Whoa! Mike, you found another sore spot.

I did a Google search for attbi.+com + portland

I selected several email addresses from the results. I then tried logging into their email with password as the password. Sure enough I got in 2 out of the 8 that I tried.

I have contacted a local TV station about this problem. I figure these users that have never bothered changing their password are obviously not reading Security Focus. Maybe I can get their attention on the 11 o'clock news. Maybe I need a commercial spot during the Simpsons.

This is turning into a full-time campaign.

-Lyle

"Myers, Mike" wrote:
>
> Which reminds me...
>
> The tech (AT&T contractor) who set up a cable modem for me graciously
> selected "password" as my initial password. Being fairly paranoid I went to
> change it immediately upon his departure. When I entered my name, I
> mistyped it and lo and behold, I logged in...to someone else's account with
> the password "password". This was a fellow in Plano Texas with a similar
> name to my own. I had his address and phone and could have set up his
> account (including email) if I'd wished...I thought about calling him but I
> figured it would just confuse him...
>
> If attbi has the plain text stored they might want to see how many of them
> are "password". I thought about trying to login as "john.smith",
> "bob.jones", etc. with "password" just to see how far I could get but
> decided they may have something watching failed logins and I didn't really
> want to be tagged with that...
>
> Another story for Security Focus anyone? :)
>
> Cheers,
> - Mike.Myers@private-lmco.com
>
> -----Original Message-----
> From: MAGEE Rob [mailto:Rob.Magee@ODE-EX1.ODE.STATE.OR.US]
> Sent: Tuesday, June 18, 2002 7:15 AM
> To: CRIME
> Subject: RE: CRIME EarthLink Password Security Story
>
> The same policy is in force at ATTBI's support group.
> Two days ago I was asked for my password.
>
> -----Original Message-----
> From: Lyle Leavitt [mailto:lylel@private]
> Sent: Monday, June 17, 2002 4:38 PM
> To: CRIME
> Subject: CRIME EarthLink Password Security Story
>
> FYI, the EarthLink password security story ran today at Wired News:
>
> http://www.wired.com/news/privacy/0,1848,53208,00.html

This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 05:16:12 PDT