[OT] Security question
rosuav at gmail.com
Thu Dec 22 04:49:46 EST 2016
On Thu, Dec 22, 2016 at 8:39 PM, Frank Millman <frank at chagford.com> wrote:
> To my surprise, they sent me my existing username *and* my existing
> password, all in clear text.
>
> Thank you for taking the time to contact [...] Technical Mail Support.
> I understand the importance of your password inquiry and will gladly assist.
> Please note our Password protocols are secured via OTP.
> This means nobody else can register or request your password as it will only
> be sent to the cellphone number we have registered for the OTP service on
> our side.
> If somebody else requests a reminder of the password, it will be sent to
> your cellphone as your number is registered for the OTP service.
> I hope this clarifies the matter.
>
> They did not comment on the second part of my query.
>
> Does their reply sound reasonable, or are my concerns valid?

Your concerns are entirely valid. Somehow, the information of your
password got sent to you, which means that anyone who can "reach in"
at some point between where it's stored and where it's sent can leech
everyone's passwords. Game over.

If they were sending you a *new* password ("we have generated this
password, please log in and change it"), then it would be entirely
acceptable - a mobile phone text message is a decent out-of-band way
to deliver that kind of information. But to have your existing
password? No sir, no thank you, I will have none of that.

Name and shame the ISP. This kind of thing is insidious (because
usually nobody will know until it's way, WAY too late) and extremely
dangerous. Call them out on it.
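
The distinction drawn above (a "reminder" of the existing password versus a freshly generated one to be changed at next login) in code, as an added example that is not part of the thread; the `PasswordStore` class, its PBKDF2 parameters and the sample username are assumptions for illustration:

```python
import hashlib
import hmac
import os
import secrets


class PasswordStore:
    """Hypothetical store that keeps only salted PBKDF2 hashes.

    Because the clear-text password is never stored, there is nothing for a
    "reminder" feature to send: whoever "reaches in" to the database gets hashes,
    not everyone's passwords.
    """

    def __init__(self):
        self._users = {}  # username -> (salt, hash, must_change)

    @staticmethod
    def _hash(password, salt):
        # Assumed parameters: PBKDF2-HMAC-SHA256, 200k iterations.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username, password, must_change=False):
        salt = os.urandom(16)  # fresh per-user salt on every change
        self._users[username] = (salt, self._hash(password, salt), must_change)

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored, _ = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def must_change(self, username):
        return self._users[username][2]

    def remind(self, username):
        # The ISP's "send me my existing password" flow cannot exist here.
        raise TypeError("existing password is not recoverable from its hash")

    def reset(self, username):
        """The acceptable flow: generate a NEW temporary password, flag the
        account so it must be changed at next login, and hand the value to the
        caller for out-of-band delivery (e.g. SMS). It is never stored in clear."""
        temp = secrets.token_urlsafe(12)
        self.set_password(username, temp, must_change=True)
        return temp
```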