From the design perspective, I've had clients that demand both (different clients). Since some users see it as a shell game, they don't want you to pretend that you can't get to it (sniffers, backup, crack, file access, and other ways smart guys can figure it out). Some users, however, want the assurance that there are procedures in place that don't allow admin and customer service to view the password. These service providers tend to focus on more sophisticated users who also realize the employees could get the passwords if they had access (like most of this audience). Since most of the good places have also done background investigations on those touching critical information and may even bond those employees, some see this as overkill, others as part of the structure necessary to deliver a good product. Either way there's a social engineering aspect: someone can call and prevent you from gaining access to your information, if not take over the account. Bottom line is that neither showing nor hiding tells you whether you are safe from hackers or rogue employees; they are just trying to give you the service you expect.

Kim

I still remember when Unix geeks were offended when there were passwords on a system.

----- Original Message -----
From: "Lyle Leavitt" <lylel@private>
To: "CRIME" <crime@private>
Sent: Tuesday, June 11, 2002 5:13 PM
Subject: CRIME ISP Password Security Practices at Earthlink

>
> I recently discovered during a tech support call that my ISP
> (Earthlink - one of the largest in the US) has a practice regarding
> passwords which I find alarming. The technicians and other service
> personnel have full visibility to the passwords on my accounts. Is
> this a common practice among ISPs? My past experience has been that
> network personnel have the ability to reset passwords but not openly
> view them. Nowhere in their privacy statements does it explain this
> practice.
>
> Doesn't this leave them open for liability if a disgruntled
> Earthlink employee should decide to take advantage of this access in
> order to create problems for a lot of accounts or to profit by
> selling the passwords to someone else like a competitor?
>
> Any comments?
>
> Lyle Leavitt
>
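The distinction Lyle draws, staff who can reset a password but cannot view it, comes down to how the password is stored. The following is an added illustration written for this archive page, not code from Earthlink, Kim, or Lyle. It keeps only a salted PBKDF2 hash of each password, so a technician querying the account table sees the hash record rather than the password, yet can still verify a login or issue a one-time temporary password on reset. The `AccountStore` class, the hypothetical user `lyle`, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Work factor for PBKDF2; an assumption for this example, tune to your hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the parameters beside the hash lets the work factor be raised later
    without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


class AccountStore:
    """Constructed in-memory account table standing in for an ISP's user database."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def create(self, username: str, password: str) -> None:
        # Only the hash record is ever written; the password itself is discarded.
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        return record is not None and verify_password(password, record)

    def support_view(self, username: str) -> Optional[str]:
        # What a technician with read access to the table can see: the hash
        # record, not the password (this is the 'reset but not view' model).
        return self._records.get(username)

    def support_reset(self, username: str) -> str:
        # Reset works by replacing the record with the hash of a random
        # temporary password, which is shown once to the customer and never stored.
        temp_password = secrets.token_urlsafe(12)
        self._records[username] = hash_password(temp_password)
        return temp_password


if __name__ == "__main__":
    store = AccountStore()
    store.create("lyle", "correct horse battery")  # constructed sample account
    print("login ok:", store.login("lyle", "correct horse battery"))
    print("support sees:", store.support_view("lyle"))
    print("temporary password after reset:", store.support_reset("lyle"))
```

The hash record is what a backup, a database dump, or a curious technician would expose; it still has to be cracked offline, which is why the salt and iteration count matter. Kim's point stands either way: this protects against casual viewing, not against an insider who can alter the login path or sniff the password in transit.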
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 14:25:50 PDT