[plug] ISPs storing plain-text passwords...

Nigel Duff peregrin at iinet.net.au
Mon Aug 6 22:39:03 WST 2001


On Mon, Aug 06, 2001 at 07:57:33PM +0800, Kim Covil wrote:
> 
> I have just found out that my ISP stores my password in plain-text on
> their systems and that it is available for their support staff to see
> whenever they look at my account records... They tell me this is common
> practice with ISPs so that their support staff can tell their clients
> what their password is in the case where the client forgets it...
> 

The trouble is the password is the easiest way to verify the caller is who
they say they are. You could use caller ID if they had it turned on, but
what happens if there is more than one account in the same household?
You could use the last 6 digits of their credit card (if that's what they
used for payment), but I'd be more worried about them having my CC
details than my password.

The simple thing is that support staff don't need your password to play
with your account.

Nigel




