[clug] OT: Passwords to verify identity

jm jeffm at ghostgun.com
Wed May 15 23:25:20 MDT 2013


Many ISPs rely on third party software for billing purposes which stores
your passwords. It is an unfortunate truth that these third parties
don't know much about security as they are more "gui on a database" type
of developers. One example of billing that I'm thinking of stored the
master password for the database on the client machines in plain text
and relied on their client software to enforce access privileges rather
than run a client <-> server <-> database architecture. The problem
can't be resolved easily because the only alternative is to write your
own and you have other things which need to be developed that are more
of an immediate concern.

Also, it may be stored in plain text to facilitate CHAP authentication.
A much better solution would be to use rcrypt or encrypt the password
with AES using a master password first. However, you have to use a
method that is supported by your authentication (radius) server.

No longer in the ISP game,

Jeff.

On 16/05/13 1:40 PM, Andrew Steele wrote:
> Turns out their passwords are all stored in plain text so they can use them
> to verify identity.  I've suggested this is a bit of a security weakness
> and I was told it wasn't.
>
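To make the CHAP point from the reply above concrete, the following is an added Python example (written for this page, not code from the list or from any ISP billing product). It computes the RFC 1994 CHAP response and shows that a server holding only a salted PBKDF2 hash can still verify a PAP-style login but cannot complete a CHAP exchange, because it has no way to recompute the response. The identifier, challenge and password are constructed sample values; the AES-under-a-master-password option is not shown.

```python
import hashlib
import hmac
import os

# CHAP response as defined in RFC 1994: MD5(identifier || secret || challenge).
# Both peers need the secret itself, which is why a CHAP server cannot
# work from a one-way hash of the password.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify_chap(plaintext_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, plaintext_secret, challenge)
    return hmac.compare_digest(expected, response)

# One-way record: PBKDF2-HMAC-SHA256 with a per-user random salt. Good for
# PAP-style "is this the password?" checks, useless for CHAP because the
# secret cannot be recovered from it.
def make_hashed_record(password: bytes, salt: bytes = b"",
                       iterations: int = 100_000) -> dict:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify_pap(record: dict, candidate: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate,
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def demo(password: bytes = b"correct horse",
         challenge: bytes = bytes(range(16))) -> dict:
    """Run one CHAP round and one PAP check against both kinds of store.

    Constructed sample values throughout. The hashed record never appears in
    the CHAP branch: nothing in it lets the server call chap_response().
    """
    ident = 7
    client_response = chap_response(ident, password, challenge)  # sent by client
    hashed = make_hashed_record(password, salt=b"\x00" * 16)     # fixed salt: deterministic
    return {
        "plaintext_store_chap": verify_chap(password, ident, challenge, client_response),
        "plaintext_store_chap_replayed_wrong": verify_chap(password, ident, b"\xff" * 16, client_response),
        "hashed_store_pap": verify_pap(hashed, password),
        "hashed_store_pap_wrong": verify_pap(hashed, b"wrong"),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```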
