[plug] ISPs storing plain-text passwords...

Christian christian at amnet.net.au
Tue Aug 7 11:53:47 WST 2001


On Mon, Aug 06, 2001 at 08:27:43PM +0800, Kim Covil wrote:

Firstly, I largely agree with Kim in that the passwords shouldn't have
been stored in plaintext on a networked machine without a good
technical reason, such as this being a requirement of the authentication
protocol being used (here's a tip -- get a better authentication
protocol that doesn't require plaintext equivalency!).  All arguments to
the contrary don't seem to really hold up to scrutiny.  Saying that the
ISP staff need continued access to the plaintext passwords is completely
bogus and the argument that password crackers could recover hashed
passwords seems even more desperate.  ISP staff invariably cannot be
completely trusted and, as Kim has asserted, revealing one password often
does weaken the remaining passwords.  Where password cracking is
concerned, at least the good passwords are relatively safe from this
(thus rewarding those who adhere to good security practices) but if the
passwords are simply sitting there in a database in plaintext then the
security conscious users get burnt along with the careless ones.

> I suppose there are a number of issues here...
> 
> 1) I should have been informed that my password was going to be visible
> to people other than myself...

Arguably not because someone has to know your password at least
initially to set it and it's probably reasonable to keep this initial
password on file somewhere in case the account had to be remade.  But it
definitely shouldn't be stored in electronic format on any networked
machine and you should be able to change that initial password without
the ISP having access to this new password.

> 2) I should have been given the option to opt out of the system of
> having my password visible...

Absolutely. (Assuming the password should have been visible at all to
begin with!)

> 3) There is no reason for a support person to need to use my password
> for any problem... as support users they should be able to modify my
> account directly without seeing my password...

Definitely.  My own experience doing support was that it was virtually
never necessary to know what their password was although it was often
useful to know what they *thought* it was in order to isolate the
source of the problem.  Obviously what the user *thinks* their password
is cannot be stored on file...

> 4) The fact that a support person will be dismissed if they use my
> password for doing bad things... does not stop them using my password...
> In fact now they have my password and are disgruntled...

If they got dismissed for using your password (which probably meant they
were extremely unlucky and got caught) then you would probably change
your password as a precautionary measure.  I wonder if the ISP would
bother to ask the rest of its clients to change their passwords too or
whether they would simply try to keep quiet the fact that there had
been a security failure due to an unscrupulous staff member who had
access to all of their plaintext passwords!

> 6) Seeing someone's password gives you insights on how they construct
> passwords... and that is if they haven't just gone and used the same
> password elsewhere...

This point in particular seems very important.  Generating a password
that is both memorable and unguessable (sufficiently high in entropy) is
very difficult.  Assuming users put enough thought in and come up with
something that they can discern a pattern in but which is unlikely to be
recovered with any automatic password cracker then they have good reason
to feel quite safe.  However, if ISPs are making users' passwords
available to their support staff then this gives the support staff the
opportunity to be able to discern the pattern in the password and make
guesses at other passwords that the user has with significantly
increased chance of success.  (This is assuming that the user doesn't
re-use his/her passwords...)


-- 
DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066  7267 8BED E9D6 0EC1 D28C
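The storage model the reply argues for (salted hashes rather than plaintext, support able to reset an account without ever seeing the password, and only weak passwords exposed to guessing) as an added example; this is illustrative code written for this page, not anything from the ISP or list members, and the store layout, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: a minimal credential store that keeps salted
# PBKDF2-HMAC-SHA256 digests instead of plaintext passwords.
ITERATIONS = 100_000  # assumption; tune to the hardware


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def store(db: dict, user: str, password: str) -> None:
    """Record only the salt and digest; the plaintext is never kept."""
    db[user] = hash_password(password)


def verify(db: dict, user: str, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    salt, digest = db[user]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def support_reset(db: dict, user: str) -> str:
    """Support fixes a locked-out account without seeing the old password:
    a random temporary password is issued and only its hash is stored."""
    temp = secrets.token_urlsafe(12)
    store(db, user, temp)
    return temp  # handed to the user out of band, not retained by the ISP


def audit_weak(db: dict, common: list) -> list:
    """Defender-side audit: which accounts use one of a few common passwords?
    Hashing does not protect these, but well-chosen passwords stay safe."""
    return [u for u in db if any(verify(db, u, c) for c in common)]
```

With a constructed store holding "password1" for one user and a long passphrase for another, only the first is flagged by the audit, and a support reset changes the account without ever exposing either password.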
