RE: CRIME EarthLink Password Security Story

From: Christiansen, John (SEA) (JohnC@private)
Date: Tue Jun 18 2002 - 11:20:21 PDT

Next message: Seth Arnold: "Re: CRIME EarthLink Password Security Story"

Previous message: Zot O'Connor: "CRIME Linux (sorta) Advanced Topic Talk Wed June 19th"
Maybe in reply to: Lyle Leavitt: "CRIME EarthLink Password Security Story"
Next in thread: Sarah Mocas: "Re: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Gee, given that your name is "Mike Myers" I'd have hoped you'd have been
able to log into the account of someone more interesting . . . (couldn't
resist, but there is a serious point about the potential for confusion where
there are duplicative names *and* passwords!)

-----Original Message-----
From: Myers, Mike [mailto:Mike.Myers@private-LMCO.com]
Sent: Tuesday, June 18, 2002 9:57 AM
To: CRIME
Subject: RE: CRIME EarthLink Password Security Story

Which reminds me...

The tech (AT&T contractor) who set up a cable modem for me graciously
selected "password" as my initial password.  Being fairly paranoid I went to
change it immediately upon his departure.  When I entered my name, I
mistyped it and lo and behold, I logged in...to someone else's account with
the password "password".  This was a fellow in Plano Texas with a similar
name to my own.  I had his address and phone and could have set up his
account (including email) if I'd wished...I thought about calling him but I
figured it would just confuse him...

If attbi has the plain text stored they might want to see how many of them
are "password".  I thought about trying to login as "john.smith",
"bob.jones", etc. with "password" just to see how far I could get but
decided they may have something watching failed logins and I didn't really
want to be tagged with that...

Another story for Security Focus anyone? :)

Cheers,
 - Mike.Myers@private-lmco.com

-----Original Message-----
From: MAGEE Rob [mailto:Rob.Magee@ODE-EX1.ODE.STATE.OR.US]
Sent: Tuesday, June 18, 2002 7:15 AM
To: CRIME
Subject: RE: CRIME EarthLink Password Security Story

The same policy is in force at ATTBI's support group.
Two days ago I was asked for my password.

-----Original Message-----
From: Lyle Leavitt [mailto:lylel@private]
Sent: Monday, June 17, 2002 4:38 PM
To: CRIME
Subject: CRIME EarthLink Password Security Story

FYI, the EarthLink password security story ran today at Wired News:

http://www.wired.com/news/privacy/0,1848,53208,00.html

Next message: Seth Arnold: "Re: CRIME EarthLink Password Security Story"
Previous message: Zot O'Connor: "CRIME Linux (sorta) Advanced Topic Talk Wed June 19th"
Maybe in reply to: Lyle Leavitt: "CRIME EarthLink Password Security Story"
Next in thread: Sarah Mocas: "Re: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 12:00:22 PDT