Seth Arnold wrote:
> It is possible for them to not have plaintext access to your password
> and still use this authentication method -- the tech could type it into
> a text box somewhere and get a "YES/NO" response back. (Not likely, I
> fully expect them to have plaintext passwords available, but the
> possibility exists for them to Do It Correctly. :)
>

That still is not even close to correct. It has two big problems:

1. (modest problem) The service tech. now has your password. With high
probability, the user uses the same password everywhere. Much better for
the tech to reset the password to something and tell you what it is.

2. (BIG problem) The social engineering attack. Attacker phones you & says
"I'm from tech support, and I need your password ..." Users have been
trained for years to NEVER give their password to ANYONE, for this reason.
Corollary: tech support should never ask for or accept a password; they
should just remind the user to never tell their password to anyone.

So the "tell me, yes/no" hack is nearly as dangerous as having full text
access to the password file.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 14:31:36 PDT