DrexelOne
As a college-bound student, I’ll be going to Drexel University in the fall. One of the first steps for anyone who has enrolled in a school is to set up a school email address.
Schools usually associate this email address with their portal, which is generally a horribly designed union of school news and student services,
such as applying for housing or signing up for a meal plan. Drexel’s has a lot of room for improvement.
The first problem happens as soon as I load the site: I get one of those “browser not supported!” pages. On Windows, they recommend using Firefox 1.5.0.1 or 1.0.7. I’m using 3.0b5 (edit: according to other people I’ve talked to, this page doesn’t show for newer stable builds of Firefox). I don’t get why they’re doing user-agent checking in the first place (the only things they’re worried about lack of support for are Java, JavaScript, and cookies), but why they’re checking for specific versions of a browser is even more of a mystery. If they supported all three back in Firefox 1, why wouldn’t they support them in Firefox 3? At least there’s a link at the bottom to continue.
On a similar note, requiring JavaScript, Java and cookies to be enabled worries me. There are legitimate reasons for disabling any or all of those three. They can all be exploited for malicious purposes. Drexel’s website is not one I’d expect to do something malicious to my computer, but if it were ever compromised, users would be very vulnerable. I know people who browse with JavaScript disabled, and I’m sure it wouldn’t take much asking around to find people who disable Java or cookies as well.
Turn off JavaScript or cookies and the site won’t let you in—probably because they use JavaScript for all their navigational links. I tried going in with Java disabled and the site told me that it’s not needed, but strongly recommended.
I’ve been browsing around for a bit but haven’t found anything that’s worse off for lack of Java. Oh well.
Once I actually got in, I wanted to change my default password, which was eight random characters, or so I assume. Oddly, I couldn’t find the account settings link, which the help pages assured me was there. I searched the source. It wasn’t. Luckily there’s a separate page for managing all my accounts on their servers, which is wholly unnecessary. I had to set up the password recovery wizard, which helps me recover my password if I ever forget it. The site asked me to specify a question which it would ask me if I ever called up the wizard, and if I answered it correctly it would reset my password to one which I’d specified when I set up the wizard. This has one giant flaw: what if I don’t remember the password that I specify? The best way would be to change my password to a randomly-generated one which is emailed to a different email address. I don’t understand why they’ve decided to forgo the system that works so successfully for so many other sites out there, including sites for entities like banks, which require far more security.
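To make the alternative concrete, here is the out-of-band reset flow in code. This is an example I wrote for this post, not DrexelOne’s code, and everything in it (the `ResetService` class, the stub mailer, the sample username `abc12` and recovery address) is invented. Instead of a recovery password chosen weeks in advance, the site generates a random single-use token, stores only a hash of it, mails the token to a separate address, and lets the user choose the new password only after presenting the token within a short window.

```python
"""Token-based password reset, as an alternative to a pre-chosen recovery
password. Illustrative code written for this post, not DrexelOne's code.
ResetService and send-by-mail are invented; the mailer just records messages."""
import hashlib
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime limits the window if the mailbox leaks


@dataclass
class PendingReset:
    username: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    clock: float = 0.0                                  # injectable time, so tests can advance it
    outbox: list = field(default_factory=list)          # stub mailer: (address, body)
    pending: dict = field(default_factory=dict)         # sha256(token) -> PendingReset
    passwords: dict = field(default_factory=dict)       # username -> password (demo only; a real
                                                        # system stores a password hash)

    @staticmethod
    def _hash(token: str) -> bytes:
        # Only the hash is stored, so a copy of this table yields no usable token.
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, username: str, recovery_address: str) -> str:
        """Mint a 256-bit random token and mail it to the recovery address.
        Nothing about the future password is decided here."""
        token = secrets.token_urlsafe(32)               # CSPRNG, not random.random()
        self.pending[self._hash(token)] = PendingReset(username, self.clock + TOKEN_TTL_SECONDS)
        self.outbox.append((recovery_address, f"Reset token: {token}"))
        return token  # returned only so the demo below can replay it

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token. It must exist, be unexpired and unused; the user
        picks the new password now, so there is nothing old to forget."""
        entry = self.pending.get(self._hash(token))
        if entry is None or entry.used or self.clock > entry.expires_at:
            return False
        entry.used = True                               # single use: a replayed token fails
        self.passwords[entry.username] = new_password
        return True


def demo() -> dict:
    """Exercise the flow with constructed sample data and return the outcomes."""
    svc = ResetService(clock=1_000_000.0)
    token = svc.request_reset("abc12", "personal@example.com")
    first = svc.complete_reset(token, "correct horse battery staple")
    replay = svc.complete_reset(token, "attacker-chosen")           # same token again
    late = svc.request_reset("abc12", "personal@example.com")
    svc.clock += TOKEN_TTL_SECONDS + 1                              # let it expire
    expired = svc.complete_reset(late, "too late")
    forged = svc.complete_reset(secrets.token_urlsafe(32), "guess")  # never issued
    return {"first": first, "replay": replay, "expired": expired, "forged": forged,
            "password": svc.passwords.get("abc12"), "mails_sent": len(svc.outbox)}


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are that the token is unguessable (256 bits from `secrets`) and that it is worthless after one use or fifteen minutes, so a forgotten recovery password is never part of the design.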
The next thing I tried to do was change my password. My initial attempt failed, because, according to the site, my password was too long. Passwords must be between six and eight characters in length. The security implications of this are staggering. For one, it vastly reduces the amount of work an intruder has to do to brute-force a password: an eight-character cap puts a hard ceiling on the search space no matter how carefully the password is chosen. Perhaps this is the reason that account names are students’ initials and a pair of random numbers, and if it is the reason, it’s a bad one, as security through obscurity is a proven bad technique.
I’m not sure which operating system is on the server they use to manage accounts, but if it’s Windows, the short length of the passwords is an even greater concern. Windows (by default, on the versions in use at the time) stores an LM hash alongside the NT hash for any password of fourteen characters or fewer. There are two large security flaws present here: first, that the password is padded to fourteen characters and split into two seven-character pieces which are hashed separately, so the eighth character of an eight-character password stands alone in its half and can be recovered almost instantly; and second, that all characters are converted to uppercase before hashing (a more detailed description of the flaws of LM hashes can be found here). If you are reading this and you have a DrexelOne account, I strongly urge you to create an eight-character password, the longest allowed by the system.
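The two previous paragraphs make claims about search space and about LM, so here is a worked example that puts numbers on both. It is code I wrote for this post, not anything from Drexel, and I have no knowledge of what their account server actually runs; the alphabet sizes (95 printable ASCII characters, 69 after case folding) are my assumptions. `lm_des_keys` performs the documented LM preprocessing (uppercase, pad with NULs to 14 bytes, split into two 7-byte halves, expand each half into a 64-bit DES key) and stops short of the final DES encryption of the fixed constant, so it needs no crypto library; the weaknesses being demonstrated live entirely in that preprocessing.

```python
"""Brute-force cost of a six-to-eight-character policy, with and without LM.
Written for this post as an illustration; not DrexelOne's code. The DES
encryption step of LM is omitted on purpose: the case folding and the
7-byte split are what make the hash weak, and they are fully shown here."""

ALPHABET = 95       # printable ASCII (assumption for the comparison)
LM_ALPHABET = 69    # printable ASCII after case folding: 95 minus 26 lowercase letters


def _expand_56_to_64(half: bytes) -> bytes:
    """Spread 7 key bytes over 8 bytes, 7 bits each, with an odd parity bit in
    the low position (DES ignores parity, so leaving it at 0 hashes the same)."""
    bits = int.from_bytes(half, "big")          # 56 bits
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)


def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """LM preprocessing: uppercase, pad/truncate to 14 bytes, split into two
    halves that become independent DES keys. (Real LM uses the OEM code page;
    ASCII with replacement is close enough for this demonstration.)"""
    p = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return _expand_56_to_64(p[:7]), _expand_56_to_64(p[7:])


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Candidates an exhaustive search must try against a hash that covers
    the whole password, for every length the policy permits."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def lm_work(length: int) -> int:
    """Worst-case DES evaluations to recover an LM-hashed password of the given
    length when each half is attacked on its own. A half holding k real
    characters (the rest NUL padding) costs 69**k; an empty half costs one
    evaluation, since its hash is a known constant."""
    first = min(length, 7)
    second = max(length - 7, 0)
    return LM_ALPHABET ** first + LM_ALPHABET ** second


if __name__ == "__main__":
    # Case folding: these two passwords produce identical DES keys.
    print(lm_des_keys("Password") == lm_des_keys("PASSWORD"))
    # Independent halves: only the eighth character lands in the second half.
    print(lm_des_keys("abcdefgH")[1] == lm_des_keys("zyxwvutH")[1])
    print(f"policy keyspace (6-8 chars, 95 symbols): {keyspace(ALPHABET, 6, 8):.3g}")
    print(f"LM worst case for 8 chars:                 {lm_work(8):.3g}")
```

Running it shows that, against an LM hash, an eight-character password costs the attacker about 69 to the seventh power plus 69 guesses, several hundred times less than the 6-to-8-character keyspace would suggest even before any dictionary or rainbow-table shortcuts, and that the eighth character is recovered in at most 69 guesses.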
I’ve had my account for probably a day and a half now. Hopefully this is the worst of it. We’ll find out in time.
Update: Drexel runs UNIX on at least one of their servers. They also give students a very, very nice thing: shell access! As dissatisfied as I am with DrexelOne and their accounts system in general, I have to give them a lot of credit for this one—I haven’t heard (although I may easily be mistaken) of a single other school that does this. Either way, I’ve already set up PuTTY for it, and I’ve started doing something with the webspace they gave me. Props to Drexel for an awesome feature!