[clug] OT: Passwords to verify identity

Brett Wheeler Brett.Wheeler at daramalan.act.edu.au
Wed May 15 22:41:33 MDT 2013


>>> Andrew Steele <fozzy at zipworld.org> 16/05/2013 1:40 PM >>>
This is not strictly Linux related, but I thought this might be a good
technical forum to initially raise the issue.

I recently had to call up my ISP[1] about a problem with my service.  In
the course of that conversation they wanted to verify my identity.

So they asked "Can you tell me your password?"

Turns out their passwords are all stored in plain text so they can use them
to verify identity.  I've suggested this is a bit of a security weakness
and I was told it wasn't.

I've since had a similar situation where a mobile telco did a similar thing
but in their case, they could only see the first characters of the password.

I can accept an organisation's need to verify my identity, but do people
think this is an appropriate way to implement it?

Andrew

[1] I've chosen not to name the ISP involved, suffice to say it's a local
Canberra ISP.
-- 
Andrew,
It looks like it may not just be your local ISP; I was asked for my password by a techie from one of the big 3.
He seemed to be a little surprised when I refused to give it to him, but he said he didn't need it as he could do something else. (He didn't say what.)
I asked him if it was standard practice to request user passwords and he replied that it was.
 
Brett Wheeler
Computer Technician
Daramalan College
Dickson ACT 2602
Australia
Phone (02) 6163 6489
Mob (+61) 0417 228 714
email  brett.wheelerATdaramalan.act.edu.au 
 
****************************
* Only the good die young, *
* I love my immortality.   *
****************************




