RE: CRIME ISP Password Security Practices at Earthlink

From: Brent Tucker (brentt@private)
Date: Tue Jun 11 2002 - 18:51:09 PDT

Next message: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"

Previous message: Jacob B. Rothstein: "Re: CRIME ISP Password Security Practices at Earthlink"
Maybe in reply to: Lyle Leavitt: "CRIME ISP Password Security Practices at Earthlink"
Next in thread: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Short answer: It depends on the ISP.  I used to have a shell account on
Teleport.com that I rarely logged into manually, and when I needed to
recover the password the best they could do was reset it to something new.
This was in 1994.  Teleport is (of course) now part of EarthLink, so my
guess is that this policy is no longer the case.

Scary answer: It seems like the larger ISPs are opting for convenience over
security, and retrieval of passwords is relatively simple if you have an
account name and some rudimentary demographic data.

Very scary anecdotal support for the scary answer: AT&T Broadband allows 6
email boxes per account, so my wife and I each have an email account with
completely different passwords (and login names, obviously).  When my wife
forgot her password I was able to "retrieve" it (and her login name) for her
by giving AT&T customer support my password over the phone.  I suppose most
people who share a cable modem probably trust each other, but this seems
like a bad policy to me.  (Disclaimer: This happened not long after AT&T
transferred all of their users from excite@home to attbi.com.  Their policy
may have changed since then.) The point is that AT&T employees can obviously
see the passwords, and under certain circumstances they are willing to give
them out over the phone.

-----Original Message-----
From: Lyle Leavitt [mailto:lylel@private]
Sent: Tuesday, June 11, 2002 5:13 PM
To: CRIME
Subject: CRIME ISP Password Security Practices at Earthlink



I recently discovered during a tech support call that my ISP
(Earthlink - one of the largest in the US), has a practice regarding
passwords which I find alarming. The technicians and other service
personnel have full visibility to the passwords on my accounts. Is
this a common practice among ISPs? My past experience has been that
network personnel have the ability to reset passwords but not openly
view them. Nowhere in their privacy statements does it explain this
practice. Doesn't this leave them open for liability if a disgruntled
Earthlink employee should decide to take advantage of this access in
order to created problems for a lot of accounts or to profit buy
selling the passwords to someone else like a competitor?

Any comments?

Lyle Leavitt

Next message: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Previous message: Jacob B. Rothstein: "Re: CRIME ISP Password Security Practices at Earthlink"
Maybe in reply to: Lyle Leavitt: "CRIME ISP Password Security Practices at Earthlink"
Next in thread: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:27:03 PDT