Re: CRIME ISP Password Security Practices at Earthlink

From: Crispin Cowan (crispin@private)
Date: Tue Jun 11 2002 - 18:43:52 PDT


    Lyle Leavitt wrote:
    
    >I recently discovered during a tech support call that my ISP
    >(Earthlink - one of the largest in the US), has a practice regarding
    >passwords which I find alarming. The technicians and other service
    >personnel have full visibility to the passwords on my accounts. Is
    >this a common practice among ISPs? My past experience has been that
    >network personnel have the ability to reset passwords but not openly
    >view them. Nowhere in their privacy statements does it explain this
    >practice. Doesn't this leave them open for liability if a disgruntled
    >Earthlink employee should decide to take advantage of this access in
    >order to create problems for a lot of accounts or to profit by
    >selling the passwords to someone else like a competitor?
    >
    >Any comments?
    >
    No, this is not common among ISPs. It is not common among system 
    software: Earthlink would likely have to customize something just to get 
    access to the passwords. UNIX and Windows store passwords in a hashed form.
    
    If true, this definitely leaves Earthlink users vulnerable to password 
    attack by disgruntled Earthlink staff. Do not use the same password on 
    Earthlink as on other sites. In general, it is best practice to use 
    different passwords everywhere, but with the large number of web sites 
    demanding passwords these days, that can be problematic.
    
    Whether this practice leaves them liable is a question for a lawyer. 
    IIRC, in Jimmy's introduction for George at the big-deal meeting last 
    week, he said that George is, among other things, a lawyer :)
    
    Caveat: From Lyle's description, it sounds like he *inferred* that 
    Earthlink has read access to passwords. Lyle, how certain are you of 
    this conclusion? What was the basis for drawing this conclusion?
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
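The point of Crispin's reply, that a hashed credential store lets staff verify or reset a password but never read it, shown as an added example. This is not code from the original thread and not Earthlink's or WireX's code; it assumes PBKDF2-HMAC-SHA256 with a per-account random salt, and the two store classes, the work factor and the sample account are constructed for illustration. The plaintext store is the practice Lyle describes; the hashed store is what stock UNIX/Windows-style storage gives you.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Assumed work factor for PBKDF2; tune upward for a real deployment.
PBKDF2_ITERATIONS = 200_000
DUMMY_SALT = b"\x00" * 16


def derive_digest(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-account random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PlaintextAccountStore:
    """The practice Lyle describes: the table holds the password itself, so
    anyone with read access (a technician, a backup, a disgruntled employee)
    can simply read it out."""

    def __init__(self) -> None:
        self._accounts: dict = {}

    def create(self, username: str, password: str) -> None:
        self._accounts[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self._accounts.get(username) == password

    def staff_view(self, username: str) -> str:
        return self._accounts[username]


class HashedAccountStore:
    """Only salt + digest are kept, so staff can verify or reset a password
    but cannot recover it from the table."""

    def __init__(self) -> None:
        self._accounts: dict = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "iterations": PBKDF2_ITERATIONS,
            "digest": derive_digest(password, salt),
        }

    def verify(self, username: str, password: str) -> bool:
        rec = self._accounts.get(username)
        if rec is None:
            # Burn the same KDF cost so an unknown username is not
            # distinguishable from a wrong password by response time.
            derive_digest(password, DUMMY_SALT)
            return False
        candidate = derive_digest(password, rec["salt"], rec["iterations"])
        return hmac.compare_digest(candidate, rec["digest"])  # constant-time compare

    def staff_view(self, username: str) -> dict:
        """Everything a technician with full table access can see: no password in it."""
        rec = self._accounts[username]
        return {"salt": rec["salt"].hex(), "iterations": rec["iterations"], "digest": rec["digest"].hex()}

    def staff_reset(self, username: str) -> str:
        """The legitimate help-desk operation: replace the credential with a
        fresh random temporary password that is handed to the customer once."""
        if username not in self._accounts:
            raise KeyError(username)
        temp = secrets.token_urlsafe(12)
        self.create(username, temp)
        return temp


def demo() -> dict:
    """Constructed walk-through returning what each store exposes to staff."""
    password = "correct horse battery staple"
    plain, hashed = PlaintextAccountStore(), HashedAccountStore()
    plain.create("lyle", password)
    hashed.create("lyle", password)
    return {
        "plaintext_staff_sees": plain.staff_view("lyle"),
        "hashed_staff_sees": hashed.staff_view("lyle"),
        "hashed_verify_ok": hashed.verify("lyle", password),
        "hashed_verify_bad": hashed.verify("lyle", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast is the whole argument: with the hashed store, a support call can end in a reset (staff_reset) and a customer-typed password can be checked (verify), but staff_view yields only salt and digest, so the "full visibility" Lyle reports would require the ISP to have built something like PlaintextAccountStore on purpose.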
    
    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:27:57 PDT