On Tue, Jun 11, 2002 at 06:43:52PM -0700, Crispin Cowan wrote:
> Lyle Leavitt wrote:
>
> > I recently discovered during a tech support call that my ISP
> > (Earthlink - one of the largest in the US) has a practice regarding
> > passwords which I find alarming. The technicians and other service
> > personnel have full visibility to the passwords on my accounts. Is
> > this a common practice among ISPs? My past experience has been that
> > network personnel have the ability to reset passwords but not openly
> > view them. Nowhere in their privacy statements does it explain this
> > practice. Doesn't this leave them open for liability if a disgruntled
> > Earthlink employee should decide to take advantage of this access in
> > order to create problems for a lot of accounts or to profit by
> > selling the passwords to someone else like a competitor?
> >
> > Any comments?
>
> No, this is not common among ISPs. It is not common among system
> software: Earthlink would likely have to customize something just to get
> access to the passwords. UNIX and Windows store passwords in a hashed form.

Um, there is a wider world than just UNIX and Windows and their host
authentication schemes. What's far more likely is that Earthlink is using
a radius protocol server for user authentication. According to the FAQ of
at least one of the free implementations of a radiusd, Cistron/Freeradius,
the way the CHAP protocol is specified *requires* that passwords be stored
in the clear on the radius server -- see
<http://www.freeradius.org/faq/cistron.html#4.4>. For the voice of
authority, see section 2.2 "Disadvantages" of RFC 1994, which specifies the
CHAP protocol: <http://www.ietf.org/rfc/rfc1994.txt>. CHAP, as I recall,
is pretty widely used.

How common it is among ISPs to allow tech support to have access to such a
plaintext database even one user id at a time, I have no idea (I've never
worked in an ISP). But I agree that it's probably a bad practice.

--
Steve Beattie                                Don't trust programmers?
<steve@private>                    Complete StackGuard distro at
http://NxNW.org/~steve/                      immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
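An added illustration of the point Steve makes about CHAP (constructed example, not part of the thread or of any RADIUS implementation): a model of the RFC 1994 exchange in which the server recomputes MD5(Identifier || secret || Challenge). Verification succeeds only when the server's user store holds the cleartext secret; a store of one-way hashes, as UNIX or Windows would keep, cannot produce the expected response. The user name and password are made-up values.

```python
import hashlib
import hmac
import os

# Constructed example: CHAP (RFC 1994) client/server exchange showing why a
# CHAP-capable server must keep the cleartext secret.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """The server picks a fresh, unpredictable challenge for every attempt."""
    return os.urandom(length)


# Hypothetical user database held in the clear, as CHAP forces on the server.
CLEARTEXT_DB = {"lyle": b"correct horse battery"}

# The same credentials stored only as one-way hashes, UNIX/Windows style.
HASHED_DB = {user: hashlib.sha256(pw).digest() for user, pw in CLEARTEXT_DB.items()}


def server_verify(db: dict, user: str, identifier: int,
                  challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response from whatever the server has stored.
    With the cleartext secret this matches the client's response; with only a
    hash it cannot, since MD5 over the hash is not MD5 over the password."""
    stored = db.get(user)
    if stored is None:
        return False
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(db: dict, user: str, password: bytes) -> bool:
    """Full exchange: server challenges, client answers with its real
    password, server checks the answer against the given database."""
    identifier = 1
    challenge = new_challenge()                                   # server -> client
    response = chap_response(identifier, password, challenge)     # client -> server
    return server_verify(db, user, identifier, challenge, response)
```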
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:05:29 PDT