[OT] Security question
Frank Millman
frank at chagford.com
Thu Dec 22 05:10:40 EST 2016
"Chris Angelico" wrote in message
news:CAPTjJmoQK39EU=M3w1zr8Xa7MYv42KYN4mXPRgQMye4rGa+X4A at mail.gmail.com...
>
> On Thu, Dec 22, 2016 at 8:39 PM, Frank Millman <frank at chagford.com> wrote:
> > To my surprise, they sent me my existing username *and* my existing
> > password, all in clear text.
> >
>
> Your concerns are entirely valid. Somehow, the information of your
> password got sent to you, which means that anyone who can "reach in"
> at some point between where it's stored and where it's sent can leech
> everyone's passwords. Game over.
>
> If they were sending you a *new* password ("we have generated this
> password, please log in and change it"), then it would be entirely
> acceptable - a mobile phone text message is a decent out-of-band way
> to deliver that kind of information. But to have your existing
> password? No sir, no thank you, I will have none of that.
>
> Name and shame the ISP. This kind of thing is insidious (because
> usually nobody will know until it's way, WAY too late) and extremely
> dangerous. Call them out on it.
>
Thanks, Chris, good to know I am not going mad!
What about the second part of my query? Is it acceptable that they keep
passwords on their system in clear text?
From my first encounter with Unix over 30 years ago I was impressed with the
fact that no passwords are stored in clear text. Even with my own little
accounting system, I only store the SHA-1 hash of the password. I cannot
imagine why anyone would think that this is a good idea.
The ISP is MWEB, one of the biggest service providers in South Africa, with
(I guess) millions of users.
If this is the standard of security out there, it is no wonder we hear of so
many attacks (and how many don't we hear of?).
Frank
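The storage practice Frank contrasts with clear text, as an added example that is not part of the original thread: an unsalted SHA-1 digest beside a salted, iterated PBKDF2-HMAC record with constant-time verification, showing why a record of the second form can only be checked, never turned back into the password a "forgot password" flow could mail out. The iteration count, salt length and sample users are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length are assumptions chosen for this example,
# not values from the thread.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def sha1_digest(password: str) -> str:
    """Unsalted SHA-1 of the password. Identical passwords give identical
    digests, so a stored digest can be looked up in a precomputed table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable 'pbkdf2_sha256$iterations$salt_hex$key_hex' string.
    Only the salt and the derived key are kept; the password itself is not."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the key from the candidate password and the stored salt,
    then compare in constant time. Malformed or foreign records fail closed."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    print("unsalted SHA-1:", {u: sha1_digest(p) for u, p in users.items()})
    records = {u: make_record(p) for u, p in users.items()}
    print("salted PBKDF2:", records)
    print(verify("correct horse", records["alice"]), verify("wrong", records["bob"]))
```

With the unsalted digest the two users' entries are identical, so one cracked entry exposes both; the PBKDF2 records differ per user and a check can only answer yes or no.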