[plug] ISPs storing plain-text passwords...
Christian
christian at amnet.net.au
Tue Aug 7 14:28:55 WST 2001
On Tue, Aug 07, 2001 at 01:46:33PM +0800, Benjamin Keith wrote:
> The support staff should never need to know the current password of a user.
> Users should be strongly encouraged to never divulge their passwords to
> anyone. It should be part of the initial account setup that users are informed
> NEVER to tell their passwords to anyone who initiates a call to them. The only
> time where it might be ok is if the user initiates the call to support, but
> even then I don't see that it should be necessary.
> Can anyone suggest a situation where a support person is going to need a user's
> password to access their account? What sort of actions would the user be
> wanting support to do? If it is something like changing email forwarding etc
> then it should get passed to the sys admin, who isn't going to need the user's
> password to effect the changes. I'd genuinely like to know.
It may be appropriate to ask the user what they *think* their password
is as a way to narrow down the cause of the problem if they cannot log
in. They tell you what the password is and you test it locally. If it
works then you know it's a problem at their end such as a consistent
typo or CAPS lock being left on etc. It can be very helpful to verify
that the password they think they have is the same as the one set on the
account. Of course, once the issue has been resolved, no record is then
kept of the plaintext password and definitely not an electronic record.
> or maybe for an older user What was the first car that you owned (assumes more
> than one)? Keywords based on names of pets, family members etc are poor as
> many people will be able to get that information. If they fluff the question
> then the password doesn't get changed until they front up in person with 100
> points of id (with photos). Assuming they have verified who they are either by
> keyword or photo id then the password should be changed to a temporary password
> that is valid only for a short time period ie 24 hours, enough time for them to
> login and change it to a new password that only they know. Hopefully the users
> will be bright enough to choose a question to which they would only tell the
> answer to a complete stranger (ie so they can't be socially engineered by
> someone they know).
Really? Does the ISP you work for require 100 points of photo ID before
creating the account in the first place?
--
DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066 7267 8BED E9D6 0EC1 D28C
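The procedure discussed in this thread, as an added example that is not part of the original posts: the ISP keeps only a salted hash, so support can test a password the user reads out without any plaintext ever being stored, and after identity is verified a temporary password is issued that expires after 24 hours and is replaced by one only the user knows. The in-memory store, hashing parameters and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory account store for this example (an assumption); a real
# ISP would use its authentication database. Only salted hashes are stored.
ACCOUNTS = {}

def _hash(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed, illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(user, password, temporary=False, lifetime=24 * 3600):
    salt = os.urandom(16)
    ACCOUNTS[user] = {
        "salt": salt,
        "hash": _hash(password, salt),
        # A temporary password carries an expiry; a permanent one does not.
        "expires": time.time() + lifetime if temporary else None,
    }

def verify(user, password, now=None):
    """Check a claimed password against the stored hash.

    This is the support check from the thread: the user says what they
    *think* the password is, the hash answers yes/no, and nothing plaintext
    is ever stored.
    """
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    if rec["expires"] is not None and (now or time.time()) > rec["expires"]:
        return False  # temporary password has expired
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def issue_temporary_password(user):
    """Once identity is verified, set a short-lived temporary password."""
    temp = secrets.token_urlsafe(12)
    set_password(user, temp, temporary=True)
    return temp

def change_password(user, old, new):
    """User replaces the temporary password with one only they know."""
    if not verify(user, old):
        return False
    set_password(user, new)
    return True
```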