[plug] ISPs storing plain-text passwords...

Jonathon Bates batesy at batesy.ii.net
Mon Aug 6 20:19:46 WST 2001


> I have just found out that my ISP stores my password in plain-text on
> their systems and that it is available for their support staff to see
> whenever they look at my account records... They tell me this is common
> practice with ISPs so that their support staff can tell their clients
> what their password is in the case where the client forgets it...
>
> I contend that this is a major security hole... one that I should have
> been told about when I signed up... I know there are a number of support
> staff from ISPs on this list and was wondering whether it is true that
> this is common practice...? Also I thought I might alert you to the
> possibility of this practice... cos if one ISP is doing it I wouldn't
> like to guess how many others might be... *sigh*
>
> There is no reason why anyone other than myself should ever need to know
> what my password is... and I (stupidly it seems) assumed that this is
> how it was...
>
> I am currently in the process of trying to get my ISP to remove my
> password from all plain-text data on their system and once that is done
> I will be changing my password...

I'm sorry but I tend to differ. I worked at iiNet for 2 years, I could
access anyone's password whenever I felt like it (including MM's). However
in the 2 years I was there, there was NO abuse of this system. I like the
idea of support staff being able to access a client's password, as it makes
troubleshooting so much easier (perhaps a stint on a support desk might
change your mind).
All access to the accounting server was logged, and MM used to say anyone
doing bad things would be not only dismissed but charged.

Personally I trust ISP staff (esp considering I was one of them) and as
such have no issue with them seeing my password!

Cheers
Batesy
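
For comparison with the practice discussed in this thread, the following is an added example (not part of the original message, and not any ISP's actual system) of a forgotten-password flow in which only a salted hash is stored, support staff issue a one-time temporary password instead of reading the old one, and every reset is logged. The names `ACCOUNTS`, `AUDIT_LOG`, `support_reset` and the staff id are hypothetical, and the in-memory dict and list stand in for a real account database and access log.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the account table and the access log.
ACCOUNTS = {}
AUDIT_LOG = []

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the hardware in use


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_password(username: str, password: str, must_change: bool = False) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt per password
    ACCOUNTS[username] = {
        "salt": salt,
        "hash": _derive(password, salt),
        "must_change": must_change,
    }


def verify(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the derived values.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def support_reset(staff_id: str, username: str) -> str:
    """Support desk action: replace the forgotten password, never reveal it."""
    if username not in ACCOUNTS:
        raise KeyError(username)
    temp = secrets.token_urlsafe(12)  # one-time password read out to the client
    set_password(username, temp, must_change=True)
    AUDIT_LOG.append({
        "ts": time.time(),
        "staff": staff_id,
        "action": "password_reset",
        "account": username,
    })
    return temp
```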



