For security purposes, customer service needs to see your password
-
RCN desk agent just read me my account password back. from her end. in plain text. "oh dont worry, we can't see anything on your account"
@RCNconnects @SwiftOnSecurity
#infosec #securityfail #areyoukiddingme
Replying to @lomgrim and @SwiftOnSecurity
Hello! We understand your concern. Customer security is of the highest importance to us. Agents need to see this password to verify account ownership when certain changes are requested. We will pass your feedback along. -Jackie
-
I really hope this gains some traction.
-
@JazzyJosh That's ringing bells for some reason - I'm sure there was another company that had exactly the same excuses.
A search for obvious terms isn't turning up anything...
-
@PJH said in For security purposes, customer service needs to see your password:
A search for obvious terms isn't turning up anything...
Found it:
Translation
For the sake of simplicity, individual passwords are reversibly encrypted for the customer, e.g. the e-mail passwords. This can be viewed by the customer in the customer center. Our customer service does not have access to plain text passwords. Greetings Jana K.
And on here:
News from the time:
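Added example, not part of any post in this thread and not code from either company: a sketch of how account ownership can be checked without storing the password in plaintext or reversibly encrypted, so that a support agent only ever sees a verdict. The function names, the record layout, the lockout threshold and the idea that the customer types the value into a portal or IVR are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this sketch; tune the scrypt cost for real hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
MAX_FAILURES = 3  # hypothetical lockout threshold


def _derive(secret: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow derivation (not reversible encryption)."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT)


def enroll(secret: str) -> dict:
    """Build the stored record: random salt plus hash, never the secret itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(secret, salt), "failures": 0}


def verify_for_agent(record: dict, candidate: str) -> str:
    """Check a value the customer entered; the agent console gets only the verdict."""
    if record["failures"] >= MAX_FAILURES:
        return "locked"
    # Constant-time comparison of the recomputed hash with the stored one.
    if hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"]):
        record["failures"] = 0
        return "verified"
    record["failures"] += 1
    return "locked" if record["failures"] >= MAX_FAILURES else "rejected"


def agent_console_view(record: dict) -> dict:
    """Fields a support screen may render; none of them can reveal the secret."""
    return {"credential_on_file": True, "locked": record["failures"] >= MAX_FAILURES}


if __name__ == "__main__":
    account = enroll("constructed-sample-passphrase")  # constructed sample value
    print(verify_for_agent(account, "wrong guess"))
    print(verify_for_agent(account, "constructed-sample-passphrase"))
    print(agent_console_view(account))
```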
-
For a while Sirius Radio did that (and maybe still do, I don't know). About 10 years ago I called their tech support because my username and password for the Internet radio access wasn't working. The person on the phone helpfully read out my username and password to check if that was what I was using to log in. Yikes. And that's why I always try to use my least secure password first when signing up on unimportant websites.
-
@quijibo said in For security purposes, customer service needs to see your password:
And that's why I always try to use my least secure password first
Only one? Let me guess, it's hunter2.
-
The only way to have a truly secure password is one that nobody knows. That's why I use a password manager and 63-character alphanumeric strings.
-
@ben_lubar said in For security purposes, customer service needs to see your password:
That's why I use a password manager and 63-character alphanumeric strings.
-
@ben_lubar said in For security purposes, customer service needs to see your password:
The only way to have a truly secure password is one that nobody knows.
A password that nobody knows would be a burn-before-reading password.
-
@quijibo said in For security purposes, customer service needs to see your password:
And that's why I always try to use my least secure password first when signing up on unimportant websites.
I take the opposite approach: I always try to use my most secure* password first when signing up on unimportant websites.
*...because I've never used it anywhere else.
-
@Rhywden said in For security purposes, customer service needs to see your password:
@ben_lubar said in For security purposes, customer service needs to see your password:
The only way to have a truly secure password is one that nobody knows.
A password that nobody knows would be a burn-before-reading password.
Well, it depends on whether you consider computers human. If you don't, then most password manager users use passwords that literally nobody knows.
-
@Gąska said in For security purposes, customer service needs to see your password:
@Rhywden said in For security purposes, customer service needs to see your password:
@ben_lubar said in For security purposes, customer service needs to see your password:
The only way to have a truly secure password is one that nobody knows.
A password that nobody knows would be a burn-before-reading password.
Well, it depends on whether you consider computers human. If you don't, then most password manager users use passwords that literally nobody knows.
Well, I know some of them. I've had to hand-type my Gmail password, for example, enough times that I have a fair shot at remembering it.
-
@sloosecannon if you could remember it, I'd either look for a better password generator, or a psychiatrist.
-
@Gąska said in For security purposes, customer service needs to see your password:
@sloosecannon if you could remember it, I'd either look for a better password generator, or a psychiatrist.
AFEBB01AA3. This password is burned into my memory, apparently, because it was part of the data from before the personality split event.
Good for trusted people to know, it's one of the core authentication token pieces for authorization if ever I stop remembering things and need a trusted source for guidance.
Well, maybe not anymore. We'll see what happens if that ever happens, I guess...
-
@Gąska said in For security purposes, customer service needs to see your password:
@sloosecannon if you could remember it, I'd either look for a better password generator, or a psychiatrist.
My son has entered our 20 character wifi password into enough devices that he has memorized it.
-
https://www.youtube.com/watch?v=bLE7zsJk4AI
Edit: That one is 21 characters tho....
-
@ben_lubar said in For security purposes, customer service needs to see your password:
<Image: [password] shouldn't contain [...] anything that would be in your wallet>
ERROR: Password not secure enough, number '1' was found in your wallet.
@Tsaukpaetra said in For security purposes, customer service needs to see your password:
AFEBB01AA3. This password is burned into my memory, apparently, because it was part of the data from before the personality split event.
I still remember my Windows '98 password. Most useless memory ever. Specially because it seems read-only.
-
@Flips said in For security purposes, customer service needs to see your password:
Most useless memory ever. Specially because it seems read-only.
Aren't ROMS great?
-
I'll stop by their HQ later this week for some "re-education".
-
@Flips said in For security purposes, customer service needs to see your password:
Most useless memory ever.
I still remember my grandmother's phone number. My grandmother has been dead for over 30 years.
-
@HardwareGeek said in For security purposes, customer service needs to see your password:
@Flips said in For security purposes, customer service needs to see your password:
Most useless memory ever.
I still remember my grandmother's phone number. My grandmother has been dead for over 30 years.
I still remember my Grandma's phone number because it hasn't changed since my Dad was born. (It's on a cell phone now instead of a black rotary phone, though.)
-
@Gąska said in For security purposes, customer service needs to see your password:
@sloosecannon if you could remember it, I'd either look for a better password generator, or a psychiatrist.
I need to know or have a note of at least one password, because I do need to be able to get my KeePass database from the backup somehow in the case everything goes TITSUP at some point and I lose the local files.
In my case it's my Google account password. I do have 2FA enabled, though (INB4 that bites me on the ass at some point when I manage to lose my phone or something).
-
@Onyx said in For security purposes, customer service needs to see your password:
I need to know or have a note of at least one password, because I do need to be able to get my KeePass database from the backup somehow in the case everything goes TITSUP at some point and I lose the local files.
Why not just have a physical key for that? Store your backup "password" on a USB stick or something and then put it in a fireproof safe or something.
-
@Onyx said in For security purposes, customer service needs to see your password:
I do have 2FA enabled, though (INB4 that bites me on the ass at some point when I manage to lose my phone or something).
Or have someone else convince the phone company that you lost it and the number transferred to a new phone. (And then my coworker had to change passwords on all his bank/credit cards. And change his phone number because the telco couldn't reassign it back.)
-
@ben_lubar said in For security purposes, customer service needs to see your password:
@Onyx said in For security purposes, customer service needs to see your password:
I need to know or have a note of at least one password, because I do need to be able to get my KeePass database from the backup somehow in the case everything goes TITSUP at some point and I lose the local files.
Why not just have a physical key for that? Store your backup "password" on a USB stick or something and then put it in a fireproof safe or something.
Password for what? Recovery email? Because something in a safe ain't gonna sync with my main database. Also, I have logins for servers that don't really have "send recovery email" option, it's more of a "contact the IT department in that company and ask for reset". If I need to access any of it when not at home/at the office it's way easier to be able to access my database file and use a portable version of KeePass to read it than anything else.
@dcon said in For security purposes, customer service needs to see your password:
Or have someone else convince the phone company that you lost it and the number transferred to a new phone. (And then my coworker had to change passwords on all his bank/credit cards. And change his phone number because the telco couldn't reassign it back.)
Well, they still need to know the password, but since it's not "FirstpetnameYearofbirth", and Google has at least some bruteforce prevention in place, good luck.
-
@Onyx
It is Hunter2 isn't it?
-