[plug] ISPs storing plain-text passwords...

Steve Vertigan vertigan at bigfoot.com
Tue Aug 7 09:28:03 WST 2001


Kim Covil wrote:
 
> > Then don't use the same password.  All a password is is a key for you to
> > identify yourself to a party, in this case your ISP.  You don't have any
> > say in what they do with it beyond that and it shouldn't be trusted any
> > more than who you're giving it to. 
>
> I don't use the same password... but that still doesn't make me happy to
> find out the password I do use is kept in plain-text for all the support
> staff to look at when they please...

Even if your ISP kept your passwords encrypted how do you know a hacker
or disgruntled sysadmin hasn't modified the passwd program to email him
the passwords of users whenever they're changed?  No matter what they do
the idea that you can give them a password with greater security
ramifications than just access to your account with them, without any
risk, is based on an illusion.  And if you do use a different password
then what power do employees of your ISP have that they didn't already?

> As I said before, it is hard enough for the general user to make up and
> remember a single password... let alone a whole range of passwords NONE
> OF WHICH SHARE ANYTHING IN COMMON... Most users will have some form of
> system they use to remember all their passwords...

Very true but that doesn't make your ISP any more secure,
unfortunately.  And to compound matters having a whole slew of random
passwords generally leads to having them stuck on a luser's monitor in
post-it notes which can be less secure again than using the same
password.  In my case I have different schemes for different levels of
access so while someone cracking one of my free web accounts like yahoo
could probably crack the others like hotmail or BB accounts they'd have
less chance of cracking my ISP password, still less chance of getting a
root password and less chance again of getting one I use for encryption
and mail signing.  A smarter scheme is to use a password manager that
stores its database in a trusted encryption format or a textfile you've
encrypted with gpg at a pinch.  As in all things though it'll come down
to how much effort you want to put in as opposed to hoping for the best
and relying on safety in numbers (which given the number of lusers that
don't care about security could be the best strategy anyway :-)

Steve
-- 
OpenBSD maelstrom.dyn.dhs.org GENERIC#399 i386
 5:25PM  up 6 days, 42 mins, 2 users, load averages: 0.37, 0.35, 0.33
I wish there was a knob on the TV to turn up the intelligence.
There's a knob called `brightness', but it doesn't seem to work.
		-- Gallagher
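To make the contrast in the thread concrete (a plaintext record that any support person can read, versus a store that keeps only a per-user salt and a slow hash yet can still verify logins), here is an added Python example; it is not code from the list or from any ISP, and the record layout, usernames and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; assumed value, tune to the hardware.
PBKDF2_ROUNDS = 200_000


def make_plaintext_record(username: str, password: str) -> dict:
    """The practice the thread complains about: the password itself is stored."""
    return {"user": username, "password": password}


def make_hashed_record(username: str, password: str) -> dict:
    """Keep only a random salt and the derived hash; the plaintext is discarded.

    Staff with read access to the database can verify a login attempt but
    cannot recover the password or reuse it against the user's other accounts.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {
        "user": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "rounds": PBKDF2_ROUNDS,
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_password(record: dict, password: str) -> bool:
    """True if the plaintext password appears anywhere in the stored record."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    pw = "correct horse battery"  # constructed sample password
    plain = make_plaintext_record("kim", pw)
    hashed = make_hashed_record("kim", pw)
    print("plaintext record exposes password:", record_reveals_password(plain, pw))
    print("hashed record exposes password:   ", record_reveals_password(hashed, pw))
    print("login check with right password:  ", verify(hashed, pw))
```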
