RE: CRIME ISP Password Security Practices at Earthlink

From: Brent Tucker (brentt@private)
Date: Tue Jun 11 2002 - 18:51:09 PDT


    Short answer: It depends on the ISP.  I used to have a shell account on
    Teleport.com that I rarely logged into manually, and when I needed to
    recover the password the best they could do was reset it to something new.
    This was in 1994.  Teleport is (of course) now part of EarthLink, so my
    guess is that this policy is no longer the case.
    
    Scary answer: It seems like the larger ISPs are opting for convenience over
    security, and retrieval of passwords is relatively simple if you have an
    account name and some rudimentary demographic data.
    
    Very scary anecdotal support for the scary answer: AT&T Broadband allows 6
    email boxes per account, so my wife and I each have an email account with
    completely different passwords (and login names, obviously).  When my wife
    forgot her password I was able to "retrieve" it (and her login name) for her
    by giving AT&T customer support my password over the phone.  I suppose most
    people who share a cable modem probably trust each other, but this seems
    like a bad policy to me.  (Disclaimer: This happened not long after AT&T
    transferred all of their users from excite@home to attbi.com.  Their policy
    may have changed since then.) The point is that AT&T employees can obviously
    see the passwords, and under certain circumstances they are willing to give
    them out over the phone.
    
    -----Original Message-----
    From: Lyle Leavitt [mailto:lylel@private]
    Sent: Tuesday, June 11, 2002 5:13 PM
    To: CRIME
    Subject: CRIME ISP Password Security Practices at Earthlink
    
    
    
    I recently discovered during a tech support call that my ISP
    (Earthlink - one of the largest in the US) has a practice regarding
    passwords which I find alarming. The technicians and other service
    personnel have full visibility to the passwords on my accounts. Is
    this a common practice among ISPs? My past experience has been that
    network personnel have the ability to reset passwords but not openly
    view them. Nowhere in their privacy statements does it explain this
    practice. Doesn't this leave them open for liability if a disgruntled
    Earthlink employee should decide to take advantage of this access in
    order to create problems for a lot of accounts or to profit by
    selling the passwords to someone else like a competitor?
    
    Any comments?
    
    Lyle Leavitt
    
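The difference both posters draw, between staff who can only reset a password and staff who can read it back over the phone, comes down to what the account store keeps. The following is an added illustration, not code from either poster or from any ISP, contrasting a plaintext store (the practice described above) with a salted-hash store where a help-desk tool can verify or reset but has nothing to "retrieve". The class names, the in-memory dictionaries and the PBKDF2 parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets


class PlaintextStore:
    """The practice described in the thread: the password itself is stored,
    so anyone with access to the record (or the support tool) can view it."""

    def __init__(self):
        self._accounts = {}  # login -> password (constructed, in memory)

    def set_password(self, login, password):
        self._accounts[login] = password

    def verify(self, login, password):
        return self._accounts.get(login) == password

    def support_view(self, login):
        # Nothing technical stops this; only policy does.
        return self._accounts[login]


class HashedStore:
    """Reset-only design: store salt + PBKDF2 hash, never the password.
    Verification and reset are possible; viewing is not."""

    ITERATIONS = 100_000  # assumed work factor for the example

    def __init__(self):
        self._accounts = {}  # login -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, HashedStore.ITERATIONS
        )

    def set_password(self, login, password):
        salt = os.urandom(16)
        self._accounts[login] = (salt, self._derive(password, salt))

    def verify(self, login, password):
        rec = self._accounts.get(login)
        if rec is None:
            # Do the same work for unknown logins so timing does not
            # reveal whether the account exists.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))

    def support_reset(self, login):
        """What a help-desk tool can do here: issue a fresh temporary
        password. The previous one is unrecoverable from the record."""
        if login not in self._accounts:
            raise KeyError(login)
        temp = secrets.token_urlsafe(12)
        self.set_password(login, temp)
        return temp

    def support_view(self, login):
        """The request the posters describe. With hashed storage there is
        nothing to return, so the tool cannot offer it even by mistake."""
        raise NotImplementedError("only a salted hash is stored for %s" % login)


def demo():
    """Walk both stores through the scenario from the thread and report
    what support staff could hand out in each case."""
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.set_password("lyle", "correct horse battery staple")

    leaked = plain.support_view("lyle")          # handed out over the phone

    try:
        hashed.support_view("lyle")
        hashed_leak = "viewable"
    except NotImplementedError:
        hashed_leak = "not stored"

    temp = hashed.support_reset("lyle")          # the only option left
    return {
        "plaintext_view": leaked,
        "hashed_view": hashed_leak,
        "old_password_still_valid": hashed.verify("lyle", "correct horse battery staple"),
        "temp_password_valid": hashed.verify("lyle", temp),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that "reset but not view" is not a policy choice layered on top of the same database; it is a property of what is written to disk. A store that can answer `support_view` is also a store that leaks every password if the record is ever copied, which is the liability Lyle asks about.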



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:27:03 PDT