[OT] Security question

Marko Rauhamaa marko at pacujo.net
Fri Dec 30 06:56:46 EST 2016


Anssi Saari <as at sci.fi>:

> "Frank Millman" <frank at chagford.com> writes:
>> To my surprise, they sent me my existing username *and* my existing
>> password, all in clear text.
>
> I'd say it depends on what the password is actually used for. You seem
> to indicate it's just so you can access the internet? To me it seems
> abusing that password is hard to impossible since it's your fibre to
> your home. If the password is used for access control for anything
> then it's an awful practice.

The message to take home is that whenever you are faced with a password
prompt, the recipient can do with the password whatever they want. You
should assume the worst. The password will be stored in the clear and
all employees of the recipient have free access to it. Also, there's a
high likelihood that the credentials will leak outside the organization.


Marko

