[plug] ISPs storing plain-text passwords...

Steve Vertigan vertigan at bigfoot.com
Mon Aug 6 22:20:07 WST 2001

Kim Covil wrote:

> This restricts the damage to the single account with that ISP... What I
> am worried about is people getting access to a plain-text password are
> going to have a greater chance to crack into other accounts owned by
> that user... Whether because they use the same or similar passwords...

Then don't use the same password.  All a password is is a key for you to
identify yourself to a party, in this case your ISP.  You don't have any
say in what they do with it beyond that and it shouldn't be trusted any
more than who you're giving it to.  It would be nice if they could
manage without storing a cleartext version but entrusting your own
security to the hope that $organisation and its staff are
ethical/competent is balmy.

And if you want a real horror story an ISP where I used to work stored
*all* user information in an access database on an NT machine that was
connected directly to the 'net without a single firewall rule on it. :-)

OpenBSD maelstrom.dyn.dhs.org GENERIC#399 i386
 6:10AM  up 5 days, 13:27, 2 users, load averages: 0.69, 0.66, 0.69
"The National Association of Theater Concessionaires reported that in
1986, 60% of all candy sold in movie theaters was sold to Roger Ebert."
		-- D. Letterman
