[plug] ISPs storing plain-text passwords...

Leon Blackwell leon at lostrealm.com
Tue Aug 7 09:25:34 WST 2001


On Tue, Aug 07, 2001 at 06:24:56AM +0800, Hook wrote:
> At iinet user passwords are used primarily to help identify the person on
> the phone. If I call iinet support and claim to be you, they'll ask me for
> the password. You'll know it, I won't. How else can the owner of an account
> be identified?

That could also be done by asking the user for their password and
then just crypting it against the salt to check that it is the
same -- in exactly the same way that passwords are checked at
login.

There really isn't a need there for the password to be stored in
plain text; it's just an extra security risk.


As another option, you could have a verbal password that could be
exclusively for technical support.  That way, no one will ever
need to know your login password and you have the added bonus that
the technical support password can be an actual word.  I'd hate
to have to slowly read out some of my passwords over the phone...


-- 
 +----------------------------------------------------------------+
 | Leon Blackwell                       mailto:leon at lostrealm.com |
 | http://www.lostrealm.com/             {-this-space-for-lease-} |
 +----------------------------------------------------------------+
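The check Leon describes, as an added example that is not part of the original post: the account record keeps only salted hashes, and a phoned-in password (or a separate support word, per the second suggestion) is verified by re-deriving the hash against the stored salt. PBKDF2 stands in for the crypt(3) call the post alludes to; the iteration count, field names and sample credentials are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: a slow salted hash (PBKDF2-HMAC-SHA256) in place of crypt(3).
ITERATIONS = 200_000


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted hash of a secret; only this digest is ever stored, never the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


@dataclass
class AccountRecord:
    """Constructed per-account record: two independent salts, two digests, no plain text."""
    username: str
    login_salt: bytes
    login_hash: bytes
    support_salt: bytes
    support_hash: bytes


def create_account(username: str, login_password: str, support_word: str) -> AccountRecord:
    """Hash the login password and the verbal support word with separate random salts."""
    login_salt = os.urandom(16)
    support_salt = os.urandom(16)
    return AccountRecord(
        username,
        login_salt, _derive(login_password, login_salt),
        support_salt, _derive(support_word, support_salt),
    )


def verify_login(rec: AccountRecord, candidate: str) -> bool:
    """Same comparison the login program makes: re-derive with the stored salt, compare."""
    return hmac.compare_digest(_derive(candidate, rec.login_salt), rec.login_hash)


def verify_support_word(rec: AccountRecord, candidate: str) -> bool:
    """What the help desk checks over the phone; the operator only sees match / no match."""
    return hmac.compare_digest(_derive(candidate, rec.support_salt), rec.support_hash)
```

The help desk never needs the login password at all: a wrong support word simply fails to match, and the stored record reveals neither secret if it leaks.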