Re: CRIME ISP Password Security Practices at Earthlink

From: Steve Beattie (steve@private)
Date: Wed Jun 12 2002 - 01:20:26 PDT


On Tue, Jun 11, 2002 at 06:43:52PM -0700, Crispin Cowan wrote:
> Lyle Leavitt wrote:
> 
> >I recently discovered during a tech support call that my ISP
> >(Earthlink - one of the largest in the US), has a practice regarding
> >passwords which I find alarming. The technicians and other service
> >personnel have full visibility to the passwords on my accounts. Is
> >this a common practice among ISPs? My past experience has been that
> >network personnel have the ability to reset passwords but not openly
> >view them. Nowhere in their privacy statements does it explain this
> >practice. Doesn't this leave them open for liability if a disgruntled
> >Earthlink employee should decide to take advantage of this access in
> >order to create problems for a lot of accounts or to profit by
> >selling the passwords to someone else like a competitor?
> >
> >Any comments?
> >
> No, this is not common among ISPs. It is not common among system
> software: Earthlink would likely have to customize something just to get
> access to the passwords. UNIX and Windows store passwords in a hashed form.

Um, there is a wider world than just UNIX and Windows and their host
authentication schemes. What's far more likely is that Earthlink is
using a RADIUS protocol server for user authentication.

According to the FAQ of at least one of the free implementations of
a radiusd, Cistron/FreeRADIUS, the way the CHAP protocol is specified
*requires* that passwords be stored in the clear on the RADIUS server --
see <http://www.freeradius.org/faq/cistron.html#4.4>. For the voice of
authority, see section 2.2 "Disadvantages" of RFC 1994, which specifies
the CHAP protocol: <http://www.ietf.org/rfc/rfc1994.txt>. CHAP, as I
recall, is pretty widely used.

How common it is among ISPs to allow tech support to have access to such
a plaintext database, even one user id at a time, I have no idea (I've
never worked in an ISP). But I agree that it's probably a bad practice.

-- 
Steve Beattie                               Don't trust programmers?
<steve@private>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
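The CHAP point Steve raises, shown as an added example that is not part of the original thread: RFC 1994 defines the Response as MD5 over the packet Identifier, the shared secret and the Challenge, so the authenticator can only verify a response by recomputing it from the same secret bytes. A server that kept only a one-way hash of the secret has nothing to feed into that computation, which is why a CHAP-based RADIUS deployment ends up holding subscriber passwords in recoverable form. The subscriber record, secret and challenge below are constructed sample data; the RADIUS framing around CHAP is omitted and only the CHAP computation itself is shown.

```python
import hashlib
import hmac
import os

# RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge).
# The peer computes this; the authenticator recomputes it to verify, so the
# authenticator must hold the secret itself, not a hash of it.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected Response and compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample subscriber record (not from the page) in two storage styles:
# the plaintext form CHAP needs, and a hashed form like a UNIX password file holds.
PLAINTEXT_DB = {"lyle": b"correct horse battery"}
HASHED_DB = {"lyle": hashlib.sha256(b"correct horse battery").digest()}


def exchange(user: str, client_secret: bytes, server_db: dict,
             challenge: bytes = None, identifier: int = 1) -> bool:
    """One CHAP round: authenticator issues a challenge, the peer answers with
    its own copy of the secret, and the authenticator verifies against whatever
    it has stored for `user`. Returns True when the response is accepted."""
    if challenge is None:
        challenge = os.urandom(16)  # authenticator picks a fresh, unpredictable challenge
    response = chap_response(identifier, client_secret, challenge)  # peer side
    return chap_verify(identifier, server_db[user], challenge, response)  # authenticator side


def demo() -> dict:
    """Outcome of the same client authenticating against both storage styles."""
    secret = b"correct horse battery"
    return {
        "plaintext_store_accepts_correct_secret": exchange("lyle", secret, PLAINTEXT_DB),
        "plaintext_store_rejects_wrong_secret": not exchange("lyle", b"wrong", PLAINTEXT_DB),
        # The hashed store can only feed SHA-256(secret) into MD5(id||secret||challenge),
        # which never matches what a peer holding the real secret computes.
        "hashed_store_cannot_verify": not exchange("lyle", secret, HASHED_DB),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is the operational consequence the FAQ and RFC 1994 section 2.2 describe: to keep CHAP working, the authentication backend must be able to produce the secret bytes on demand, and any operator role with read access to that backend can see them. Restricting support staff to a reset-only interface, as Lyle expected, is a policy layered on top of the store rather than something the protocol provides.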
    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:05:29 PDT