RE: CRIME EarthLink Password Security Story

From: Myers, Mike (Mike.Myers@private-LMCO.com)
Date: Tue Jun 18 2002 - 09:57:03 PDT

  • Next message: Zot O'Connor: "CRIME Linux (sorta) Advanced Topic Talk Wed June 19th"

    Which reminds me...
    
    The tech (AT&T contractor) who set up a cable modem for me graciously
    selected "password" as my initial password.  Being fairly paranoid I went to
    change it immediately upon his departure.  When I entered my name, I
    mistyped it and lo and behold, I logged in...to someone else's account with
    the password "password".  This was a fellow in Plano Texas with a similar
    name to my own.  I had his address and phone and could have set up his
    account (including email) if I'd wished...I thought about calling him but I
    figured it would just confuse him...
    
    If attbi has the plain text stored they might want to see how many of them
    are "password".  I thought about trying to login as "john.smith",
    "bob.jones", etc. with "password" just to see how far I could get but
    decided they may have something watching failed logins and I didn't really
    want to be tagged with that...
    
    Another story for Security Focus anyone? :)
    
    Cheers,
     - Mike.Myers@private-lmco.com
    
    
    -----Original Message-----
    From: MAGEE Rob [mailto:Rob.Magee@ODE-EX1.ODE.STATE.OR.US]
    Sent: Tuesday, June 18, 2002 7:15 AM
    To: CRIME
    Subject: RE: CRIME EarthLink Password Security Story
    
    
    The same policy is in force at ATTBI's support group.
    Two days ago I was asked for my password.
    
    -----Original Message-----
    From: Lyle Leavitt [mailto:lylel@private]
    Sent: Monday, June 17, 2002 4:38 PM
    To: CRIME
    Subject: CRIME EarthLink Password Security Story
    
    
    FYI, the EarthLink password security story ran today at Wired News:
    
    http://www.wired.com/news/privacy/0,1848,53208,00.html
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 11:00:09 PDT