[plug] ISPs storing plain-text passwords...

Tue Aug 7 13:46:33 WST 2001

Having just started as a support person at an ISP I have found this discussion
interesting.  It has made me question a few things that luckily I haven't come
across yet and now feel better prepared for when  I do, so thanks to all for
the input :)

Just a few comments and questions:

The support staff should never need to know the current password of a user.
Users should be strongly encouraged to never divulge their passwords to
anyone.  It should be part of the initial account setup that users are informed
NEVER to tell their passwords to anyone who initiates a call to them.  The only
time where it might be ok is if the user initiates the call to support, but
even then I don't see that it should be necessary.

Can anyone suggest a situation where a support person is going to need a user's
password to access their account?  What sort of actions would the user be
wanting support to do?  If it is something like changing email forwarding etc
then it should get passed to the sys admin, who isn't going to need the user's
password to effect the changes.  I'd genuinely like to know.

If the user has forgotten their password then there are some problems.  There
is definately a need to verify that the person who has called support is who
they say they are.  Obviously if they have forgotten their password then they
can't use that as a means of authentication.  Credit card numbers  are a
possibility as most ISP's will already have them, however not all users pay by
credit card!  A secondary password or keyword is a good option.  Many phone
support services for financial institutions use this technique.  When setting
up the service they should be asked for a question to which only they will know
the answer and to which the answer will never change ie What is the name of the
first person you kissed?
or maybe for an older user What was the first car that you owned (assumes more
than one)?  Keywords based on names of pet's, family members etc are poor as
many people will be able to get that information.  If they fluff the question
then the password doesn't get changed until they front up in person with 100
points of id (with photos).  Assuming they have verified who they are either by
keyword or photo id then the password should be changed to a temporary password
that is valid only for a short time period ie 24 hours, enough time for them to
login and change it to a new password that only they know.  Hopefully the users
will be bright enough to choose a question to which they would only tell the
answer to, to a complete stranger (ie so they can't be socially engineered by
someone they know).

It is not only in the user's interest to keep the account passwords secure, it
is also the ISP's.  A number of messages mentioned the financial impact of
someone using your credit cards details to buy stuff or even your internet
account for downloading lots of traffic.  What about for launching
(D)DOS attacks?  or downloading child porn?  (that's a black mark that nobody
wants against their name) or warez?  etc   I'm sure every ISP would be
embarrassed to have any of the above happening through their servers.  The fact
is having passwords stored in plain text on ANY machine is a lowering of the
security of all the accounts.  Everything that CAN be done to make it harder to
crack accounts SHOULD be done.