Lyle Leavitt wrote:

>I recently discovered during a tech support call that my ISP
>(Earthlink - one of the largest in the US), has a practice regarding
>passwords which I find alarming. The technicians and other service
>personnel have full visibility to the passwords on my accounts. Is
>this a common practice among ISPs? My past experience has been that
>network personnel have the ability to reset passwords but not openly
>view them. Nowhere in their privacy statements does it explain this
>practice. Doesn't this leave them open for liability if a disgruntled
>Earthlink employee should decide to take advantage of this access in
>order to create problems for a lot of accounts or to profit by
>selling the passwords to someone else like a competitor?
>
>Any comments?
>

No, this is not common among ISPs. It is not common among system software: Earthlink would likely have to customize something just to get access to the passwords. UNIX and Windows store passwords in a hashed form.

If true, this definitely leaves Earthlink users vulnerable to password attack by disgruntled Earthlink staff. Do not use the same password on Earthlink as on other sites. In general, it is best practice to use different passwords everywhere, but with the large number of web sites demanding passwords these days, that can be problematic.

Whether this practice leaves them liable is a question for a lawyer. IIRC, in Jimmy's introduction for George at the big-deal meeting last week, he said that George is, among other things, a lawyer :)

Caveat: From Lyle's description, it sounds like he *inferred* that Earthlink has read access to passwords. Lyle, how certain are you of this conclusion? What was the basis for drawing this conclusion?

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
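The distinction drawn in the message above, between staff who can reset a password and staff who can view it, follows from hashed storage. The sketch below is an added example, not part of the original message and not Earthlink's or any vendor's code: `AccountStore` and its methods are hypothetical names, the password is constructed sample data, and PBKDF2-HMAC-SHA256 with an assumed iteration count stands in for whatever hash a given UNIX or Windows system actually uses.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Build the record that gets stored: salt, iteration count, digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_password(record, attempt):
    """Recompute the digest from the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


class AccountStore:
    """Hypothetical account database, seen from the support desk."""

    def __init__(self):
        self._records = {}

    def set_password(self, user, password):
        # Only the derived record is kept; the plaintext is never stored.
        self._records[user] = hash_password(password)

    def login(self, user, attempt):
        record = self._records.get(user)
        return record is not None and verify_password(record, attempt)

    def support_view(self, user):
        """Everything a technician can read: salt and digest, no password."""
        record = self._records[user]
        return {"salt": record["salt"].hex(), "digest": record["digest"].hex()}

    def support_reset(self, user):
        """Overwrite the record without knowing the old password."""
        temporary = secrets.token_urlsafe(12)
        self.set_password(user, temporary)
        return temporary
```

A store built this way can answer "is this attempt correct?" and can replace a password, but it has nothing to show a technician except the salt and digest.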
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:27:57 PDT