[plug] ISPs storing plain-text passwords...

Kim Covil kimc at ned.dem.csiro.au
Mon Aug 6 20:36:17 WST 2001


> If the systems storing the passwords are not connected to the internet, then 
> the only thing you need to worry about is social engineering of the support 
> staff.

This is my issue...

> However, if the support staff can be socially engineered to give a stranger 
> your password, they could probably be made to change your password by a 
> stranger if no plain text passwords are kept.

This restricts the damage to the single account with that ISP... What I
am worried about is people getting access to a plain-text password are
going to have a greater chance to crack into other accounts owned by
that user... Whether because they use the same or similar passwords...
It is hard enough for most users to come up with a single secure
password, let alone a whole number without the passwords being connected
in some way... Someone seeing a user's password gets an insight into how
that user creates passwords...

> Now, if the systems are connected to the internet, then things start to get 
> interesting. The passwords are likely stored in a database. To get the 
> passwords out of the database, a cracker must:
> 
>   1) be able to access the database. This will probably involve breaking into
>      one of the systems inside the ISP network (not a customer computer).

With worms rife as they are at the moment... This is a major issue...
I would at least prefer that if someone manages to crack into my ISP's
database and grab the password info, that they would then have to spend
time trying to brute force crack my password... at the very least it
would give more time between the ISP being cracked and my accounts being
cracked...

Cheers

Kim
-- 
====================================================================== 
Kim Covil - CSIRO Exploration & Mining  E-mail: kim.covil at dem.csiro.au
            PO Box 437, Nedlands,       Tel: +61 8 9284 8425    ,-_!\
            Western Australia  6009     Fax: +61 8 9389 1906   /     \
                                                               *_,-._/
=================================================================== v 
   Please direct all personal e-mail to kimbotha at covil.com.au
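The storage the post argues for, as an added example that is not part of the original thread: a provider keeps a salted, deliberately slow hash instead of the password, so a leaked table yields nothing without per-guess work, and the same password stored at two providers produces unrelated records. The iteration count is an illustrative assumption, not any ISP's setting.

```python
"""Salted, slow password hashing as a stand-in for plain-text storage.

Added example (not from the original thread). Standard library only.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Illustrative work factor (assumption): tune so one check costs tens of ms.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what a provider should store instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def records_differ_for_same_password(password: str) -> bool:
    """Two providers storing the same password under their own salts hold
    different records, so one leaked table reveals nothing about the other."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


def seconds_per_guess(record: dict) -> float:
    """Cost of testing one candidate against a leaked record: this is the
    delay the post wants between the ISP being cracked and the account
    being cracked (a plain-text table costs nothing, it is simply read)."""
    start = time.perf_counter()
    verify(record, "not-the-password")
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = make_record("correct horse")          # constructed sample password
    print(rec)                                  # salt + hash, no password
    print(verify(rec, "correct horse"), verify(rec, "Correct horse"))
    print(f"{seconds_per_guess(rec):.3f} s per guess")
```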