Storing TUM passwords in apps and third-party provider services

Storing eduroam access data in smartphones, e-mail retrieval services, third-party apps for organizing your course of study... Time and again, you receive notifications from TUM warning you about the risks of sharing TUM access data, or that sharing it is not permitted at all.

This article explains the reasons for these notifications, describes how TUM defines the sharing of access data and provides information about where you must use caution.

What constitutes password sharing?

In order for third-party services and apps to access the data they need, TUM users have to share their ID and password with these providers.

For this reason, relaying the TUM password to external providers is in principle not permitted. Refer to §4.3.3.a of the User Guidelines for IT Systems at TUM.

How do I know if I'm allowed to store my password somewhere?

The difficulty for the user is trying to determine in which situation passwords may be stored in apps or third-party services. Here are a few guidelines:

  • With apps, you have to check whether the access data is only stored locally (and encrypted there) and make sure that the provider cannot read the password or relay it to its own servers. Known apps:
    • Outlook app: Microsoft stores the access data on its own servers.
    • UniNow: Although the access data is encrypted and stored locally, UniNow has to decrypt the password and send it to the UniNow servers in order to retrieve the data (status as of Sep 2016).
  • Never store your TUM access data with an external web service.
  • Do not rely on providers such as GMX (GMX Mail Collector) or Gmail (Gmail Mail Fetcher) to retrieve your TUM e-mails. Such retrieval services are prohibited.
    (see Dos & Don'ts - E-mail retrieval services)
  • Saving the password in a browser or e-mail program is permitted, since the information is typically stored locally. We nevertheless recommend that you keep the following things in mind:
    • If possible, configure a master password for access to the browser or e-mail program.
    • Make sure that the computer or mobile device is configured with a screen lock.

Why is password sharing prohibited?

Anyone with access to this data can also use it to do harm. Here are just a few examples of what someone can do with the access data belonging to a TUM student:

  • Register for or cancel an examination
  • Access personal data of other TUM members that is only available after logging in to TUMonline
  • Download software that is available to students at a discount, or even free
  • Download e-books available through the university libraries
  • Research fee-based databases through the university library
  • Use the eduroam WiFi network (offered by many universities around the world)
  • Use the Munich Research Network (MWN) VPN access
  • ...

These examples illustrate that many other systems and services can be affected beyond the three obvious ones (TUMonline, e-mail server, library server). The TUM access data can furthermore be used to log in to several hundred IT services operated by the DFN association and eduGAIN using Shibboleth authentication.

That means TUM has an obligation to numerous institutions to make sure that only authorized users actually utilize these services. To do this, TUM not only undertakes various technical and organizational measures, but must also pass this obligation on to its users, who in turn are required to prevent their own ID and password from being used for other purposes, to the extent this is possible. One way is to keep the password secret.