[plug] ISPs storing plain-text passwords...

Benjamin Keith bjkeith at cygnus.uwa.edu.au
Tue Aug 7 17:27:57 WST 2001


Christian wrote:

> On Tue, Aug 07, 2001 at 01:46:33PM +0800, Benjamin Keith wrote:
>
> > The support staff should never need to know the current password of a user.
> > Users should be strongly encouraged to never divulge their passwords to
> > anyone.  It should be part of the initial account setup that users are informed
> > NEVER to tell their passwords to anyone who initiates a call to them.  The only
> > time where it might be ok is if the user initiates the call to support, but
> > even then I don't see that it should be necessary.
> > Can anyone suggest a situation where a support person is going to need a user's
> > password to access their account?  What sort of actions would the user be
> > wanting support to do?  If it is something like changing email forwarding etc
> > then it should get passed to the sys admin, who isn't going to need the user's
> > password to effect the changes.  I'd genuinely like to know.
>
> It may be appropriate to ask the user what they *think* their password
> is as a way to narrow down the cause of the problem if they cannot log
> in.  They tell you what the password is and you test it locally.  If it
> works then you know it's a problem at their end such as a consistent
> typo or CAPS lock being left on etc.  It can be very helpful to verify
> that the password they think they have is the same as the one set on the
> account.  Of course, once the issue has been resolved, no record is then
> kept of the plaintext password and definitely not an electronic record.

In such a case I would first be inclined to go through the list of characters *not*
allowed in a password to make sure it isn't a problem with the password being parsed
during authentication, i.e. / \ # etc.  If they have included such characters then a
new password would have to be issued.  If they claim not to have used any illegal
characters and I have ruled out all other possible problems then I would probably
suggest setting a new (temporary) password for them.  As for CAPS LOCK - that is
usually the first question I ask when they say the error message says invalid username
or password... they don't have to tell me what their password is to fix that problem...

> > or maybe for an older user What was the first car that you owned (assumes more
> > than one)?  Keywords based on names of pet's, family members etc are poor as
> > many people will be able to get that information.  If they fluff the question
> > then the password doesn't get changed until they front up in person with 100
> > points of id (with photos).  Assuming they have verified who they are either by
> > keyword or photo id then the password should be changed to a temporary password
> > that is valid only for a short time period ie 24 hours, enough time for them to
> > login and change it to a new password that only they know.  Hopefully the users
> > will be bright enough to choose a question to which they would only tell the
> > answer to, to a complete stranger (ie so they can't be socially engineered by
> > someone they know).
>
> Really?  Does the ISP you work for require 100 points of photo ID before
> creating the account in the first place?
>

I've only been there a short time (sorry, not going to drop names here) and haven't
encountered this problem yet so I don't know what their policy is.  Sadly though I
don't think they would be as strict as I have outlined; they don't have keyword
questions on their new account forms :(  I'll definitely be asking next time I'm
in.  I know for sure that the support staff don't have access to users' passwords and
I'm pretty sure they are stored in some sort of encrypted format.  What I wrote is a
system that I see as a workable solution, assuming you are willing to sacrifice user
convenience for a more secure system.

>
> --
> DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066  7267 8BED E9D6 0EC1 D28C
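The thread above turns on two points: support staff checking what a user *thinks* their password is, and a temporary password that lapses after 24 hours. Both can be done without the ISP ever holding a plaintext password. The following is an added illustration, not code from the original post or from any ISP mentioned in it: it stores only a per-user random salt and a PBKDF2 hash, lets a support desk confirm a claimed password against that hash, and issues a random temporary password that expires. The account store, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example (not from the original post): an ISP account store that
# keeps only a salted hash per user, so nobody on staff can read a password,
# yet the support desk can still confirm a password the user reads out.

PBKDF2_ITERATIONS = 100_000
TEMP_PASSWORD_LIFETIME = 24 * 60 * 60  # seconds: the 24-hour window from the thread


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per stored password.

    Hashing the raw UTF-8 bytes means characters such as / \\ # never need
    to be parsed or escaped on the authentication path."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory stand-in for the ISP's user database (constructed)."""

    def __init__(self):
        self._accounts = {}

    def _set(self, username, password, temp_expires=None):
        salt, digest = hash_password(password)
        self._accounts[username] = {
            "salt": salt, "digest": digest, "temp_expires": temp_expires,
        }

    def create(self, username, password):
        self._set(username, password)

    def check_login(self, username, password, now=None):
        """The normal login path; honours the expiry on temporary passwords."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        now = time.time() if now is None else now
        if acct["temp_expires"] is not None and now > acct["temp_expires"]:
            return False  # temporary password has lapsed
        return verify_password(password, acct["salt"], acct["digest"])

    def support_confirm(self, username, claimed_password):
        """What support can do: check the user's claimed password against the
        hash.  Nothing here reads or records a plaintext password."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return verify_password(claimed_password, acct["salt"], acct["digest"])

    def issue_temporary_password(self, username, now=None):
        """Replace the password with a random one valid for 24 hours.  The
        plaintext is returned once for handing to the user and not kept."""
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)
        self._set(username, temp, temp_expires=now + TEMP_PASSWORD_LIFETIME)
        return temp

    def user_changes_password(self, username, old_password, new_password, now=None):
        """The user replaces the temporary password with one only they know."""
        if not self.check_login(username, old_password, now):
            return False
        self._set(username, new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse")
    print("support confirm (right):", store.support_confirm("alice", "correct horse"))
    print("support confirm (caps):", store.support_confirm("alice", "CORRECT HORSE"))
    temp = store.issue_temporary_password("alice")
    print("temporary password issued; changing it:",
          store.user_changes_password("alice", temp, "new secret"))
```

With this layout the "tell me what you think your password is" step from the quoted reply still works (it is a hash comparison, not a lookup), and a CAPS LOCK mistake shows up as a failed comparison rather than as anything staff can read. The expiry is enforced at login time, so a temporary password that the user never picks up simply stops working.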