| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: justin-fulldisclosure at soze.net (Justin) Subject: SMC Router safe Login in plaintext Paul Schmehl (2003-09-04 01:09Z) wrote: > [blah blah sbcglobal and att.net are allegedly moronic] According to the sbcglobal website, the procedure for changing a forgotten password does not include getting the old one announced over the phone. You need the telephone number of the account, last-4 of both the credit card and account number. This is not terribly good, but at least information from your old password can't be exposed even if you get this information for someone's account (and let's face it, stealing someone's sbcglobal bill and looking for cc receipts in their garbage is not rocket science.) > >Answer: they don't need to know your old password to change your password. > >It's called permissions, and privileged access. As root, or a priveleged > >user, I can change anyone's password without having to know the old one. > > > <sarcasm mode="on">No, really? I would have never guessed.</sarcasm> > > >Think about it. > > OK, I thought about it. Now what do I do? Find another job. > BTW, when I say "tell you what your password is", what I mean is something > like this, "Mr. Schmehl, your password is 1234qwer. Are you sure you're > typing it right?" Brilliant. No matter what security information is required (SSN, isp account number, credit card number), giving out passwords leaks information. Even if a password is throw-away, giving it out to 3rd parties is worse than allowing third parties to change it, since it gives others an idea about what form you use for throw-away passwords. It also gives a rough sense of how secure your passwords are, and what sort of passwords you might use for more and less important accounts. People wonder why identity theft is such a problem. People aren't responsible for maintaining their identities anymore. If you don't maintain an identity (by remembering and keeping secret important bits of information), how do you expect it to be difficult for someone else to take it over? If corporate institutions don't require you to maintain an identity, nobody can maintain one recognized by corporate america. Companies have no incentive to require maintenance of identities. It hurts business, and at least financial companies are protected as long as they follow government requirements. -- No man is clever enough to Times are bad. Children no longer know all the evil he does. obey their parents, and everyone -Francois de la Rochefoucauld is writing a book. -Cicero
Powered by blists - more mailing lists