[plug] ISPs storing plain-text passwords...

Kim Covil kimc at ned.dem.csiro.au
Mon Aug 6 20:39:21 WST 2001


> However, many ISPs do keep the password in plaintext in their accounting
> systems.  If this is the case, then it's probably in the same database as
> your home address, phone number, and credit card details.  Now, if the ISP
> has any clue at all, they will firewall the crap out of this server to
> reduce the chance of the password being released and then just send MD5
> crypted passwords out onto the actual network.

This is not the point... I don't care where it is stored... I don't
agree that it should be stored in plain-text... I don't believe that
anyone other than myself should need to know my password... and
therefore it should not be stored anywhere in plain-text...

> The benefit of them having the plaintext password is that, as they have
> stated to you, if you want changes done to your account, you can simply
> quote your password to them.  It does make it easier, and as long as the
> password is not distributed via hesiod etc, to the rest of their servers,
> less likely to be compromised.

There still should be no need for them to have my password to make
changes to my account... as support staff they should be able to make
changes to my account without my password... I repeat... NO-ONE but me
should ever have to know my password...

Cheers

Kim

-- 
====================================================================== 
Kim Covil - CSIRO Exploration & Mining  E-mail: kim.covil at dem.csiro.au
            PO Box 437, Nedlands,       Tel: +61 8 9284 8425    ,-_!\
            Western Australia  6009     Fax: +61 8 9389 1906   /     \
                                                               *_,-._/
=================================================================== v 
   Please direct all personal e-mail to kimbotha at covil.com.au
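
The exchange above turns on whether an ISP has to hold the password itself in order to check it. As an added example (not part of the original post, and not any ISP's actual system), the Python below keeps only a random salt and an scrypt hash in the account record and can still check a password supplied by the account holder. The function names, record layout and cost parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this example (about 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the plaintext cannot be read back."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """Build what the accounting database stores: salt and hash only."""
    salt = secrets.token_bytes(16)  # unique per account
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a supplied password against the stored record."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(candidate, salt), expected)


def record_contains_plaintext(record: dict, password: str) -> bool:
    """True if the password appears anywhere in the stored fields."""
    raw = password.encode("utf-8")
    needles = (password, raw.hex())
    return any(n in value for value in record.values() for n in needles)


if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    sample = "correct horse battery staple"
    rec = enroll(sample)
    print("stored record:", rec)
    print("right password accepted:", verify(rec, sample))
    print("wrong password accepted:", verify(rec, "letmein"))
    print("plaintext in record:", record_contains_plaintext(rec, sample))
```

A dump of this record gives an attacker a salt and a hash to brute-force rather than the password itself, and two accounts with the same password get different hashes.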


