Short answer: It depends on the ISP. I used to have a shell account on Teleport.com that I rarely logged into manually, and when I needed to recover the password the best they could do was reset it to something new. This was in 1994. Teleport is (of course) now part of EarthLink, so my guess is that this policy is no longer the case.

Scary answer: It seems like the larger ISPs are opting for convenience over security, and retrieval of passwords is relatively simple if you have an account name and some rudimentary demographic data.

Very scary anecdotal support for the scary answer: AT&T Broadband allows 6 email boxes per account, so my wife and I each have an email account with completely different passwords (and login names, obviously). When my wife forgot her password I was able to "retrieve" it (and her login name) for her by giving AT&T customer support my password over the phone. I suppose most people who share a cable modem probably trust each other, but this seems like a bad policy to me. (Disclaimer: This happened not long after AT&T transferred all of their users from excite@home to attbi.com. Their policy may have changed since then.)

The point is that AT&T employees can obviously see the passwords, and under certain circumstances they are willing to give them out over the phone.

-----Original Message-----
From: Lyle Leavitt [mailto:lylel@private]
Sent: Tuesday, June 11, 2002 5:13 PM
To: CRIME
Subject: CRIME ISP Password Security Practices at Earthlink

I recently discovered during a tech support call that my ISP (Earthlink - one of the largest in the US) has a practice regarding passwords which I find alarming. The technicians and other service personnel have full visibility to the passwords on my accounts. Is this a common practice among ISPs? My past experience has been that network personnel have the ability to reset passwords but not openly view them. Nowhere in their privacy statements does it explain this practice.

Doesn't this leave them open for liability if a disgruntled Earthlink employee should decide to take advantage of this access in order to create problems for a lot of accounts or to profit by selling the passwords to someone else like a competitor? Any comments?

Lyle Leavitt
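The distinction both posters draw (support staff who can reset a password versus staff who can read it back) comes down to how the account store keeps the credential. The following is an added example, not code from either poster or from any ISP named above: a constructed in-memory account store in which only a salted PBKDF2 hash is kept, so a "view password" function can return nothing but opaque hashes and the only support workflow is to issue a fresh temporary password. A plaintext store is shown beside it for contrast. Class and method names, the iteration count and the sample logins are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Assumption for this example: PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


class PlaintextStore:
    """The practice the thread complains about: the credential is stored as typed,
    so anyone with access to the record (or a support console over it) can read it."""

    def __init__(self):
        self._accounts = {}  # login -> password (constructed, in-memory only)

    def create(self, login: str, password: str) -> None:
        self._accounts[login] = password

    def verify(self, login: str, password: str) -> bool:
        return self._accounts.get(login) == password

    def support_view(self, login: str) -> str:
        # A technician can hand this back over the phone.
        return self._accounts[login]


class HashedStore:
    """Reset-only design: only salt + hash are stored, so the original password
    cannot be recovered by staff; support can only replace it."""

    def __init__(self):
        self._accounts = {}  # login -> {"salt": bytes, "hash": bytes}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def create(self, login: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._accounts[login] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, login: str, password: str) -> bool:
        rec = self._accounts.get(login)
        if rec is None:
            # Do the same work for unknown logins so response time does not
            # reveal whether an account exists.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"])

    def support_reset(self, login: str) -> str:
        """The only thing support can do: issue a fresh temporary password.
        The previous password is gone; the user should change it after first login."""
        if login not in self._accounts:
            raise KeyError(login)
        temporary = secrets.token_urlsafe(12)
        self.create(login, temporary)  # new salt, new hash; old record overwritten
        return temporary

    def support_view(self, login: str) -> str:
        """What a technician could 'see' under this design: only opaque values."""
        rec = self._accounts[login]
        return f"salt={rec['salt'].hex()} hash={rec['hash'].hex()}"


if __name__ == "__main__":
    # Constructed walk-through of both designs.
    weak = PlaintextStore()
    weak.create("alice", "correct horse battery")
    print("plaintext store, support sees:", weak.support_view("alice"))

    strong = HashedStore()
    strong.create("alice", "correct horse battery")
    print("hashed store, support sees:", strong.support_view("alice"))
    temp = strong.support_reset("alice")
    print("hashed store, support can only reset; new temporary password:", temp)
    print("old password still works?", strong.verify("alice", "correct horse battery"))
```

The point the example makes is that the "can they view it or only reset it" question is not a policy choice layered on top of the system; it is decided by whether a recoverable credential exists in the store at all. With the hashed design the support workflow in the first post (a reset to something new) is the only one available, and the phone-retrieval scenario in the second is impossible regardless of how trusting the technician is.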
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:27:03 PDT