Seth Arnold wrote:
>It is possible for them to not have plaintext access to your password
>and still use this authentication method -- the tech could type it into
>a text box somewhere and get a "YES/NO" response back. (Not likely, I
>fully expect them to have plaintext passwords available, but the
>possibility exists for them to Do It Correctly. :)
>
That still is not even close to correct. It has two big problems:
1. (modest problem) The service tech. now has your password. With
high probability, the user uses the same password everywhere. Much
better for the tech to reset the password to something and tell
you what it is.
2. (BIG problem) The social engineering attack. Attacker phones you
& says "I'm from tech support, and I need your password ..."
Users have been trained for years to NEVER give their password to
ANYONE, for this reason. Corrollary: tech support should never ask
for or accept a password, they should just remind the user to
never tell their password to anyone.
So the "tell me, yes/no" hack is nearly as dangerous as having full text
access to the password file.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 14:31:36 PDT