Important Security Information for MySQL Accounts
Use of the MySQL Service requires adherence to policies outlined by both the IT Policy Office and the IU Webmaster. These include but are not limited to:
a) Student UIDs can be used as long as they are NOT social security numbers.
b) To thwart harvesting by spammers, email addresses should be stored so that they are not directly usable as email addresses, either as images or in a textual form that does not resemble an email address. For further information, see the Knowledge Base document, How can I protect my web pages from email address harvesting?
c) You must review all the information released by the University Information Security Office and the University Information Policy Office regarding storage of sensitive, personal or restricted institutional information. If you have any questions regarding policy, please contact the University Information Policy Office.
d) The PHP application and any associated simple data files should be stored in the wwws subdirectory (/ip/account_name/wwws) of your Webserve account, and access to the application should be protected via an .htaccess file (for further information, see Controlling Web Page Access). This ensures that the password used to access the application is encrypted in transit from the browser to the web server and that any data sent to or from the application is also encrypted in transit.
e) No *raw* student data should ever be stored on Webserve or mysql.iu.edu/mysql-test.iu.edu longer than the shortest period required to place it into the database.
f) The login passphrases to the mysql.iu.edu/mysql-test.iu.edu services and to Webserve must be especially robust. For hints on creating secure passphrases, see: http://kb.iu.edu/data/acpu.html#hints
g) The root and other access passwords created within the mysql database itself must also be robust; see f) above.



