Changing Customers' Passwords Without Consent
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
What worries me more is that they are storing the passwords in plaintext.
Umm, how come admins can read passwords? Aren't they salted and hashed? WTF!!!
Does UK law cover "sexual harassment"? Employers in the USA have to worry about defending themselves against claims of sexual harassment, which can be quite broadly construed, even when a customer is the source of the alleged harassment. Anything that someone, somewhere, finds offensive, can be evidence of a "hostile work environment".
My hovercraft is full of eels.
From TFA:
A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not"
They can't store that clear text if they want to verify it.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
but that's just me
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
I apologize for the shortness of digital temper, I just quit smoking
I'm sorry to hear that your fingers are so testy. Maybe you could hold a pen between them?
Anywho, I'm thinking this is a voice challenge and response with the live telephone customer service agent. They'd pretty much have to have that in plaintext. Hopefully they also use a long PIN number that's stored as a hashed value.
My slashdot password is "digg sucks shit". And they haven't changed it yet.
It's Lloyd's, not Llyod's. Thanks.
In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)
This doesn't speak well for the state of British underwear, but whatever.
Prisencolinensinainciusol. Ol Rait!
Since when does staff have unfettered access to user passwords? The absolute most that the help desk can do is reset the thing, not view it.
Seriously - they got bigger problems than being insulted via password if the friggin' help desk can call up passwords at will and whim.
How long, Nimbus, will you go on abusing our patience?
Shit.
Engineering is the art of compromise.
eBay did this for me: Changed my password.
Meg Whitman is a crook.
I read the article and it only reports half the story.
Sure he tells us all about his password and what he is using. But what was his account name?
Modding me -1 troll doesn't make me wrong.
You do if it's a telephone banking password
I called in and asked,"Can you give me my password?"
Him "Ok give us your information."
Me: I gave him my information.
Him"You want your password now?"
Me:"Yes please."
Him,"Biteme."
Me:"What?"
Him,"Biteme is your password."
Me,"Oh... Thanks..."
I made a mental note,"Do not make passwords that will embarrass me if I have to call in the phone"
God spoke to me.
Which is the same in Australia. If I ring telephone banking they ask me for my password, which they can plainly see (I know, because I forgot it once and they told me I was one character out as a gentle "reminder"). It does seem absurd that my slashdot password is probably more secure than my banking "password". Note that the telephone banking password is different to my online banking password, which appears to be stored encrypted--as it should be (note that I cannot verify this as I do not work for a bank, but my anecdotal evidence confirms it).
...that neither the submitter nor the editor (samzenpus) are able to spell the word 'Lloyds', despite it appearing a number of times in the original article.
Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.
Tubal-Cain smokes the white owl.
for people questioning why the bank has your password in plaintext, this is because in the UK they have ALL your info in plain text.
Your complete credit card details including 3 digit security code on the back.
Your complete address, maiden name, old addresses etc etc.
They use all of this info to verify who you are before they tell you anything about your account, so you ring up and say "Can I see my balance", and they ask for random bits of the stored info.
You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.
Hey, if it's data stored in my databases, I'll do whatever I please with it.
Mr. Yorkshire Bank Plc Are Fascist Bastards was able to get a judge to order Yorkshire Bank to issue him a cheque payable to his full name.
--
E_NOSIG
My Dearly Beloved Lloyds customers.
I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.
Thank you sincerely for your cooperation.
Mrs Mariam Abacha, Lagos, Nigeria
When the small dial-up ISP I subscribed to went bust and the liquidators sold the customer base to OzEmail (technically sold a recommendation to migrate to OzEmail) without requiring them to offer identical plans, I voted with my feet and signed up with a competitor with the username 'ozemailisshit'.
When I called up for help/account enquiries at my new ISP I invariably had the phone staff in stitches. About one month after registering I got a call from an administrator asking me if I was using the email address (ozemailisshit@someoneelse.com.au) for business and/or public display - in which case they would request I change it - but I was not and so they allowed me to keep it.
Who changed my password?
The customer does not own his password. As its purpose is to allow access to the services the company provides it is the property of the company. Of course changing it like that was a stupid and childish thing for an employee to do.
Heh, luckily I've never had problems. My password reminders (one which I use for my ISP, who use it to authenticate who I am), is usually something along the lines of...
Who the hell uses password reminders anyway, like come on, isn't there a better way?
So I need to say a line like this every time I talk to them, it often gets a bit of a laugh and provides the call with a little levity.
"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."
I would have then asked for it to be changed to bollox and then proceeded with increasingly vulgar suggestions. Fanny would be a good choice.
Me lost me cookie at the disco.
He should let them set his password to whatever they please . . . for as long as it takes him to clear his money out of there and into another bank.
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
A software algorithm that uses a randomizer would do a better job than the slashdot "editors" in many cases.
2 minutes of effort before posting would fix 90% of the problems most of the time.
Heh. Truly a RTFA moment....They can't store that clear text if they want to verify it.
I read the article. You miss the point. You don't "verify the password". Not over the phone, or over the computer. You verify your identity and reset the password. That's the way good security systems work.
And how do you verify your identity over the phone? With some sort of pre-shared secret. Such as a password.
New pass: "Gagged" It meets the no more than 6 letters condition.
Loyds is Pants? Just what the hell is that supposed to mean? Those Brits really ought to switch their swearing (and spelling!) over to American standards (lest they look foolish to an American audience). Who do they think they are, the inventors of the language or something?
Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).
One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties. He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.
You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone
"Ummm, uh, it's fuckyou2dickhead."
I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.
He gave a huge sigh of relief.
Um, what? What kind of writer doesn't know how to use the possessive "its"? It's "rears its ugly head."
Linden did that to me with my Second Life account, after a crack of their server in 2006 IIRC. They told customers to answer a few questions about who their friends were etc to get their passwords back. I had been there only a few days and I didn't know how to spell my friends' names. Thanks to their crappy customer service I never could log back in. Luckily I didn't have a paid account. I was pretty angry at them, and rightly so I believe. It's very inconsiderate to change customers' passwords without their consent. They did it to protect their customers and I understand that, but I guess I was not the only one who was forced to make a new account.
-- Cheers!
Nice to see the editors have a chance to post AC style. Carry on. I'm sure this practice with grammar will improve the proofreading for the next article.
They have a total disregard for security by allowing the support staff to read the passwords.
The customer support people there have a horrific culture of ridiculing their customers. Nasty.
The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.
I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Anyway, what can I say? one typo and one cut and paste (without enough proof-reading) and voilà! one /. submission.
The power of Ego!
This is a multi-billion dollar company. They, along with all the other banks, own Everything. --Correction; they lent the money needed to purchase Everything, and now are owed it all back with interest. God couldn't even pay that bill!
So, poor, poor Lloyds can't handle it when the slaves mutter amongst themselves? Geez! And that's it right there; the same petty fear of Everything (including the most harmless of school-yard slurs), drives their desire to control Everything. Pathetic.
-FL
Your banking auth code isn't necessarily stored as plaintext in the DB. Amazon has my credit card number stored, and I'll be damned if it's in there as 3723-7... I mean, yeah. Anyways, it's in there via a 2-way encryption algorithm - functionally identical to how SSL works, even if the methods involved are completely different.
Now of course I have no way of knowing if they store the phone-in verification codes in some sort of encrypted form, but just because someone at the bank can read it doesn't mean it's STORED as plaintext, it just means it's NOT stored after being put through a one-way hash (md5, sha1, etc). But that's just as true in your bank's DB as on Slashdot's as on that cobbled-together inventory logging system I made a couple years back for a small biz project. If you didn't have a hand in building the system, and said system isn't open-source, you just have to hope and assume that they've done things with a reasonable degree of security. (FWIW I did encrypt the passwords in that thing, even if the rest of the system was clumsy as hell)
How are sites slashdotted when nobody reads TFAs?
PIN number
Yes, a Personal Identification Number number. Is that long enough?
I don't get the person who moderated the parent posting, how on earth was that Trolling? Whoever moderated is off their rocker.
When I tell people about passwords I always tell them that they need to use a NEW password with each service in case the people at that web site/company look at the password and then use it in identity theft. This makes your privacy more secure. Just don't leave the password information out in the open...
Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.
All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.
And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.
Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.
On the other hand, dual-key cryptography is rather good for security.
It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.
Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)
You enter in the passphrase for your private key. You enter the response back into your website, whatever.
Weaknesses? Not many.
1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.
2) You can use your doohickey thru the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter challenge into doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without doohickey, he can't do anything more.
3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.
Doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (EG: Wife's middle name, the street you were born on, etc)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
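The challenge-response token sketched in the post above, written out as an added example (this is editor-added code, not something any poster or bank published). The key pair is a deliberately tiny textbook RSA pair built from two 32-bit primes so the arithmetic is visible; a real token would hold a 2048-bit RSA or an Ed25519 key, and the passphrase that unlocks the stored private key is left out. The `Server` class, the user name and the challenge size are assumptions for the demonstration.

```python
import hashlib
import secrets

# Toy RSA parameters: p = 2^32 - 5 and q = 2^32 - 17 are prime, giving a
# 64-bit modulus. Far too small for real use; chosen only so the example runs
# instantly and the numbers fit on screen.
P = 4294967291
Q = 4294967279
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _challenge_as_int(challenge: bytes, n: int) -> int:
    # Hash the challenge so its length does not matter, then reduce mod n.
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def token_respond(private_key, challenge: bytes) -> int:
    """What the 'doohickey' does: sign the challenge with the private key."""
    n, d = private_key
    return pow(_challenge_as_int(challenge, n), d, n)


def server_verify(public_key, challenge: bytes, response: int) -> bool:
    """What the website does: check the response using only the public key."""
    n, e = public_key
    return pow(response, e, n) == _challenge_as_int(challenge, n)


class Server:
    """Holds the user's public key and one outstanding challenge per user."""

    def __init__(self, public_key):
        self.public_key = public_key      # useless for forging responses
        self.pending = {}

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def login(self, user: str, response: int) -> bool:
        challenge = self.pending.pop(user, None)  # single use: no replay
        if challenge is None:
            return False
        return server_verify(self.public_key, challenge, response)


def demo() -> tuple:
    """Relayed login succeeds once; replaying the response later fails."""
    public_key, private_key = generate_keypair()
    bank = Server(public_key)

    # Son-in-law reads the challenge over the phone, the owner keys it into
    # the token and reads back the response, son-in-law types it in.
    challenge = bank.new_challenge("alice")
    response = token_respond(private_key, challenge)
    first_login_ok = bank.login("alice", response)

    # Next visit: a fresh challenge, so the remembered response is worthless.
    bank.new_challenge("alice")
    replay_ok = bank.login("alice", response)
    return first_login_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

Nothing the bank stores (the public key and a spent challenge) lets an insider log in as the customer, which is the property the post is after; the weak point that remains is physical loss of the token, handled by the passphrase the post mentions and by re-enrolling a new public key.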
Changing customers password without consent?
That sounds a bit like this guy: BOFH
"I find your lack of faith disturbing"
Even in the US, I believe "Lloyd" is the usual form of this name. TFA (the BBC) of course spells it correctly, and includes a photo of the bank's logo.
..try "Lloyds ist toten hosen"
They probably won't change that one.
My bank asks me the jth and kth letters of my password and never (and corresponds regularly to tell me so) asks for my complete password. Whilst this suggests that they do have the plain text stored on their system, could one devise a system that encrypted each letter of the password in some way that did not compromise the security of the stored hashes any more than the original hash?
Assuming a "strong" 8 letter password and two letters for verification it means that there is a 1 in 676 chance of a client guessing correctly in a single operator/client session. Not an unreasonable risk given the security that could be built into the session to avoid brute strength attacks.
I am having a bit of a think about it and I can think of a couple of techniques, but I am not sure that they are worthwhile. For example;
Just store all the encrypted pairs (NC2) where N is password length; assuming 8 characters, only 28 combinations. Can these be stored without compromising the crackability of the whole password? I guess it would but by how much is a bit beyond my thumbnail calculating ability. Or;
Can we build a sufficiently strong transposition cypher so that we can compare specific letter positions encrypted without knowledge of the other letters?
My other bank uses SMS messages with one time codes to do verification. That seems to be very effective.
"The first thing to do when you find yourself in a hole is stop digging."
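An added worked check of the "store the 28 pairs hashed" idea from the post above (editor-added example, not code from any poster or bank). It enrolls an 8-letter lowercase password as one salted SHA-256 per position pair, verifies a pair the way an operator's screen would, and then plays the insider with a copy of the table: every pair digest has only 26 x 26 = 676 candidates, so the whole password falls out of an offline search that is smaller than the one-session guessing odds the post accepts. The salt length, digest construction and sample password are assumptions.

```python
import hashlib
import itertools
import secrets
import string

ALPHABET = string.ascii_lowercase   # the post's "1 in 676" assumes 26 letters


def _pair_hash(salt: bytes, j: int, k: int, a: str, b: str) -> str:
    # One salted digest per (position j, position k, letter a, letter b).
    return hashlib.sha256(salt + bytes([j, k]) + (a + b).encode()).hexdigest()


def enroll(password: str) -> dict:
    """Store hashes of letter pairs only, one per combination of positions."""
    salt = secrets.token_bytes(8)
    pairs = {
        (j, k): _pair_hash(salt, j, k, password[j], password[k])
        for j, k in itertools.combinations(range(len(password)), 2)
    }
    return {"salt": salt, "length": len(password), "pairs": pairs}


def verify_pair(record: dict, j: int, k: int, a: str, b: str) -> bool:
    """The operator asks for letters j and k and types what the caller says."""
    return record["pairs"][(j, k)] == _pair_hash(record["salt"], j, k, a, b)


def crack(record: dict) -> tuple:
    """Offline attack on a dumped record: brute-force each pair on its own.

    Returns (recovered_password, number_of_hash_guesses)."""
    recovered = [None] * record["length"]
    guesses = 0
    for (j, k), digest in record["pairs"].items():
        if recovered[j] is not None and recovered[k] is not None:
            continue                        # both letters already known
        for a, b in itertools.product(ALPHABET, repeat=2):
            guesses += 1
            if _pair_hash(record["salt"], j, k, a, b) == digest:
                recovered[j], recovered[k] = a, b
                break
    return "".join(recovered), guesses


def full_search_space(length: int) -> int:
    """Guesses needed against a single salted hash of the whole password."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    record = enroll("pantsbad")            # constructed sample password
    print(verify_pair(record, 2, 5, "n", "b"))
    password, guesses = crack(record)
    print(password, guesses, "guesses vs", full_search_space(8), "for one whole-password hash")
```

Each pair digest leaks two letters for at most 676 hash evaluations, and once position 0 is known every remaining position costs one more pair, so the 8-letter password is recovered in under 7 x 676 guesses against 26^8 for a whole-password hash. A slow KDF per pair multiplies that by a constant and does not change the picture; the partial-letter scheme only makes sense if the stored form is treated as equivalent to plaintext and protected accordingly.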
They should have allowed him/her to set this password as this is a password and needs to be kept secret! Now they are not passwords and the whole world knows about them :)
haha!
At TD Canada Trust, they have an excellent web interface, where you can customize many aspects.
For example, when I load my profile, my greeting message is "DON'T SAY PLEASE FUCKHEAD!" (a quote from Blue Velvet), my credit card account is called "Devil's Due", and my line of credit is called "Slush Funds".
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.
If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as ex Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.
If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:
"What is yous password, Sir?" :-)
"You are all complete morons"
"That is correct, Sir, thank you"
Insert
Why the FUCK could an employee see the password?
THAT SHOULD NEVER HAPPEN.
"funny or not" isn't the right question to ask here.
The right question is: "Why was customer service able to access his plain text password?" - when every book about security tells you to store passwords hashed. They should never even know what his password actually is.
Assorted stuff I do sometimes: Lemuria.org
Does one have "rights" on a website not owned by a government entity? Even in the U.K.? Is there a TOS to support this, or some statement to the contrary? Yes, this sucks and is unprofessional, at best, but I have a hard time believing that you have any right to anything on a website unless you are specifically granted such rights by some particular means. Need more information, without reading TFA, of course.
This is a hacked account, for which the owner can not be held responsible.
Yes, a Personal Identification Number number. Is that long enough?
You think *that's* bad?
I came across my first instance of a "Personal PIN Number" a couple of weeks ago.
Guys, let me clear this up. I have a Lloyds bank account, when you phone their phone banking system, they ask you "What's your password". May not be secure, but that's how they do it.
So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?
And you don't see the problem yet?
How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?
Of course, now when you talk to an operator, you tell them your password. So now we're back to problem 1, albeit with less people having access to it.
So, better yet, how about making you type it on the phone pad? Then their PBX can extract any such keypresses and send them directly to the computer. There is no need for the human operator to ever hear or read that sequence.
So basically, you can jolly well stop pretending that crap security is anything else. Yes, it may require some 5 minutes of thinking to solve those problems, but they _are_ solvable.
This kind of thinking inside the box (basically, "it's been done so before, so I guess we'll have to do the same"), and throwing your hands up in defeat each time it requires more thought than applying verbatim what you already know, is the real problem with security nowadays. Most people don't even bother trying to think about what could go wrong, and how (if at all) it's preventable.
A polar bear is a cartesian bear after a coordinate transform.
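The "operator types it, computer compares it to a salted hash" design from the post above, together with the hash-versus-reversible-encryption distinction raised earlier in the thread, as an added example (editor-added code; not from any poster, Lloyds or any bank). The stored record is a salt plus a PBKDF2-HMAC-SHA256 digest, so neither the operator's screen nor a copy of the table yields the phrase; only a reset is possible once identity is verified another way. The normalisation rule, iteration count and lockout threshold are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000     # PBKDF2 work factor (assumption; tune to the hardware)
MAX_FAILURES = 5         # lock the phone channel after this many wrong attempts


def _normalize(spoken: str) -> bytes:
    # A phrase read out over the phone: ignore case and surrounding whitespace.
    return " ".join(spoken.lower().split()).encode()


def _digest(spoken: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(spoken), salt, ITERATIONS)


def enroll(spoken_password: str) -> dict:
    """The row in the customer table: salt and digest, nothing recoverable."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _digest(spoken_password, salt), "failures": 0}


def operator_check(record: dict, typed: str) -> bool:
    """Operator types what the caller said; the screen shows only True/False."""
    if record["failures"] >= MAX_FAILURES:
        return False              # locked: caller must go through an out-of-band reset
    ok = hmac.compare_digest(_digest(typed, record["salt"]), record["hash"])
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


def reset_password(record: dict, new_spoken_password: str) -> dict:
    """The most a help desk can do: replace the secret, never read it."""
    fresh = enroll(new_spoken_password)
    record.update(fresh)
    return record


def dump_contains_plaintext(record: dict, spoken_password: str) -> bool:
    """What an insider with SELECT on the table learns: the phrase is absent."""
    blob = record["salt"] + record["hash"]
    return _normalize(spoken_password) in blob


if __name__ == "__main__":
    row = enroll("Lloyds is pants")        # constructed sample secret
    print(operator_check(row, "lloyds is pants"))   # True
    print(operator_check(row, "no it's not"))       # False
    print(dump_contains_plaintext(row, "Lloyds is pants"))  # False
```

With a keypad entry the PBX would hand `typed` straight to `operator_check` and the operator would never hear it; the verification code is the same either way. Contrast this with reversible encryption of the kind used for stored card numbers: there the application holds a key that turns the ciphertext back into the secret, which is exactly what a "what is your password" help desk needs and exactly what this design refuses to provide.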
The customer misremembered his password as "Lloyds is pants". He rang up to make a transaction, but when he gave his (wrong) password, they said "no it's not". He asked to change it to "Barclays is bank", but they weren't sure if it was really him, so they refused. Case solved! And no, I didn't read the article.
At least not anymore.
Hey, it's six letters.
Damn, I must stop posting complete business plans.
America, Home of the Brave.
Or he lives somewhere other than the United Kingdom or Republic of Ireland, and has never travelled to either of those places.
Plc is somewhat analogous to GmbH or LLC elsewhere.
The Future of Human Evolution: Autonomy
Two additional things are not acceptable:
3. pants: This word can have two meanings if you are from the UK. It either means (1) the British word for panties, underpants, etc., or (2) rubbish, bad. (1) "I bought some new pants and a matching bra." (2) "This film is pants!"
Isn't it strange/scary/odd that someone is looking at passwords?
On a similar note, every time I have to reboot a Windows box or have to enter a reason for a shut down/restart I enter "Microsoft sucks" or "F%$#k you Bill Gates" (without the censorship)
I think more people should do this. :-)
I would be extremely leery of any security system that allowed _anyone_ to read passwds unless for verbal authentication. Otherwise, they should be always be cryptohashes.
Could such a password be deemed too weak, as it is obvious and the same password is used by many customers?
is the fact that anyone in the company can see customer passwords in the first place. So much for security.
Who knew the Streisand effect applied to passwords as well?
Amazon has my credit card number stored, and I'll be damned if it's in there as 3723-7... I mean, yeah. Anyways, it's in there via a 2-way encryption algorithm - functionally identical to how SSL works, even if the methods involved are completely different.
They don't need to store your credit card number at all. Once they've communicated with Visa (or whichever processor), Visa should send back a unique number. That unique number should key a table in Visa's system that links Amazon to your credit card account. If someone else steals that from Amazon, then Visa would be able to tell that it was the Amazon account that was compromised and destroy only that.
That's a special kind of two factor authentication for a transaction. Yes, it would be possible for someone to steal the unique number, but the only thing that they could do with it would be to transfer money from you to Amazon (or vice versa). They would have to engage in a separate exploit to get the money from you or Amazon. Also, they would have to find a way to spoof as Amazon when using the number. Since Amazon does not communicate with Visa over the internet but via a special serial connection (more like an ISDN line), this would be difficult to do.
Source
You better watch out, there may be dogs about . .
That seems to me like a very fragile assumption.
Yes, you'd think that most people are smart enough to not do stuff where they could end up in jail, but about 1% of the population of the USA _is_ currently in jail. You'd think that most people are sane enough, but 0.4 to 0.6 percent of the population are schizophrenic. You'd think that most people are nice enough to their fellow human, but about 1 in 30 qualifies as sociopath, and 1 in 100 as outright complete psychopath.
You don't take those precautions against most of those call centre employees which are honest, sane, smart and nice, like you were. You take them against the schizophrenic dude who'll sell that data because the ghosts threatened to suck his soul through his nose if he doesn't. You take them against the disgruntled sociopathic admin who wants to go out with a bang. (See for example the recent news about the guy who locked a city administration out of their computers.) You take them against the idiot who'll sell an old computer on eBay without first erasing the database files or backups off it. (See the recent story.) You take them against the irresponsible (if well meaning) insurance/investment/etc salesman, who'll copy the whole damn customer database on his laptop so he can show a snappy chart to a potential customer. You take them against the idiot rent-a-coder who'll zip your whole database and post it on the web, when asking for help with some trivial formatting problem. (Yes, one dude did exactly that. Twice.) You take them against the irresponsible boss who'll copy that whole damn database on a USB stick, and give it to some programming contractor so he doesn't have to work on-site. And then said contractor loses the stick. (See the recent leak in the UK.) You take them against the irresponsible "tech savvy" guy, who'll open an insecure tunnel right through your firewall, so he can work from home, and thinks that nobody will guess the port. Etc.
It's not just you call centre guys who can see those plaintext passwords, you know. There's a whole lot of people who might end up seeing that data, some of whom you'd never even think about off the top of your head. E.g., that eastern European janitor who was emptying the dustbins while you were looking up someone's plaintext password.
Security is about trying to prevent as many of those as you realistically can. Just because you call-centre guys get to hear the password as plaintext, is no reason why everyone in IT or with enough clue to run an SQL query should also be able to get to them.
But it is not as brain dead as in the litigious US of A.
In the UK you'll find there is still some degree of banter in most offices and people know when something is meant as a joke or as an offence, in most cases where involuntary offence is caused an apology will suffice.
Unfortunately US corporate is permeating UK corporate culture by means of European Head Offices of USian companies based in London and other parts of Europe.
These companies bring with them all their legal baggage and I am sad to say that UK people are catching up pretty fast.
IANAL but write like a drunk one.
For slashdot I don't care if somebody gets my password.
For my bank I am willing to take a token, card or whatever makes my account as secure as possible.
At one point I had a password with a company that was "<competitor> sucks" where <competitor> was the competitor's name. The company in question dropped "sucks" off of my password. Pretty sure it was a customer service rep. Probably because she was an uppity bitch.
I am invincible!
Um, who modded this troll? "Holding a pen" + "I am invincible" = Slashdot mods are slugheads.
The "PIN" is taken to be an adjective here. It's the same usage as "password string", "laser light", "microwave radiation", "sonar sound", and "NAT translation". All of those are phrases in which the first word or acronym imply the second word, but they're pretty common phrases.
The PIN is the generic idea of the personal identification number to be entered, and the PIN number is that user's specific string of digits.
I'm glad you had your laugh, though. BTW, why is it still called a CPU if there's more than one?
You don't have the "right" to a secure website and a professional interaction with your bank, no.
Your bank doesn't have a "right" to stay in business after driving off customers either.
A password is a personal piece of information. A CSR's knowledge of your password is a violation of the terms of their privacy policy.
or the simple answer is, have them set it to something simple and change it manually via their web interface later.
They're using their grammar skills there.
'Cause it's in the middle. Duh.
My voice is my passport. Verify me.
At that point I would have chosen, "TOSSER"
I am Bennett Haselton! I am Bennett Haselton!
You explained everything but the most important part. Why are pants offensive? I do not find pants to be offensive at all.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I do hope they don't send this data around on CDs or sell the PCs.
I remember having to create an account with Kodak to get the latest software and tried several usernames. "Unhappy Customer" was taken and so was "Angry Customer" so I guess that says it all.
When I worked for a helpdesk for a large ISP in the UK we had a chap with the security phrase:
"Who am I talking to?"
with the answer " scum".
Yes, it's that level of mutual respect that will make helpdesk staff want to talk to you...
And its amazing that the descriptive language to denote one also defines the other...
I use a limited number of random alphanumeric strings that I forced myself to memorize (it was a time consuming "pain-in-the-butt"(TM)® to set up but it's pretty secure. The characters are meaningless and they are unguessable and there is an algorithm for the number-letter pairing.)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
the obvious misspellings. It's "Lloyds" not "Llyods".
Banks set traps now with fees to essentially "take back" the interest payments made. It's no longer a case of a bank's interest in loans covering the interest they pay out in savings - now fees make up 40% of that revenue.
This has changed the fundamental relationship between most banks and their customers. For example - if I mess up and accidentally make one too many transactions from my savings account, the fee associated with transaction 10 will not only wipe out the interest generated that month, but the two months prior.
The idea that they "pay us" for our money is cute and they'll defend it, but the hidden fees and the contortions required of customers to avoid such fees betray the true profit centers.
You better watch out, there may be dogs about . .
that someone else knew what his password was. That means that they track and can read your password. I don't think that would make me feel comfortable. I would hope that passwords were stored encrypted and not decryptable by staff.
Only 'flamers' flame!
Does slashdot hate my posts?
Last year, a fairly intelligent college student who worked for me managed to lock himself out of an account by failing to notice that caps lock was engaged.
That's not really being a password idiot, but it is kind of an airhead thing to do.
told him we could unlock it by calling the help desk together and providing the correct password over the phone.
YOU are a password-idiot. Rule #1 of passwords: never divulge your password to anyone for any reason.
Besides, if the help desk asked for his password they would be truly incompetent. Not only would they be asking somebody to break Rule #1 of passwords, but they'd be breaking Rule #2 of passwords: Never store a password in plain-text. Store only the hash.
What you should have told him is to tell the help desk that he had forgotten his password, and then follow the procedures to get it reset and changed.
He very sheepishly confided that his password was [ourcompanyname]sucks.
That does indeed imply that he was a password-idiot. He broke rule #1.
I advised him to pick a more-appropriate password
And by "more appropriate" I hope you mean, "more secure than something that could be guessed within 10 times" not "less offensive." Rule #3 of passwords: Do not use actual words as your password. They are vulnerable to dictionary attacks. 1337ing of words doesn't help either, as they are easy to implement in said dictionary attacks. Start with long passphrases, then use the initials of the words. You may 1337 that to get a few digits in. Since you started with multiple passphrases, you already have some capital letters sprinkled in.
but watched him more closely after that. A month later I caught him stealing from the company.
You are fucking retarded. You're implying that somebody's choice of password is a good indicator of their honesty? Do you also hire a phrenologist to help out on interviews?
A few months later I discovered that [username][a-racial-slur] came up in the autocomplete list for the username field on a computer used by a manager who works for me. He apparently didn't press the tab key hard enough after entering his username.
He is indeed a password idiot. Rule #4 of passwords: Pay attention when you type it. You don't want somebody looking over your shoulder to see the password that you are typing in. And for that matter, Rule #5 of passwords: If you ever have any reason to believe your password has been compromised, change it. Even if there's only a small chance of that happening. Once he noticed he didn't type it correctly, he should have cleaned the browser cache AND changed the password, just in case someone did see him type.
we had a long talk about maintaining a harassment-free workplace.
YOU are a fucking PC-enabler (which happens to be the worst thing I've called you so far). He wasn't harassing anyone, he was entering a password no one was ever meant to see. A harassment-free workplace doesn't mean the institution of the thought-police. Even if he had actually said the slur out loud without a racist context to it, it wasn't harassment. Maybe he was making fun of the slur, and of racist idiots who use it. Maybe he was telling a story of somebody else who used the slur. That's not fucking harassment.
Both people were, on the surface, intelligent, productive employees. But both of them thought of their passwords as their private information that would never be learned by anyone else.
And they were both correct in their assumption. Passwords are private information that will never be learned by anyone else. If they are stored in plain text at your company, sue the company for negligence (as somebody else could see your password, use your account to do something
This is a case of cumulative disaster, frankly. These guys have done a whole bunch of not-so-smart things that together combine into real stupidity -- they are both advocating password sharing and allowing a help desk person to INTERPRET a plaintext password. Not to mention instantiating password policies requiring a single dictionary word with a limit of 6 characters!
This means that punctuation probably doesn't count. Capitalization doesn't count. Spelling probably doesn't count. If an attacker can come up with a reasonably approximate phonetic representation of the password, then chances are, the help desk will assume the caller is the right person. After all -- if there was a requirement for an exact match, then the help desk person could just type in exactly what the user tells them and get a yes/no answer back without ever seeing the password, and the plaintext requirement wouldn't exist.
Once you have the password for account viewing, how much money do you want to bet that a significant proportion of customers use the SAME password for all their other activities with the bank? But don't worry -- that second, possibly identical password is protected with "full security procedures"...
don't mess with those geekgrrls
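The point made above about exact matching, as an added example that is not part of any comment in this thread: if the stored record holds only a salt and a hash, the agent's terminal can submit whatever the caller says and get back a bare yes/no, so nobody on the desk ever reads the password or can edit it to "no it's not". The example also shows the trade-off the comment describes: to let a spoken password match despite case or punctuation you have to fold those away before hashing, and whatever you fold away stops adding entropy. The `enrol`/`verify` names, the PBKDF2 choice and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import re

# Hypothetical verification service for a phone-banking desk (constructed
# example). The stored record never contains the password itself, only a
# random salt and a PBKDF2-HMAC-SHA256 digest, so an agent with database
# access cannot read the customer's phrase or overwrite it with a new one.

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the deployment


def normalise(phrase: str) -> str:
    """Collapse case, whitespace and punctuation so a spoken password still
    matches what was enrolled. Everything folded away here is entropy the
    attacker no longer has to guess, which is the cost of phonetic matching."""
    return re.sub(r"[^a-z0-9]", "", phrase.lower())


def enrol(phrase: str) -> dict:
    """Create the stored record for a freshly chosen password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(phrase).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "hash": digest}


def verify(record: dict, spoken: str) -> bool:
    """What the agent's terminal calls: it types in the caller's words and
    receives only True or False. The agent never sees the stored value."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(spoken).encode(), record["salt"], PBKDF2_ROUNDS
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = enrol("Lloyds is pants")
    print(verify(rec, "lloyds IS pants!"))   # matches after normalisation
    print(verify(rec, "no it's not"))        # does not match
```

Because the salt is random per record, two customers who pick the same phrase get different digests, and a stolen table cannot be attacked with one precomputed list.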
Back when I was doing tech support for Worldnet dialup internet, we could change people's passwords when requested (and we could also just read off what it's currently set to). I got a call once from someone saying they couldn't log in, and wanted me to read off their password. After the usual verifying security, I gave 'em their password... which was at the moment set to... umm... let's just say another way of saying "homosexual lover", since putting the actual password would likely set off the swear filter. Yeah, THAT was an awkward call.
The system logs the tech's login for any changes made to an account, so it was easy to see what happened. Someone, on their last day of work, changed some people's passwords to either racist, homosexual, or other various types of things.
Because of that incident, they stopped us from being able to either read passwords, or even create them to what someone wanted. If someone forgot a password, we could randomly generate a new one. That's it.
Planet Zebeth - Metroid with a twist
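The workflow the comment above ends on, written out as an added example (not code from the ISP or from the commenter): the help-desk interface exposes exactly one credential operation, a reset to a random value, and every call is attributed to the staff login in an append-only audit log. There is deliberately no method to read a password or to set it to a chosen string, which is what removed both the awkward read-back calls and the last-day-of-work abuse. Class and method names, the alphabet, temporary-password length and PBKDF2 parameters are assumptions for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000  # assumed work factor


class AccountStore:
    """Hypothetical customer-account store. Staff get one credential
    operation, reset_by_staff(); there is intentionally no read_password()
    and no way for staff to choose the new value."""

    def __init__(self):
        self._records = {}    # username -> {"salt": bytes, "hash": bytes}
        self.audit_log = []   # append-only list of attributable events

    def _store(self, username, plaintext):
        salt = os.urandom(16)
        self._records[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac(
                "sha256", plaintext.encode(), salt, PBKDF2_ROUNDS
            ),
        }

    def _record_event(self, actor, action, account):
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "account": account,
        })

    def set_by_customer(self, username, new_password):
        """The customer chooses their own password after authenticating."""
        self._store(username, new_password)
        self._record_event(username, "customer_change", username)

    def reset_by_staff(self, username, staff_id, length=12):
        """The only staff path: generate a random temporary password, store
        its hash, log who did it, and return the value once so it can be
        read to the caller. The customer's old password is never revealed."""
        temp = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._store(username, temp)
        self._record_event(staff_id, "staff_reset", username)
        return temp

    def verify(self, username, candidate):
        record = self._records.get(username)
        if record is None:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS
        )
        return hmac.compare_digest(digest, record["hash"])

    def who_touched(self, username):
        """Every actor who changed this account's credential, in order;
        this is the trail that made the last-day incident easy to see."""
        return [e["actor"] for e in self.audit_log if e["account"] == username]


if __name__ == "__main__":
    store = AccountStore()
    store.set_by_customer("alice", "Lloyds is pants")
    temp = store.reset_by_staff("alice", "tech42")
    print(store.verify("alice", temp), store.who_touched("alice"))
```

A temporary password handed out this way should be forced to expire on first use, so the staff member who generated it holds it only for the length of the call.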
Now, I'm not about to do something crazy like RTFA, but.....
Beyond the fact that the password was changed, how did the rep see it? Was he going through all the accounts looking at the passwords and saw this one?
--
My parents went to Slashdot and all I got was this lousy sig.
So basically every single operator they've ever employed can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?
How is this different from withdrawing cash from the bank in person? All you are doing is verifying your identity to a bank employee who could drain your entire account without a password. Just like the bank clerk does not have to ask you to enter a password before they give you money.
My company provided a random 3-character prefix and I selected a 3-character suffix to generate my password. They provided:
MEF
to which I was compelled to complete:
UCK
and then later had to call for my password. The clerk became embarrassed, but so did I and we had a good laugh.
I did take the risk of asking her out for a date and she accepted. We are now married.
Being a geek perv does pay off on occasion, so there is hope, Slashdotters.
When I worked at a major IT firm we had an online training we all had to complete annually.
It was written in flash and had logons that required userids and passwords.
A year after it went live we had an email asking us to complete the training again, along with a complete list of names, usernames and the password we had picked.
Entries were varied.
Passwords: "cunt", "W", "A", "", "password", partner's name, work colleagues' names (of both sexes, and in one case tellingly showing a male (firmly closeted) person who used another male colleague's name as his password).
I pointed out that no password should have been stored in plain text (duh!). Given that a large portion of our work was security related, no-one thought this important. "It's an online training system - it does not matter."
FFS. So you have now compromised pretty much every other system, as many used the same user id and password on other systems.
Seems ironic, given that Websters defines "icon" as "a religious image painted on a small wood panel".
TFA points out that this is telephone banking. Really, read TFAs once in a while and don't rely on summaries approved by editors who cannot spell a word as simple as Lloyds.
Burns: We're building a casino!
McAllister: Arrr. Give me 5 minutes.
The comment by Cassius Corodes is undereducated and misleading. There are a myriad of reasons besides whether or not the operator will be in the loop (which should only be guaranteed if the caller provides the correct password anyhow) that I'm sure other responders have already pointed out. Please mod it down.
I point anyone who likes to believe that slashdot readers are more open-minded and/or intelligent than the rest of the web community to this exchange.
In fact I'd put pressure on companies providing services to have a higher standard with passwords such as ensuring that they are always stored encrypted, and that their personnel can't read them under any circumstances not even when debugging.
Now that's not always possible with phone-in services where they want you to identify yourself to them using a password. Then it's in the clear on the phone and within earshot. In this case the company should log which of their people saw or heard the password. This is usually possible with customer service records.
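Logging which staff saw or heard a password is only useful if someone reviews the log. As an added example, not from any commenter, here is the review side: a parser for a constructed credential-access log plus two checks that pick out the patterns this thread worries about, secrets viewed outside desk hours (the "calling after hours" concern) and one login sweeping through many accounts in a day (the last-day-of-work incident). The log format, staff ids, account ids, working hours and the per-day limit are all invented for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a staff credential-access log; format, staff ids and
# account ids are invented for this example.
SAMPLE_LOG = """\
2007-03-01T09:12:44Z staff=tech17 action=view_secret account=cust1001
2007-03-01T09:40:02Z staff=tech17 action=view_secret account=cust1002
2007-03-01T10:05:19Z staff=tech23 action=view_secret account=cust1003
2007-03-01T22:31:07Z staff=tech23 action=view_secret account=cust1004
2007-03-02T13:00:00Z staff=tech09 action=view_secret account=cust1005
2007-03-02T13:01:10Z staff=tech09 action=view_secret account=cust1006
2007-03-02T13:02:31Z staff=tech09 action=view_secret account=cust1007
2007-03-02T13:03:55Z staff=tech09 action=view_secret account=cust1008
2007-03-02T13:05:12Z staff=tech09 action=view_secret account=cust1009
2007-03-02T13:06:48Z staff=tech09 action=view_secret account=cust1010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
    r" staff=(?P<staff>\S+) action=(?P<action>\S+) account=(?P<account>\S+)$"
)


def parse_log(text):
    """Turn log lines into dicts with a parsed timestamp. Malformed lines
    are skipped rather than allowed to abort the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def after_hours_views(events, open_hour=8, close_hour=18):
    """(staff, account) pairs where a secret was viewed outside the desk's
    assumed working hours [open_hour, close_hour)."""
    return sorted(
        (e["staff"], e["account"])
        for e in events
        if e["action"] == "view_secret"
        and not (open_hour <= e["ts"].hour < close_hour)
    )


def bulk_viewers(events, per_day_limit=5):
    """(staff, day) -> count for staff who viewed more secrets in one day
    than the limit; a departing employee sweeping accounts shows up here."""
    counts = Counter(
        (e["staff"], e["ts"].date().isoformat())
        for e in events
        if e["action"] == "view_secret"
    )
    return {key: n for key, n in counts.items() if n > per_day_limit}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(after_hours_views(evs))
    print(bulk_viewers(evs))
```

Both checks return data rather than printing it, so they can feed a ticketing system or a daily report; the thresholds are starting points to be tuned against the desk's real call volume.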