[OT] Security question

Frank Millman frank at chagford.com
Thu Dec 22 05:10:40 EST 2016


"Chris Angelico"  wrote in message 
news:CAPTjJmoQK39EU=M3w1zr8Xa7MYv42KYN4mXPRgQMye4rGa+X4A at mail.gmail.com...
>
> On Thu, Dec 22, 2016 at 8:39 PM, Frank Millman <frank at chagford.com> wrote:
> > To my surprise, they sent me my existing username *and* my existing
> > password, all in clear text.
> >
>
> Your concerns are entirely valid. Somehow, the information of your
> password got sent to you, which means that anyone who can "reach in"
> at some point between where it's stored and where it's sent can leech
> everyone's passwords. Game over.
>
> If they were sending you a *new* password ("we have generated this
> password, please log in and change it"), then it would be entirely
> acceptable - a mobile phone text message is a decent out-of-band way
> to deliver that kind of information. But to have your existing
> password? No sir, no thank you, I will have none of that.
>
> Name and shame the ISP. This kind of thing is insidious (because
> usually nobody will know until it's way, WAY too late) and extremely
> dangerous. Call them out on it.
>

Thanks, Chris, good to know I am not going mad!

What about the second part of my query? Is it acceptable that they keep 
passwords on their system in clear text?

From my first encounter with Unix over 30 years ago I was impressed with the 
fact that no passwords are stored in clear text. Even with my own little 
accounting system, I only store the SHA-1 hash of the password. I cannot 
imagine why anyone would think that this is a good idea.

The ISP is MWEB, one of the biggest service providers in South Africa, with 
(I guess) millions of users.

If this is the standard of security out there, it is no wonder we hear of so 
many attacks (and how many don't we hear of?).

Frank
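The point both posters make is that a provider should hold only something derived from the password, never the password itself. The following is an added illustration, not code from either poster: a storage record built from a salted PBKDF2-SHA256 digest, the verify step that works from that record alone, and the unsalted SHA-1 approach mentioned above shown beside it (the iteration count is an assumed work factor).

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; tune for the hardware in use.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """Build what the server stores: algorithm, parameters, salt and digest.

    The password itself is not part of the record, so there is nothing
    on the server that could be mailed back to the user in clear text.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"alg": "pbkdf2_sha256", "iter": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest from the candidate password and the stored
    salt/parameters, then compare in constant time."""
    if record.get("alg") != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password, as described in the post above.

    Two users with the same password get the same stored value, and the
    digest is fast to compute; a per-user salt and a slow derivation
    (as in make_record) remove both properties.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")   # constructed sample
    print("stored record:", rec)
    print("login ok:", verify("correct horse battery staple", rec))
    print("wrong password:", verify("incorrect horse", rec))
```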