[plug] ISPs storing plain-text passwords...

Beau Kuiper kuiperba at cs.curtin.edu.au
Mon Aug 6 20:20:35 WST 2001


Hmm,

My brief analysis:

This could be a security problem depending on how it is implemented and used.

If the systems storing the passwords are not connected to the internet, then 
the only thing you need to worry about is social engineering of the support 
staff.

However, if the support staff can be socially engineered to give a stranger 
your password, they could probably be made to change your password by a 
stranger if no plain-text passwords are kept.

Now, if the systems are connected to the internet, then things start to get 
interesting. The passwords are likely stored in a database. To get the 
passwords out of the database, a cracker must:

	1) Be able to access the database. This will probably involve breaking into 
	one of the systems inside the ISP network (not a customer computer).
	2) Determine a password to access the database with.

To change a user's password on an ISP:

	1) They must get an account on a machine where the passwords can be changed 
	(not much harder than above).

The only main problem with having plain-text passwords available at the ISP 
is that if a cracker/social engineer determines the password, it may take 
longer for the real account user to notice (as opposed to having the password 
changed).

Beau Kuiper
kuiperba at cs.curtin.edu.au


On Monday 06 August 2001 19:57, Kim Covil wrote:
> Hi all,
>
> slightly off-topic but a topic dear to all our hearts I think (or it
> should be if it isn't)
>
> I have just found out that my ISP stores my password in plain-text on
> their systems and that it is available for their support staff to see
> whenever they look at my account records... They tell me this is common
> practice with ISPs so that their support staff can tell their clients
> what their password is in the case where the client forgets it...
>
> I contend that this is a major security hole... one that I should have
> been told about when I signed up... I know there are a number of support
> staff from ISPs on this list and was wondering whether it is true that
> this is common practice...? Also I thought I might alert you to the
> possibility of this practice... cos if one ISP is doing it I wouldn't
> like to guess how many others might be... *sigh*
>
> There is no reason why anyone other than myself should ever need to know
> what my password is... and I (stupidly it seems) assumed that this is
> how it was...
>
> I am currently in the process of trying to get my ISP to remove my
> password from all plain-text data on their system and once that is done
> I will be changing my password...
>
> Cheers
>
> Kim
> --
> ======================================================================
> Kim Covil - CSIRO Exploration & Mining  E-mail: kim.covil at dem.csiro.au
>             PO Box 437, Nedlands,       Tel: +61 8 9284 8425    ,-_!\
>             Western Australia  6009     Fax: +61 8 9389 1906   /     \
>                                                                *_,-._/
> =================================================================== v
>    Please direct all personal e-mail to kimbotha at covil.com.au
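As an added illustration of the alternative the thread is arguing about (not code from either poster or from any ISP), the snippet below keeps only a random salt and a PBKDF2-derived key per account, so support staff can verify or reset a password but have nothing to read out to a caller. The account table, iteration count and user names are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for an ISP account database:
# username -> (salt, derived key). No plain-text password is stored anywhere.
ACCOUNTS = {}

# PBKDF2-HMAC-SHA256 work factor; assumed value, raise it for production use.
ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(user: str, password: str) -> None:
    """Store a fresh random salt and the derived key; the password itself is discarded."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[user] = (salt, _derive(password, salt))


def verify_password(user: str, password: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    record = ACCOUNTS.get(user)
    if record is None:
        return False
    salt, stored_key = record
    return hmac.compare_digest(stored_key, _derive(password, salt))


def support_reset(user: str) -> str:
    """What support staff can do instead of reading the password: issue a random
    temporary one. The old password stops working immediately, so the real
    account owner notices if someone else talked support into the reset."""
    if user not in ACCOUNTS:
        raise KeyError(user)
    temporary = secrets.token_urlsafe(12)
    set_password(user, temporary)
    return temporary


if __name__ == "__main__":
    set_password("kim", "correct horse battery")
    print("login ok:", verify_password("kim", "correct horse battery"))
    temp = support_reset("kim")
    print("old password still works:", verify_password("kim", "correct horse battery"))
    print("temporary password works:", verify_password("kim", temp))
```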
