[plug] ISPs storing plain-text passwords...

Hook hooker at opera.iinet.net.au
Tue Aug 7 06:24:56 WST 2001


Kim Covil wrote :
> 3) There is no reason for a support person to need to use my password
> for any problem... as support users they should be able to modify my
> account directly without seeing my password...

At iinet user passwords are used primarily to help identify the person on
the phone. If I call iinet support and claim to be you, they'll ask me for
the password. You'll know it, I won't. How else can the owner of an account
be identified?

> 4) The fact that a support person will be dismissed if they use my
> password for doing bad things... does not stop them using my password...
> In fact now they have my password and are disgruntled...

... and have been dismissed (and perhaps charged) for offences relating to
misuse of your password. So when it happens again, who do you look for
first?

> 5) What is to stop a support person who leaves the ISP on good standing
> from starting to use my password...?

Nothing, but why would they want to?  I know the passwords for half a dozen
businesses in Perth that I do work for from time to time. I wouldn't use
them, but if they were paranoid, they might be concerned.

> 6) Seeing someone's password gives you insights on how they construct
> passwords... and that is if they haven't just gone and used the same
> password elsewhere...

I would guess that many of the passwords for iinet users are still the
original ones assigned by iinet when the account was opened. So, you could
perhaps guess how iinet create passwords, does it help you?  Wanna try &
guess mine for example?


The Hooker



