Hi Lyle,

Since Earthlink has a lot of novice users, I expect that they would get a lot of lost password calls. Perhaps they prefer to tell the user their password instead of resetting it. Also, they have likely rolled their own authentication and password storage solution, one which apparently uses cleartext passwords.

A crypted() password (like the Unix passwd/shadow file) is merely obfuscated as the passwords can be guessed or brute forced by the sysadmin using crack, given enough CPU and time.

Scott

--- Lyle Leavitt <lylel@private> wrote:
>
> I recently discovered during a tech support call that my ISP
> (Earthlink - one of the largest in the US), has a practice regarding
> passwords which I find alarming. The technicians and other service
> personnel have full visibility to the passwords on my accounts. Is
> this a common practice among ISPs? My past experience has been that
> network personnel have the ability to reset passwords but not openly
> view them. Nowhere in their privacy statements does it explain this
> practice. Doesn't this leave them open for liability if a disgruntled
> Earthlink employee should decide to take advantage of this access in
> order to create problems for a lot of accounts or to profit by
> selling the passwords to someone else like a competitor?
>
> Any comments?
>
> Lyle Leavitt
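A sketch of the reset-only model described in the thread, added here as an example and not part of either message: the store keeps only a per-user salt and a PBKDF2 hash, so support staff can issue a temporary password but have nothing to read back. The class, method names, iteration count and sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed work factor; raises the CPU cost of every guess


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; only this output is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AccountStore:
    """Hypothetical credential store with no code path that returns a password."""

    def __init__(self):
        self._records = {}

    def set_password(self, user, password, must_change=False):
        salt = os.urandom(16)  # fresh salt on every change
        self._records[user] = {
            "salt": salt,
            "hash": _derive(password, salt),
            "must_change": must_change,
        }

    def verify(self, user, password):
        rec = self._records.get(user)
        # Derive even for unknown users so both cases cost the same time.
        salt = rec["salt"] if rec else b"\x00" * 16
        candidate = _derive(password, salt)
        return rec is not None and hmac.compare_digest(rec["hash"], candidate)

    def support_reset(self, user):
        """What a technician can do: replace the password, never read it."""
        if user not in self._records:
            raise KeyError(user)
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp, must_change=True)
        return temp  # handed to the user once, then changed at next login

    def support_view(self, user):
        """What a technician can see: account state, no secret material."""
        return {"user": user, "must_change": self._records[user]["must_change"]}
```
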
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 21:08:22 PDT