[plug] ISPs storing plain-text passwords...

Peter Wright pete at akira.apana.org.au
Mon Aug 6 22:17:16 WST 2001


Hi all,

On Mon, Aug 06, 2001 at 08:19:46PM +0800, Jonathon Bates wrote:
[ Kim originally wrote: ]
> > I have just found out that my ISP stores my password in plain-text on
> > their systems and that it is available for their support staff to see
[ ... ]
> > There is no reason why anyone other than myself should ever need to know
> > what my password is...
[ ... ]
> I'm sorry but I tend to differ. I worked at iiNet for 2 years, I could
> access anyone's password whenever I felt like it (including MM's).
> However in the 2 years I was there, there was NO abuse of this system.

I'll put this very simply - how do you know?

> I like the idea of support staff being able to access a clients password,
> as it makes trouble shooting so much easier (perhaps a stint on a support
> desk might change your mind).

Personally, I doubt it... (despite the fact that my only stint on anything
vaguely approximating a help desk was about seven years ago and in a very
different environment to what I envision a large ISP's support group might be).

If I was working a help desk, I would do what I could to help those who
requested help. If somebody rang up saying "I've forgotten my password, can
you tell me what it is," I would politely explain that I had no friggin'
idea what their password was but that I would be delighted to change it to
something else temporarily, which they would then have to change after
logging in once[0].

If I didn't have administrator rights to do this, I'd farm it off to
someone who did.  Or if this situation happened often enough, I'd suggest
that a certain level of admin rights might be necessary to do the job
effectively. :-)

> All access to the accounting server was logged, and MM used to say anyone
> doing bad things would be not only dismissed but charged.

Um. Right. *grin*

So how many ways can you think of, off the top of your head, involving
either a technical or social (or combination) trick that would enable you
to get password-ish information and make illicit use of it with virtually
no chance of being detected (let *alone* enough evidence being available to
charge you with anything)?

> Personally I trust ISP staff (esp considering I was one of them) and as
> such have no issue with them seeing my password!

Well, the set of "ISP staff" includes a fairly wide range of people,
perhaps not all of them quite as ethically upstanding as yourself. :)

Actually, in general I'd agree with you (regarding ISP staff). But "in
general" doesn't really mean a great deal in reality. All it takes is one
of those metaphorical bad apples.

> Cheers
> Batesy

I just have one more question, Jonathon, if you don't mind answering - how
was this plaintext password storage system implemented (i.e. at what point
did you/iiNet get hold of the plaintext password)? Did you use a
compromised version of /usr/bin/passwd or /bin/login?

If so, that leaves a rather bad taste in my mouth at least *sigh*.


On Mon, Aug 06, 2001 at 08:39:21PM +0800, Kim Covil wrote:
[ Glen Lewis wrote: ] 
> > However, many ISP's do keep the password in plaintext in their accounting
[ ... ]
> > they will firewall the crap out of this server to reduce the chance of
> > the password being released
[ ... ]
> This is not the point... I don't care where it is stored... I don't
> agree that it should be stored in plain-text... I don't believe that
> anyone other than myself should need to know my password... and
> therefore it should not be stored anywhere in plain-text...

I wholeheartedly agree.

If anyone genuinely does think there's a good reason for the ISP staff
(who, presumably, have sufficient admin rights to change your password if
they feel like it) to need to know your password, please let us know. :)

> > The benefit of them having the plaintext password is that, as they have
> > stated to you, if you want changes done to your account, you can simply
> > quote your password to them.

Glen, are you suggesting this as a kind of secondary human-level
authentication method? Like when you ring up a bank for information about
your account and they ask you (for example) your DOB and mother's
maiden name as an approximation of ID "proof"?

So if they need any "changes" made to their account (which, presumably,
they're incapable of doing themselves or being talked through), they need
to tell you their password? So how do you verify them as bona fide if
they're ringing up saying they've forgotten their password? And if you _do_
have another method of verifying people, why don't you just use that method
all the time?

NB. I use "you" in the general if-you-were-an-ISP sense here. I don't mean
the above to sound like hectoring, my apologies if it does.

> > It does make it easier, and as long as the password is not distributed
[ ... ]
> There still should be no need for them to have my password to make
> changes to my account... as support staff they should be able to make
> changes to my account without my password... I repeat... NO-ONE but me
> should ever have to know my password...

Just to give a specific example of a reason why this could be more of a
problem than some might think offhand - 

At my previous ISP the username/password on my account and the
username/password on my home gateway machine (a Linux box) and the
username/password on at least two of my other home machines were all the
same. If I'd pissed off one or more of said ISP's staff one too many times
by asking them to do wild and crazy things like respond to support messages
within a few days instead of a few months, and one or more of them had
access to my plaintext password and felt like trying their luck on my
"gateway" machine (they knew I ran linux) - well, they could have gone in
and out and done pretty much whatever they wanted.

(Yes, I know having the same user/pass combo for different machines is bad
and very naughty of me. If I'd thought that my ISP was storing plaintext
passwords, believe me, I would have altered the situation in a hurry :).

> Cheers
> Kim

Pete.

[0] Of course going through all the standard, carefully thought out ISP
arse-covering manoeuvres to at least decrease the chances of a social
engineering trick being played.
-- 
http://akira.apana.org.au/~pete/

-- 
Thus spake the master programmer:
	"When a program is being tested, it is too late to make design changes."
		-- Geoffrey James, "The Tao of Programming"
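The help-desk workflow Pete describes (staff cannot read a password, but can set a temporary one that must be changed after first login, with every such reset logged) and the point made later in the thread that support staff with admin rights never need the password itself can be shown in code. The example below is an added illustration, not code from the post or from any ISP's accounting system; the in-memory dictionary, the account names and the PBKDF2 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "accounting database": username -> record.
# Only a salt and a PBKDF2-HMAC-SHA256 hash are stored, never the password.
_DB = {}
# Constructed audit trail of support actions (who reset whose password).
AUDIT = []

ITERATIONS = 200_000  # assumed work factor; tune for the real hardware


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _store(username: str, password: str, must_change: bool) -> None:
    salt = os.urandom(16)
    _DB[username] = {"salt": salt, "hash": _hash(password, salt),
                     "must_change": must_change}


def create_account(username: str, password: str) -> None:
    _store(username, password, must_change=False)


def verify_login(username: str, password: str) -> bool:
    rec = _DB.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether an account exists.
        _hash(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def support_reset(username: str, operator: str) -> str:
    """What a help-desk operator can do: issue a temporary password without
    ever learning the old one. The temporary password is returned so it can
    be read out to the caller; the caller is forced to replace it on first login."""
    temp = secrets.token_urlsafe(9)
    _store(username, temp, must_change=True)
    AUDIT.append({"action": "reset", "operator": operator, "account": username})
    return temp


def login(username: str, password: str) -> str:
    """Returns 'ok', 'denied', or 'change-required'."""
    if not verify_login(username, password):
        return "denied"
    if _DB[username]["must_change"]:
        return "change-required"
    return "ok"


def change_password(username: str, old: str, new: str) -> bool:
    """Only the account holder, who knows the current password, can set a new one."""
    if not verify_login(username, old):
        return False
    _store(username, new, must_change=False)
    return True


def stored_record_is_plaintext_free(username: str, password: str) -> bool:
    """Check that the plaintext never appears in what the accounting server holds."""
    rec = _DB[username]
    return password.encode() not in rec["salt"] + rec["hash"]


if __name__ == "__main__":
    create_account("kim", "correct horse")
    print("normal login:", login("kim", "correct horse"))
    print("plaintext absent from record:",
          stored_record_is_plaintext_free("kim", "correct horse"))
    temp = support_reset("kim", operator="batesy")
    print("old password after reset:", login("kim", "correct horse"))
    print("temporary password:", login("kim", temp))
    print("changed by owner:", change_password("kim", temp, "new pass phrase"))
    print("audit:", AUDIT)
```

The operator's capability is limited to `support_reset`: it proves nothing about the caller's identity, so the caller-verification step Pete asks about (DOB, account details, or whatever the ISP uses) has to happen before the operator invokes it, and the audit entry records who did it.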
