[clug] OT: Passwords to verify identity

Andrew Steele fozzy at zipworld.org
Wed May 15 21:40:15 MDT 2013

This is not strictly Linux related, but I thought this might be a good
technical forum to initially raise the issue.

I recently had to call up my ISP[1] about a problem with my service.  In
the course of that conversation they wanted to verify my identity.

So they asked "Can you tell me your password?"

Turns out their passwords are all stored in plain text so they can use them
to verify identity.  I've suggested this is a bit of a security weakness
and I was told it wasn't.

I've since had a similar situation where a mobile telco did a similar thing
but in their case, they could only see the first characters of the password.

I can accept an organisation's need to verify my identity, but do people
think this is an appropriate way to implement it?


[1] I've chosen not to name the ISP involved, suffice to say it's a local
Canberra ISP.

More information about the linux mailing list