[clug] OT: Passwords to verify identity

Andrew Janke a.janke at gmail.com
Wed May 15 22:48:46 MDT 2013

On 16 May 2013 13:40, Andrew Steele <fozzy at zipworld.org> wrote:
> I recently had to call up my ISP[1] about a problem with my service.  In
> the course of that conversation they wanted to verify my identity.
> So they asked "Can you tell me your password?"
> Turns out their passwords are all stored in plain text so they can use them
> to verify identity.  I've suggested this is a bit of a security weakness
> and I was told it wasn't.

We probably use the same ISP (except I'm in Queensland now) and use an
ISP whose name has more than its fair share of i's in its name. They
probably have swallowed your local ISP.

When I found out about this I too was caught a little off guard and
thought this a little odd. That said, I now think it's a great system.
For one it means that this is one less company/employee who has all
the "highly secret never breakable security information" about me that
allows me to talk to my bank. Like DOB and mother's maiden name.

In fact I now prefer this method, the password I use with this
provider is not used anywhere else so I don't see it as a big issue. I
get to choose what they demand of me to identify myself and I either
know it or I don't, no stuffing around with 3 of 4 different methods,
secret questions that you've forgotten, etc. It's not as if they can
access anything they can't already in my account with said password.

"Hi it's Andrew"
"Prove it"
<rattle off password>

