academic Computing & Network Services Michigan State University