[plug] ISPs storing plain-text passwords...

Glen Lewis kisa at kisa.com
Mon Aug 6 20:43:18 WST 2001


On Mon, 6 Aug 2001, Kim Covil wrote:

> Hi all,
> 
> slightly off-topic but a topic dear to all our hearts I think (or it
> should be if it isn't)
> 
> I have just found out that my ISP stores my password in plain-text on
> their systems and that it is available for their support staff to see
> whenever they look at my account records... They tell me this is common
> practice with ISPs so that their support staff can tell their clients
> what their password is in the case where the client forgets it...

It really depends on where it is stored.  If the plain text password is
stored on machines such as the radius, mail, shell (in particular) and
other machines on their network, then I would completely agree - so would
most, one would assume.

However, many ISPs do keep the password in plaintext in their accounting
systems.  If this is the case, then it's probably in the same database as
your home address, phone number, and credit card details.  Now, if the ISP
has any clue at all, they will firewall the crap out of this server to
reduce the chance of the password being released and then just send MD5
crypted passwords out onto the actual network.

The benefit of them having the plaintext password is that, as they have
stated to you, if you want changes done to your account, you can simply
quote your password to them.  It does make it easier, and as long as the
password is not distributed via hesiod etc., to the rest of their servers,
it is less likely to be compromised.

Glen
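The split Glen describes, plaintext only inside the firewalled accounting system and "MD5 crypted" hashes on the hosts that actually authenticate, as an added example that is not part of the original post: it implements the crypt(3) MD5 ("$1$") scheme with hashlib alone, so it runs on Pythons that no longer ship the crypt module. The function names provision_hash and verify_login are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the original post: the accounting system keeps
# the plaintext but hands RADIUS/mail/shell hosts only a salted MD5-crypt hash.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """crypt(3)-style encoding: n characters, least-significant 6 bits first."""
    return "".join(_ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ('$1$' scheme) as used in /etc/shadow and RADIUS users files."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):      # feed len(pw) bytes of alt, 16 at a time
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                               # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return f"$1${sb.decode()}${out}"


def provision_hash(plaintext_from_accounting: str) -> str:
    """What leaves the accounting box: a freshly salted hash, never the plaintext."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return md5_crypt(plaintext_from_accounting, salt)


def verify_login(attempt: str, stored: str) -> bool:
    """Downstream host check: re-derive with the stored salt, compare in constant time."""
    if not stored.startswith("$1$"):
        return False
    return hmac.compare_digest(md5_crypt(attempt, stored.split("$")[2]), stored)
```

MD5-crypt is the scheme the 2001 discussion refers to; a deployment built today would provision a memory-hard hash (bcrypt, scrypt or Argon2) in the same way, with the plaintext still never leaving the accounting system.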