"Chris Angelico" wrote in message
news:CAPTjJmoQK39EU=m3w1zr8xa7myv42kyn4mxprgqmye4rga+...@mail.gmail.com...
On Thu, Dec 22, 2016 at 8:39 PM, Frank Millman <fr...@chagford.com> wrote:
> To my surprise, they sent me my existing username *and* my existing
> password, all in clear text.
>
Your concerns are entirely valid. Somehow, the information of your
password got sent to you, which means that anyone who can "reach in"
at some point between where it's stored and where it's sent can leech
everyone's passwords. Game over.
If they were sending you a *new* password ("we have generated this
password, please log in and change it"), then it would be entirely
acceptable - a mobile phone text message is a decent out-of-band way
to deliver that kind of information. But to have your existing
password? No sir, no thank you, I will have none of that.
Name and shame the ISP. This kind of thing is insidious (because
usually nobody will know until it's way, WAY too late) and extremely
dangerous. Call them out on it.
Thanks, Chris, good to know I am not going mad!
What about the second part of my query? Is it acceptable that they keep
passwords on their system in clear text?
From my first encounter with Unix over 30 years ago I was impressed with the
fact that no passwords are stored in clear text. Even with my own little
accounting system, I only store the SHA-1 hash of the password. I cannot
imagine why anyone would think that this is a good idea.
The ISP is MWEB, one of the biggest service providers in South Africa, with
(I guess) millions of users.
If this is the standard of security out there, it is no wonder we hear of so
many attacks (and how many don't we hear of?).
Frank
--
https://mail.python.org/mailman/listinfo/python-list
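An added example, not code from the thread or from Frank's accounting system, of the principle Frank raises (the server keeps only a hash, never the clear text): a random per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256) instead of a bare SHA-1 digest, constant-time verification, and transparent re-hashing of an existing unsalted SHA-1 record at the user's next successful login. The function names, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread: the server stores only a salted,
# iterated hash, so the record can be neither mailed back to the user nor read
# off disk as the password. Iteration count is an assumption; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute from the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_legacy_sha1(record):
    """A bare 40-hex-digit record is an unsalted SHA-1 digest of the password."""
    return len(record) == 40 and all(c in "0123456789abcdef" for c in record.lower())


def login(store, username, password):
    """Check `password` against the dict `store` (username -> record); a legacy
    unsalted SHA-1 record is re-hashed with salt and PBKDF2 on successful login."""
    record = store.get(username)
    if record is None:
        return False
    if is_legacy_sha1(record):
        legacy = hashlib.sha1(password.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(legacy, record.lower()):
            return False
        store[username] = hash_password(password)  # transparent upgrade
        return True
    return verify_password(password, record)
```

Because the salt, iteration count and algorithm live in the record itself, the work factor can be raised later without a forced password reset: old records keep verifying and are rewritten on the next login.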