This Wired article reports that Earthlink will start allowing tech support staff to see users’ passwords. As the article points out, this means they are (or will be) storing passwords as plain text, instead of storing the encrypted hash. My question is, is this a common practice on online systems? Does vBulletin, for example, store passwords as plain text? I know UNIX stores the hash, and I sort of assumed that every system does the same thing.
The passwords won’t necessarily be stored as plaintext. Instead of a proper hash, they will likely be encrypted, then decrypted for tech personnel.
On a side note, this is a very bad idea. Tech personnel should be able to change passwords but not view them, especially with the tendency to use one password for many things (I catch myself doing that).
VERY bad idea on the part of Earthlink. Typically, tech support people are unmotivated and have no loyalty towards the company and would have no hesitation in pawning off the password. Plus, most people use their password as their password to EVERYTHING, including stuff like email and e-banking. Knowing a user’s habits and username, you could gain access to almost anything.
Ah, that makes sense. So the risk of the passwords getting stolen by hackers isn’t much higher. Still I agree it’s a bad idea.
Passwords should always be stored with a one-way encryption (like Unix (and likely NT/Win2K/XP) does). An admin should never be able to see a user’s passwords.
Unfortunately, it’s not uncommon (even with modern technology) for passwords to be stored either unencrypted or encrypted, but easily unencrypted. In fact the SDMB was hacked (last year IIRC) and an email was sent out to all users saying that the security of their passwords could not be guaranteed.
It’s a stupid idea. I can’t think of a single reason for an admin to see a password. Change it, sure. But if someone has forgotten it (even assuming there isn’t already a mechanism in place), have it generate a random password. If the user wants to use his old one, he shouldn’t have forgotten it in the first place, and can change to it later anyway.
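As an added illustration of the storage model the posts above argue for (it is not code from the thread or from any of the products named), the following stores only a salted one-way PBKDF2 hash, so a help-desk tool can reset a password but cannot read it back. The `UserStore` class and its method names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


class UserStore:
    """Constructed stand-in for an account table: username -> password record."""

    def __init__(self) -> None:
        self.records: dict = {}

    def set_password(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        return record is not None and verify_password(record, password)

    def support_reset(self, user: str) -> str:
        """All a help-desk tool needs: issue a fresh random password and store
        its hash. The old password cannot be recovered from the record."""
        temporary = secrets.token_urlsafe(12)
        self.set_password(user, temporary)
        return temporary
```

The stored record never contains the password itself, so a database dump or a support console exposes only salts and hashes.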
Extremely stupid idea. It’s not hackers that I’m worried about; it’s Earthlink’s own employees.
2RwS: WinNT SAM stores hashes only; Win2000 Active Directory stores hashes by default and has an option of storing encrypted passwords as well.
vBulletin stores its passwords in plaintext in the database. Dumb.