Re: CRIME ISP Password Security Practices at Earthlink

From: nospam22@private
Date: Tue Jun 11 2002 - 20:08:38 PDT


    Hi Lyle,
    
    Since Earthlink has a lot of novice users, I expect
    that they would get a lot of lost password calls. 
    Perhaps they prefer to tell the user their password
    instead of resetting it.  Also, they have likely
    rolled their own authentication and password storage
    solution, one which apparently uses cleartext
    passwords.
    
    A crypted() password (like the Unix passwd/shadow
    file) is merely obfuscated as the passwords can be
    guessed or brute forced by the sysadmin using crack,
    given enough CPU and time.
    
    Scott
    
    --- Lyle Leavitt <lylel@private> wrote:
    > 
    > I recently discovered during a tech support call
    > that my ISP
    > (Earthlink - one of the largest in the US), has a
    > practice regarding
    > passwords which I find alarming. The technicians and
    > other service
    > personnel have full visibility to the passwords on
    > my accounts. Is
    > this a common practice among ISPs? My past
    > experience has been that
    > network personnel have the ability to reset
    > passwords but not openly
    > view them. Nowhere in their privacy statements does
    > it explain this
    > practice. Doesn't this leave them open for liability
    > if a disgruntled
    > Earthlink employee should decide to take advantage
    > of this access in
    > order to create problems for a lot of accounts or
    > to profit by
    > selling the passwords to someone else like a
    > competitor?
    > 
    > Any comments?
    > 
    > Lyle Leavitt
    
    
    
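The contrast the two messages draw, between a store in which staff can read every password and a hashed store in which staff can only reset, plus the point that a cheap one-way hash can still be guessed by a sysadmin with a wordlist, as an added example that is not part of the original thread. It is illustrative code, not Earthlink's system; it uses a salted SHA-256 in a constructed `$sha256$salt$digest` format as a stand-in for Unix crypt(3), and the `PasswordStore`, `support_reset` and `audit_weak_passwords` names are assumptions.

```python
import hashlib
import os
import secrets

# Constructed record format standing in for a crypt(3)-style entry:
#   "$sha256$<salt hex>$<digest hex>"   (assumption, not a real scheme)
ALGO = "sha256"


def hash_password(password, salt=None):
    """One-way, salted hash; the original password is not recoverable from the record."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"${ALGO}${salt.hex()}${digest}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    _, _algo, salt_hex, _digest = stored.split("$")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return secrets.compare_digest(recomputed, stored)


class PasswordStore:
    """Hashed storage: support staff can reset an account but never read its password."""

    def __init__(self):
        self._records = {}  # user -> hashed record, no cleartext anywhere

    def set_password(self, user, password):
        self._records[user] = hash_password(password)

    def check(self, user, candidate):
        stored = self._records.get(user)
        return stored is not None and verify_password(stored, candidate)

    def support_reset(self, user):
        """The only lost-password path: mint a temporary password, store only its hash."""
        temp = secrets.token_urlsafe(9)
        self.set_password(user, temp)
        return temp

    def audit_weak_passwords(self, wordlist):
        """Sysadmin-style weak-password audit: a fast hash lets each guess be checked cheaply,
        so any account whose password appears in the wordlist is identified from its hash alone."""
        hits = {}
        for user, stored in self._records.items():
            for word in wordlist:
                if verify_password(stored, word):
                    hits[user] = word
                    break
        return hits
```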



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 21:08:22 PDT