Full Disclosure mailing list archives
Re: SMC Router safe Login in plaintext
From: Justin <justin-fulldisclosure () soze net>
Date: Thu, 4 Sep 2003 13:28:58 +0000
Paul Schmehl (2003-09-04 01:09Z) wrote:
[blah blah sbcglobal and att.net are allegedly moronic]
According to the sbcglobal website, the procedure for changing a forgotten password does not include getting the old one announced over the phone. You need the telephone number of the account, last-4 of both the credit card and account number. This is not terribly good, but at least information from your old password can't be exposed even if you get this information for someone's account (and let's face it, stealing someone's sbcglobal bill and looking for cc receipts in their garbage is not rocket science.)
> Answer: they don't need to know your old password to change your password. It's called permissions, and privileged access. As root, or a privileged user, I can change anyone's password without having to know the old one.

<sarcasm mode="on">No, really? I would have never guessed.</sarcasm>

> Think about it.

OK, I thought about it. Now what do I do?
Find another job.
> BTW, when I say "tell you what your password is", what I mean is something like this, "Mr. Schmehl, your password is 1234qwer. Are you sure you're typing it right?"

Brilliant. No matter what security information is required (SSN, ISP account number, credit card number), giving out passwords leaks information. Even if a password is throw-away, giving it out to third parties is worse than allowing third parties to change it, since it gives others an idea about what form you use for throw-away passwords. It also gives a rough sense of how secure your passwords are, and what sort of passwords you might use for more and less important accounts.

People wonder why identity theft is such a problem. People aren't responsible for maintaining their identities anymore. If you don't maintain an identity (by remembering and keeping secret important bits of information), how do you expect it to be difficult for someone else to take it over? If corporate institutions don't require you to maintain an identity, nobody can maintain one recognized by corporate America. Companies have no incentive to require maintenance of identities. It hurts business, and at least financial companies are protected as long as they follow government requirements.

--
No man is clever enough to know all the evil he does. -Francois de la Rochefoucauld
Times are bad. Children no longer obey their parents, and everyone is writing a book. -Cicero

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
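The model the two posters are arguing about, a privileged reset that needs no old password versus a help desk that reads the password back, is easy to show in code. The following is an added example, not something from this thread or from any of the ISPs named in it: a password store that keeps only a salt and a PBKDF2 digest, so an operator can reset an account (issuing a random temporary password flagged for mandatory change) but has nothing to read back to the caller. The class, method and parameter names, and the work factor, are my own choices.

```python
"""Added example (not from the thread): a password store in which a privileged
operator can reset an account without knowing, or being able to read, the
current password.  Only a salt and a PBKDF2 digest are stored, so there is no
"your password is 1234qwer" to read back.  All names are illustrative."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (illustrative value)
SALT_LEN = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self.must_change: set[str] = set()                     # users on a temporary password

    def set_password(self, username: str, new_password: str) -> None:
        salt = os.urandom(SALT_LEN)                 # fresh salt on every change
        self._records[username] = (salt, _derive(new_password, salt))
        self.must_change.discard(username)

    def verify(self, username: str, candidate: str) -> bool:
        record = self._records.get(username)
        if record is None:
            _derive(candidate, b"\x00" * SALT_LEN)  # same cost for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _derive(candidate, salt))

    def user_change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Unprivileged path: the caller must prove knowledge of the current secret."""
        if not self.verify(username, old_password):
            return False
        self.set_password(username, new_password)
        return True

    def admin_reset(self, operator_is_privileged: bool, username: str) -> str:
        """Privileged path: no old password is required and none is disclosed.
        A random temporary password is issued and flagged for mandatory change."""
        if not operator_is_privileged:
            raise PermissionError("password reset requires a privileged operator")
        if username not in self._records:
            raise KeyError(username)
        temporary = secrets.token_urlsafe(12)
        self.set_password(username, temporary)
        self.must_change.add(username)
        return temporary

    def stored_record(self, username: str) -> tuple[bytes, bytes]:
        """What an operator with database access actually sees: salt and digest only."""
        return self._records[username]


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "1234qwer")           # constructed sample account
    temp = store.admin_reset(True, "alice")           # help desk resets, never reads
    print("temporary password issued:", temp)
    print("stored record:", store.stored_record("alice"))
    print("must change at next login:", "alice" in store.must_change)
```

The point of `stored_record` is the one Justin makes: even a fully privileged operator, looking straight at the database, sees nothing that could be read over the phone, so the reset path leaks neither the old password nor the user's password habits.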