Re: CRIME ISP Password Security Practices at Earthlink

From: Steve Beattie (steve@private)
Date: Wed Jun 12 2002 - 01:20:26 PDT

Next message: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"

Previous message: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
In reply to: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Next in thread: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Next in thread: nospam22@private: "Re: CRIME ISP Password Security Practices at Earthlink"
Reply: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 11, 2002 at 06:43:52PM -0700, Crispin Cowan wrote:
> Lyle Leavitt wrote:
> 
> >I recently discovered during a tech support call that my ISP
> >(Earthlink - one of the largest in the US), has a practice regarding
> >passwords which I find alarming. The technicians and other service
> >personnel have full visibility to the passwords on my accounts. Is
> >this a common practice among ISPs? My past experience has been that
> >network personnel have the ability to reset passwords but not openly
> >view them. Nowhere in their privacy statements does it explain this
> >practice. Doesn't this leave them open for liability if a disgruntled
> >Earthlink employee should decide to take advantage of this access in
> >order to created problems for a lot of accounts or to profit buy
> >selling the passwords to someone else like a competitor?
> >
> >Any comments?
> >
> No, this is not common among ISPs. It is not common among system 
> software: Earthlink would likely have to customize something just to get 
> access to the passwords. UNIX and Windows store passwords in a hashed form.

Um, there is a wider world than just UNIX and Windows and their host
authentication schemes. What's far more likely is that Earthlink is
using a radius protocol server for user authentication.

According to the FAQ of at least one of the free implementations of
a radiusd, Cistron/Freeradius, the way the CHAP protocol is specified
*requires* that passwords be stored in the clear on the radius server --
see <http://www.freeradius.org/faq/cistron.html#4.4>. For the voice of
authority, see section 2.2 "Disadvantages" of RFC 1994 which specifies
the CHAP protocol: <http://www.ietf.org/rfc/rfc1994.txt>.  CHAP, as I
recall, is pretty widely used.

How common it is among ISPs to allow tech support to have access to such
a plaintext database even one user id at a time, I have no idea (I've
never worked in an ISP).  But I agree that it's probably a bad practice.

-- 
Steve Beattie                               Don't trust programmers? 
<steve@private>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.

application/pgp-signature attachment: stored

Next message: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Previous message: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
In reply to: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Next in thread: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Next in thread: nospam22@private: "Re: CRIME ISP Password Security Practices at Earthlink"
Reply: Crispin Cowan: "Re: CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:05:29 PDT