Slashdot Mirror


Changing Customers Password Without Consent

risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."

108 of 435 comments

  1. Plaintext passwords? by MiKM · · Score: 5, Insightful

    What worries me more is that they are storing the passwords in plaintext.

    1. Re:Plaintext passwords? by Al+Dimond · · Score: 5, Funny

      And I thought I had a shot at getting this in first...

      Maybe he should make his new password "Lloyds security is pants"

    2. Re:Plaintext passwords? by chill · · Score: 4, Informative

      From the article it sounds like a voice code phrase to authenticate yourself over the phone. The staff has to be able to see it to verify it. It isn't a computer password.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:Plaintext passwords? by Chees0rz · · Score: 2, Interesting

      Today I forgot my Hertz Gold Club membership (comes with the job) password. Guess what button I got to press...

      "Email me my password"

      I said no... no... it'll be a new password...

      And what did I get in my inbox now 2 minutes later...?

      I cringed like hell.

    4. Re:Plaintext passwords? by Anonymous Coward · · Score: 4, Informative

      My bank has a password to verbally verify over the phone. It's the street I grew up on, so I just say Cottage Rd. But seriously, I have to say my street name every time, and I assume the operator is looking at it to verify. I doubt they're going to type it in and verify the hashes.

    5. Re:Plaintext passwords? by Psychotria · · Score: 5, Funny

      That was a bit silly. Now I can just ring the bank and say my name is "Anonymous Coward" and my password is "Cottage Rd". This means I can transfer all of your funds... didn't think of that did ya!

    6. Re:Plaintext passwords? by brianjlowry · · Score: 5, Funny

      You act like they are storing important information in the DB... like it is a BANK or something.

    7. Re:Plaintext passwords? by Firehed · · Score: 2, Informative

      Not only is it being stored in plaintext (or at least not as a one-way hash), but presumably it's also visible in the administrative interface to the site. Does <input type="password" /> not have any meaning in those parts?

      --
      How are sites slashdotted when nobody reads TFAs?
    8. Re:Plaintext passwords? by zobier · · Score: 2, Interesting

      The same thought occurred to me, however would you trust an operator not to make a typo or know e.g. the difference between its and it's; would you even trust their internal system to be safe from an SQL injection?

      --
      Me lost me cookie at the disco.
    9. Re:Plaintext passwords? by QuantumG · · Score: 5, Funny

      Yes, my voice password is "billy'; drop tables;", type it in muppet!

      --
      How we know is more important than what we know.
    10. Re:Plaintext passwords? by beav007 · · Score: 4, Informative

      Wait, what? When was the last time you typed your password hash into a website? That doesn't mean that your passwords are stored in plain text.

      When you change or set your password into a well-programmed website, it hashes the password (hopefully with a one-way algorithm), and stores the hash. When you enter your password in the future, it hashes what you enter with the same algorithm originally used, and compares the hashes, to see if they are the same. If they are, then the password is the same, or you've managed a 1 in eleventy billion chance at picking an entry that has a hash collision with your password.

      GP is assuming that the mentioned institution uses this sort of password protection system, and when the operator asks for your password, they type it in and click "Check Password", and wait for the program to say either "Password Correct" or "Password Incorrect". This would mean that the hashes are being compared.

      Of course, this is not a given.

    11. Re:Plaintext passwords? by EdIII · · Score: 5, Informative

      It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.

      The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.

      Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.

    12. Re:Plaintext passwords? by tsa · · Score: 2, Interesting

      My former ISP mailed me my password in a letter (on paper!) in big black letters every time I changed it.

      --
      Cheers!

    13. Re:Plaintext passwords? by Anonymous Coward · · Score: 3, Insightful

      any geek worth his geek card knows that was from xkcd anyway

    14. Re:Plaintext passwords? by AuMatar · · Score: 4, Funny

      I prehash all my passwords. That way only the hash of the hash is stored in their db. It's more secure that way.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    15. Re:Plaintext passwords? by Firehed · · Score: 4, Interesting

      I've had more than one website email me my password if I hadn't logged in after a week or two. Because obviously I wasn't logging in due to having forgotten the same password I use at half the websites on the internet, rather than the site sucking. Suffice to say, I've deleted my accounts at all sites where that's occurred. I wouldn't be at all surprised to see several of them vulnerable to SQL injections and I'm sure all of them did nothing but flip the 'account_active' column bit, but I felt better for a few minutes at least.

      Wordpress has a pretty good forgotten password system - it emails you a unique link (something like changepass.php?user=firehed&verify=asdf903jfo2i3jf) and you get your new password form. It's never revealed in plaintext. I hope more sites adopt something along those lines - seeing my password in plaintext anywhere always freaks me out a bit. Then again, I've seen it hashed as md5 and sha1 enough times that I could spot probably my account in a 'SELECT id, pass FROM users' result.

      I'm still a bit curious as to how banks haven't yet found a better system for getting you your initial ATM PIN when you get a new card than simply sending it separately from the card. Shouldn't they have some automated dial-in where I punch in the auth code they send me and the last four from my SSN (or MMDD birthday, whatever) as a verification code? If someone is stealing your mail looking for a new card, it wouldn't be difficult for them to also grab that 'discreet' envelope with that starter PIN.

      Security is really quite pathetic these days. No wonder we keep hearing about millions of customer records being lost.

      --
      How are sites slashdotted when nobody reads TFAs?
    16. Re:Plaintext passwords? by SEMW · · Score: 2, Informative

      Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.

      What makes you think there wasn't? It's not as if they can't find the culprit due to a lack of logs; the article says they identified and fired them.

      --
      What's purple and commutes? An Abelian grape.
    17. Re:Plaintext passwords? by Tim+C · · Score: 2, Informative

      I don't know about this particular system, but I have dealt with phone systems that ask you for certain letters from your password (e.g. 2nd and 5th, 3rd and 8th, etc). I wouldn't be surprised if this was the same.

    18. Re:Plaintext passwords? by Jedi+Alec · · Score: 5, Funny

      From the article it sounds like a voice code phrase to authenticate yourself over the phone. The staff has to be able to see it to verify it. It isn't a computer password.

      "I am the systems administrator. My voice is my password. Verify me."

      --
      People replying to my sig annoy me. That's why I change it all the time.
    19. Re:Plaintext passwords? by EdIII · · Score: 4, Informative

      I think you missed my point. There were no call logs, voice logs, notes, that identified an interaction with the customer when the voice password was changed.

      The fact they know which employee modified the password means that anytime customer information is changed they log which employee was responsible for it. That's good policy.

      So since the voice password was changed, and there are no records of the customer calling in and asking for it, the employee was disciplined.

      I thought that was clear from my post.

    20. Re:Plaintext passwords? by Bartab · · Score: 2, Informative

      Neteller does that as well. If you're not familiar with the company, they're primarily a third party "wallet" service to assist with withdrawals and deposits to online gambling sites (poker, sportsbook, etc). Once set up by a user, they have direct connections to bank accounts and credit cards and can charge against those accounts with no further identification than the account password.

      Which is sent cleartext via email upon request.

      --
      Any sufficiently advanced technology is indistinguishable from a rigged demo.
    21. Re:Plaintext passwords? by Cassius+Corodes · · Score: 5, Informative

      RTFA, it's a phone banking password - as this is done via an operator, they are going to know the password anyway so it's displayed to them.

      --
      Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
    22. Re:Plaintext passwords? by MrNaz · · Score: 5, Insightful

      Unless there is money being paid for accessing the systems

      What, you mean like bank fees?

      or there is an existing policy/agreement in place that says the system owners will not mess with passwords

      What, you mean like the legislative requirement that banks give depositors access to their funds?

      The people that own the systems have the right to do what they wish with them.

      No, they don't. They doubly don't if it means banking customers' financial services are interrupted.

      Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

      --
      I hate printers.
    23. Re:Plaintext passwords? by imdx80 · · Score: 2, Insightful

      Not really. The staff is looking at this info in front of a computer, no doubt, so hashing the password, and then requiring the staff to type it in to verify a match would be quite easily possible.

      not really seeing what benefit that will bring, the operator gets to hear the password so they'll get to know it anyhow

      a solution to hiding the passphrase from the operator would be, for phone banking, asking for particular letters of the pass phrase. that's what my bank does

    24. Re:Plaintext passwords? by igb · · Score: 4, Interesting

      Actually, LTSB verification involves being asked for (three, I think) letters from your password / passphrase. I believe that the operator has no access to the letters involved --- they are prompted to ask for three and eight, type them in, and now know what they are. If you don't know, they don't either: the letters aren't displayed to the operator. Online, you supply a username (which is related to you, not to your account) and password, and are then prompted for three characters from a passphrase as pull-down menu items (presumably to make key-loggers a little less useful). The telephone and online systems use different passphrases.

      Now of course this isn't flawless: there are a lot of attacks one can envisage, mostly involving operators always asking for different letters --- ie if they already have three, five and eight, and are prompted to ask for three, five and nine, they ask for four, six and nine, supply three and five from their previous knowledge and now have six letters instead of the four they would otherwise have. By this technique they can get the password in n/3 attempts, less if (as is likely) you don't need all the letters to see what the whole word/phrase is. It's a thin attack given the chances of you arriving at the same operator, or the operator's confederate, that many times, but might be possible as a large conspiracy by a corrupt call centre (LTSB have in recent months re-on-shored all their call centres; make of that what you will). If you fail to authenticate, for whatever reason, you're asked for the same characters next time, so an attacker cannot make repeated attempts hoping to be asked for characters they already have if they don't get a favourable set the first time.

      Some things about this story don't ring true, by the way. Firstly, LTSB have not, to my knowledge as a customer, had a limit on the length of pass phrases either for telephone banking or on-line banking as short as is claimed. The on-line `memorable information' (ie password) is six to fifteen characters, spaces not permitted, and I can't believe the voice system is different.

      There are some things that could be improved. You can change the greeting between given name, given name plus surname and a few other options, but you can't have a custom greeting. That's a powerful phishing prevention mechanism: if I can customise my bank's website to greet me, after supplying my password but before supplying my selected characters from the passphrase, with a picture I supply (say) then that massively ups the problems a phisher faces. I have my passphrase as six random characters (ie knowledge of five doesn't provide the sixth) so that if I'm ever asked for character seven or greater I know something bad is happening, but it's not ideal. But the rest they do well: initial contact URL is https and won't work as http, ie http://online.lloydstsb.co.uk/ doesn't answer, so anyone bookmarking it will bookmark the https. Menus don't accept keyboard accelerators. More if I could think of it before my first coffee. I checked it through pretty thoroughly before signing the ts and cs, and I'm reasonably happy.

      ian
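
The partial-character check igb describes, as an added model (not Lloyds TSB's system and not code from this thread): the desk receives only the positions to ask for and a yes/no, the same positions are re-issued after a failed attempt, and a change is accepted only against a logged call reference of the kind EdIII asks for. It also makes explicit the point telchine and Lonewolf666 circle around: to answer "is character 3 an 'o'?" the back end must hold the passphrase recoverably (here in memory, standing in for an HSM or encrypting service), so this scheme cannot be built on a one-way hash; Vault, Account, AuditEntry and the method names are assumptions.

```python
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of a partial-passphrase check; not any bank's code.

POSITIONS_PER_CALL = 3


@dataclass
class Account:
    # Held recoverably (in a real deployment inside an HSM): "what is character 3?"
    # cannot be answered from a one-way hash, and hashing single characters or
    # triples would be brute-forced in seconds.
    passphrase: str
    # Positions outstanding for this account; kept until a check succeeds, so a
    # failed call cannot simply be retried in the hope of a friendlier set.
    pending: Optional[Tuple[int, ...]] = None
    failures: int = 0


@dataclass
class AuditEntry:
    account_id: str
    employee: str
    action: str
    call_ref: Optional[str]


class Vault:
    """Stands in for the back end. The operator desk only ever gets the
    positions to ask for and a yes/no; it never receives passphrase characters
    it did not itself type in."""

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        self._accounts: Dict[str, Account] = {}
        self._rng = rng or secrets.SystemRandom()
        self.audit: List[AuditEntry] = []   # which employee did what, on which call

    def enrol(self, account_id: str, passphrase: str, employee: str, call_ref: str) -> None:
        self._accounts[account_id] = Account(passphrase)
        self.audit.append(AuditEntry(account_id, employee, "enrol", call_ref))

    def challenge(self, account_id: str) -> Tuple[int, ...]:
        """Positions (1-based) the operator must ask for. Re-issued unchanged
        after a failed attempt; a fresh random set only after a successful one."""
        acct = self._accounts[account_id]
        if acct.pending is None:
            n = len(acct.passphrase)
            acct.pending = tuple(sorted(self._rng.sample(range(1, n + 1), POSITIONS_PER_CALL)))
        return acct.pending

    def verify(self, account_id: str, answers: Dict[int, str]) -> bool:
        """answers maps position -> the character the caller gave. The desk can
        only submit exactly the positions it was told to ask for."""
        acct = self._accounts[account_id]
        positions = self.challenge(account_id)
        if set(answers) != set(positions):
            acct.failures += 1
            return False
        ok = all(
            hmac.compare_digest(acct.passphrase[p - 1].casefold().encode("utf-8"),
                                answers[p].casefold().encode("utf-8"))
            for p in positions
        )
        if ok:
            acct.pending = None     # next call gets a new random set
            acct.failures = 0
        else:
            acct.failures += 1      # positions stay the same for the retry
        return ok

    def change_passphrase(self, account_id: str, new_phrase: str,
                          employee: str, call_ref: Optional[str]) -> None:
        """A change is only accepted against a logged customer interaction; the
        old phrase is never returned to the desk."""
        if not call_ref:
            self.audit.append(AuditEntry(account_id, employee, "change-refused", None))
            raise PermissionError("passphrase change without a customer call reference")
        acct = self._accounts[account_id]
        acct.passphrase = new_phrase
        acct.pending = None
        self.audit.append(AuditEntry(account_id, employee, "change", call_ref))
```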

    25. Re:Plaintext passwords? by MrMr · · Score: 4, Funny

      Now in this case, the choice of the password might be deemed offensive
      When you think a 'plc.' can be offended you are anthropomorphizing abstract legal entities. Don't do that; they really hate it.

    26. Re:Plaintext passwords? by Lonewolf666 · · Score: 3, Insightful

      Actually, LTSB verification involves being asked for (three, I think) letters from your password / passphrase. I believe that the operator has no access to the letters involved --- they are prompted to ask for three and eight, type them in, and now know what they are. If you don't know, they don't either: the letters aren't displayed to the operator.
      In this case, the system seems to have a hole somewhere:
      Somehow the operator was able to substitute another password. His choice of new password indicates that he could read the entire old password.

      Unless there are some other safeguards in the system that were not mentioned in TFA, I would be seriously concerned about criminal operators abusing my account (hypothetically speaking, I'm not a customer at LTSB).

      --
      C - the footgun of programming languages
    27. Re:Plaintext passwords? by CmdrGravy · · Score: 2, Funny

      Yes, the best plan is for the staff to have a system, perhaps built by the staff, where the staff can verify the password but without the staff being aware of it. Staff should definitely ensure that staff cannot collude with staff to actually change the customers password on their own ! Customers aren't staff and it's just not right, whatever the staff get up to with staff, in the staff canteen or where ever else is strictly the business of the staff but when it comes to customers who aren't staff well then the staff should have ensured that rules were in place for the staff and being enforced by the staff so the staff couldn't get away with this behaviour with someone who isn't even staff.

    28. Re:Plaintext passwords? by ei4anb · · Score: 5, Interesting

      That is actually one of the schemes that I use. I have a keyword that I use to generate the password for all websites; I concatenate the keyword and the site's domain name and use a hash of that and allow Firefox to store it. That way I get a different pwd for each site yet I can regenerate it if I need to.

    29. Re:Plaintext passwords? by EvilIdler · · Score: 5, Insightful

      Uhm..what?! You don't store passwords in plain text, full stop. One-time passwords, alright. Generate one based on your bank card, and give it to the operator. It can't be used again. But a regular password? No way.

    30. Re:Plaintext passwords? by Richard_at_work · · Score: 2, Informative

      Unless there is money being paid for accessing the systems

      What, you mean like bank fees?

      Most people in the UK do not pay bank fees as we have free banking - they would only pay charges in case of exceptional activity on the account (eg unauthorised overdraft, failed charge etc).

    31. Re:Plaintext passwords? by MrMr · · Score: 4, Funny

      Seriously. I love to explain jokes.
      Lloyds is a plc.
      Go search for anthropo and see what to offend means.
      Now try to imagine an offended Plc.
      And hand in your geek card.

    32. Re:Plaintext passwords? by LordSnooty · · Score: 2, Informative

      My bank's phone service makes me type in my passcode via the keypad. If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures! Passwords should never be exposed in any way (in full at least), that has to be the bottom line.

    33. Re:Plaintext passwords? by HungryHobo · · Score: 2, Interesting

      even then it should never be in plaintext.
      hash it, the operator asks for the pass, types it in, it's checked against the hash and if it matches it's correct.
      People reuse passwords too much for this to be safe.

    34. Re:Plaintext passwords? by Sobrique · · Score: 3, Informative

      http://xkcd.com/327/ - One of my favourites

    35. Re:Plaintext passwords? by telchine · · Score: 5, Insightful

      If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures!

      My bank also asks me for two letters from my password, and my bank is Lloyds!

      How do you know for sure that your bank's operator can't see the full password when they're asking you for two letters?

    36. Re:Plaintext passwords? by Warshadow · · Score: 4, Funny

      No, No, No. "My voice is my passport verify me" :D

    37. Re:Plaintext passwords? by jcuervo · · Score: 2, Funny

      4c6c6f79642773206973207374696c6c2070616e7473.

      --
      Assume I was drunk when I posted this.
    38. Re:Plaintext passwords? by Cow+Jones · · Score: 5, Funny

      RTFA, its a phone banking password

      So, unless I misread TFA, we now know that Mr. Steve Jetley from Shrewsbury has a phone banking account with Lloyds, and is unable to change his password to anything else than "no it's not". Mr Jetley said he was still trying to find a suitable password which met the conditions.

      Excuse me, I have to make a phone call...

      --
      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
    39. Re:Plaintext passwords? by Anonymous Coward · · Score: 2, Funny

      Not really, since 1234 is explicitly banned when creating a PIN number in the first place - so any thief attempting to use 1234 as a PIN number would have to be a complete moron.

      You mean, on an ATM machine ??

    40. Re:Plaintext passwords? by TheRaven64 · · Score: 3, Interesting

      It's easy. Imagine your password is 'password.' To get a password for Slashdot, you concatenate it with the site name, giving 'slashdotpassword'. You then hash it with a well-known hashing algorithm, such as MD5, giving '4f9e0b445242debaefaea692318e7f05'.

      As long as you have access to something that can generate MD5 hashes (any system with OpenSSL or GNUTLS installed, including any *NIX machine, any Mac, and some Windows machines) you can trivially regenerate your password. If you wanted to use the same password for mybank you would use the hash of 'mybankpassword' which is '4281a3b1440b23b1106655dfeb849057'. Given either of these, it's very hard to recover the original input. It's a bit easier if you know that the format is {site name}{password}, but you could easily do something different, like interleave the letters, giving the hash of 'pmaysbsawnokrd'.

      --
      I am TheRaven on Soylent News
    41. Re:Plaintext passwords? by geminidomino · · Score: 2, Funny

      "I am the systems administrator. You shall have no gods before me"

      Fixed that for you.

      Who, me? BOFHish?

    42. Re:Plaintext passwords? by Bender0x7D1 · · Score: 5, Funny

      Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

      I live in the U.S. and am offended by the implications in your statement. Of course they have the right! How else would they find the terrorists?

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    43. Re:Plaintext passwords? by Anonymous Coward · · Score: 4, Funny

      What are you supposed to do, SHA-1 hash it in your head before reciting the hex digits over the phone to the operator?

    44. Re:Plaintext passwords? by corbettw · · Score: 2, Insightful

      How about, have the operator type in the password as it's spoken? You'd have to have spellcheck in place each time it's entered, and maybe remove punctuation to ensure consistency, but there's no reason to display the password to a human operator.

      --
      God invented whiskey so the Irish would not rule the world.
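
An added example (not code from the thread or from any bank) of the check beav007 and corbettw describe: the operator types what the caller says, the typed text is canonicalised (case-folded, punctuation such as the apostrophe in "it's" dropped, whitespace collapsed) and compared against a salted PBKDF2 digest, so the screen only ever shows correct or incorrect. normalize_spoken, make_record and verify_typed are hypothetical names.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict

# Hypothetical helper names; not code from the thread or from any bank's system.


def normalize_spoken(phrase: str) -> str:
    """Canonicalise a passphrase the way an operator would type it from speech:
    Unicode-normalise, case-fold, drop punctuation (so "it's" and "its" agree)
    and collapse runs of whitespace. Only this canonical form is ever hashed."""
    text = unicodedata.normalize("NFKC", phrase).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())


def make_record(phrase: str, iterations: int = 200_000) -> Dict[str, object]:
    """Store a fresh random salt and a PBKDF2-HMAC-SHA256 digest of the
    canonical phrase; the phrase itself is never written down."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_spoken(phrase).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_typed(record: Dict[str, object], typed: str) -> bool:
    """What the operator's "Check Password" button does: recompute the digest
    from what was typed and compare in constant time. The desk sees only the
    boolean, never the stored value or the caller's phrase in full."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_spoken(typed).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(candidate, record["digest"])
```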
    45. Re:Plaintext passwords? by orgelspieler · · Score: 4, Funny

      I think you just failed the Turing Test.

    46. Re:Plaintext passwords? by vanyel · · Score: 2, Interesting

      Imagine your password is 'password.'

      I don't have to imagine - after a recent spate of account hijackings to send spam, I ran a check and found 127 users with passwords of "password". This is a case where I reset their passwords without talking to them first as well as imposing some requirements on the passwords. It annoyed the call center, but it's better than getting blacklisted for spamming.

  2. Legal Problems by Detritus · · Score: 2, Insightful

    Does UK law cover "sexual harassment"? Employers in the USA have to worry about defending themselves against claims of sexual harassment, which can be quite broadly construed, even when a customer is the source of the alleged harassment. Anything that someone, somewhere, finds offensive, can be evidence of a "hostile work environment".

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Legal Problems by Ixitar · · Score: 5, Interesting

      I just love the hypersensitivity out there. I was on a project years ago where there were duplicate records on companies. One fellow that I worked with wrote a drag and drop application to eliminate duplicates. The user would drag the "good" record over an icon for the good company record and drag the "bad" record over the icon for the bad company record. The good company icon was a building in white with a halo over it and the bad company icon was a building in red with horns. I told him that someone with no sense of humor is going to tell him to change the icons. Sure enough, he was told to change the icons so as to not potentially offend someone's religious faith.

  3. Re:How did they even know his password to begin wi by Architect_sasyr · · Score: 3, Informative

    Heh. Truly a RTFA moment.

    From TFA:

    A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not"

    They can't store that clear text if they want to verify it.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  4. Re:My Password by halcyon1234 · · Score: 4, Funny

    My password is the middle step in any profit plan. Now I can't remember what it is. I hope my cookies never expire.

  5. Clarifying for Americans by RevWaldo · · Score: 5, Informative

    In the UK "pants" is the term used for underwear.
    It is also slang for rubbish (that's "crap" for Americans.)

    This doesn't speak well for the state of British underwear, but whatever.

    1. Re:Clarifying for Americans by kae_verens · · Score: 2, Informative

      rubbish.

      when abbreviating, a=b*c/4 is "a is b by c over 4", which is perfectly legible.

      repeating "by" for two separate meanings would be stupid.

      also, "often shorten words to the right" ? can you provide another example? "multiply by" is not a word.

    2. Re:Clarifying for Americans by Antique+Geekmeister · · Score: 2, Funny

      Don't get your knickers in a twist.

    3. Re:Clarifying for Americans by ben0207 · · Score: 5, Funny

      Does anyone else find it quaint when yanks try to comment on the English language?

      They always manage something that is nearly completely wrong, but right enough to see where they were going before they were distracted by something to eat or a TV.

      --
      cmd-q.co.uk - some sort of stupid fucking internet bullshit
    4. Re:Clarifying for Americans by QuantumG · · Score: 4, Funny

      Wow, so basically your world view is that there are people from the UK and there are people from the US and no-one else exists?

      I guess that's almost better than the average American's grasp of geography.

      --
      How we know is more important than what we know.
    5. Re:Clarifying for Americans by R2.0 · · Score: 2, Funny

      "You're not talking about shagging are you?"

      No, he's talking about fucking - please try to keep up.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    6. Re:Clarifying for Americans by fotbr · · Score: 5, Insightful

      American here. No, that is not anywhere NEAR the average American's grasp of geography. You're giving them far, far too much credit. Most of my countrymen below the age of about 30 have no clue about anything other than the area of the US they live in, and some vague notion of Africa being poor, and Iraq being "over there". They can't even pick out all the states, much less find Iraq on a map. They *might* be able to pick out the continent of Africa, but they'd probably be looking for a single country instead.

      Our public school system has turned an entire generation into morons, who think being wrong is ok as long as they feel good about themselves.

    7. Re:Clarifying for Americans by Anonymous Coward · · Score: 2, Funny

      In the UK "pants" is the term used for underwear.

      It is also slang for rubbish (that's "crap" for Americans.)

      This doesn't speak well for the state of British underwear, but whatever.

      I thought it was just their teeth that were brown, yellow and disgusting!

    8. Re:Clarifying for Americans by Raenex · · Score: 2, Insightful

      Who are you kidding? You just fucked up somebody else's language. It's turtles all the way down.

  6. Ok, and... by narcberry · · Score: 5, Funny

    I read the article and it only reports half the story.

    Sure he tells us all about his password and what he is using. But what was his account name?

    --
    Modding me -1 troll doesn't make me wrong.
  7. Re:How did they even know his password to begin wi by threephaseboy · · Score: 2, Insightful

    You do if it's a telephone banking password

    --
    .
  8. I once had a funny incident with some website. by CrazyJim1 · · Score: 5, Funny

    I called in and asked, "Can you give me my password?"
    Him: "Ok, give us your information."
    Me: I gave him my information.
    Him: "You want your password now?"
    Me: "Yes please."
    Him: "Biteme."
    Me: "What?"
    Him: "Biteme is your password."
    Me: "Oh... Thanks..."

    I made a mental note: "Do not make passwords that will embarrass me if I have to call in on the phone."

    1. Re:I once had a funny incident with some website. by dmneoblade · · Score: 3, Funny

      Alternately, DO make passwords that will embarrass people if used over the phone. Great way to slip in a little casual trolling. For added bonus, use a passphrase that is the entire lyrics to a song. For tradition's sake, Fresh Prince of Bel Air and Never Gonna Give You Up are excellent choices.

      --
      Warning, knife is sharp. Please keep out of children.
    2. Re:I once had a funny incident with some website. by Firehed · · Score: 2, Funny

      You want to get rickrolled when you have to call in and have your password changed? I'd much rather be told how nice I look today or that the kind phone attendant would like to do something with me that's considered impolite on a public forum.

      Most unfortunately, I haven't found a good way to set conditionals in password reset utilities that will prompt a vastly different response from a female assistant than a male. As such, avoid calling from a speakerphone, or you could end up having a very, very interesting day.

      --
      How are sites slashdotted when nobody reads TFAs?
    3. Re:I once had a funny incident with some website. by Jugalator · · Score: 2, Funny

      Or set it to "wannafuck" and hope the one on the other end sounds like a hot member of the opposite sex.

      A bit risky plan though.

      --
      Beware: In C++, your friends can see your privates!
  9. Re:How did they even know his password to begin wi by Psychotria · · Score: 3, Insightful

    Which is the same in Australia. If I ring telephone banking they ask me for my password, which they can plainly see (I know, because I forgot it once and they told me I was one character out as a gentle "reminder"). It does seem absurd that my slashdot password is probably more secure than my banking "password". Note that the telephone banking password is different to my online banking password, which appears to be stored encrypted--as it should be (note that I cannot verify this as I do not work for a bank, but my anecdotal evidence confirms it).

  10. I'm more disturbed by the fact... by Aardpig · · Score: 2, Interesting

    ...that neither the submitter nor the editor (samzenpus) are able to spell the word 'Lloyds', despite it appearing a number of times in the original article.

    Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.

    --
    Tubal-Cain smokes the white owl.
    1. Re:I'm more disturbed by the fact... by zobier · · Score: 4, Funny

      Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.

      Let us start tagging idleispants.

      --
      Me lost me cookie at the disco.
  11. plaintext passwords by Fusen · · Score: 3, Informative

    For people questioning why the bank has your password in plaintext, this is because in the UK they have ALL your info in plain text.

    Your complete credit card details including 3 digit security code on the back.

    Your complete address, maiden name, old addresses etc etc.

    They use all of this info to verify who you are before they tell you anything about your account, so you ring up and say "Can I see my balance", and they ask for random bits of the stored info.

    You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.

    1. Re:plaintext passwords by jrumney · · Score: 4, Insightful

      You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.

      Or back it up into unencrypted ISO images on their hard drive then sell their laptop on ebay, which seems to be standard practice at UK banks, Inland Revenue and other organizations which deal with such personal information.

    2. Re:plaintext passwords by andy.ruddock · · Score: 2, Funny

      It's called "an off-site backup".

      --
      God: An invisible friend for grown-ups.
    3. Re:plaintext passwords by Arimus · · Score: 4, Interesting

      What hacks me off the most is that where I work (defence contractor) we have to have baseline encryption on our entire laptop drives and a second encrypted area for the more sensitive stuff. USB drives have to be encrypted as well, and PDA type (so iPods, phones etc) devices can't connect unless you are in the privileged few who need to share data with external agencies or with our test systems.

      (My personal laptop (the one I'm typing this on) I've got my own encrypted Linux filesystem on; only the Windows bit isn't encrypted, and bar photo editing it's not used much.)

      Why if we have to jump through various hoops or lose our supplier status can't the UK government departments and contractors working directly on their behalf do the same? (And ditto for banks.)

      Everyone involved with handling personal data needs to look into data minimization and data protection (integrity, access control, non-repudiation, auditing, the whole shooting match), and any company found not doing so should be banned from handling personal data ever again. Government departments are harder to control (after all the MPs won't vote in a law which would neuter the IRS ;) ) - so make the law such that the minister and the civil servant in charge of the affected department face a 1 month jail sentence for every 100 records lost, loss of pension rights, barred from being company directors etc...

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
  12. I know of someone who can help by Rupert · · Score: 4, Interesting

    Mr. Yorkshire Bank Plc Are Fascist Bastards was able to get a judge to order Yorkshire Bank to issue him a cheque payable to his full name.

    --
    E_NOSIG
  13. Important message to Lloyds customers by Anonymous Coward · · Score: 5, Funny

    My Dearly Beloved Lloyds customers.

    I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.

    Thank you sincerely for your cooperation.

    Mrs Mariam Abacha, Lagos, Nigeria

  14. abscissa here by Anonymous Coward · · Score: 3, Funny

    Who changed my password?

  15. Six letters? Bollox. by zobier · · Score: 2, Interesting

    "The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

    I would have then asked for it to be changed to bollox and then proceeded with increasingly vulgar suggestions. Fanny would be a good choice.

    --
    Me lost me cookie at the disco.
  16. Re:Lloyd's by jrumney · · Score: 2, Funny

    Perhaps it really was Llyods, as in www.lloyds.ru, after all, they did have his password stored as plaintext.

  17. New password by AndyFewt · · Score: 2, Insightful

    New pass: "Gagged" It meets the no more than 6 letters condition.

  18. fun with passwords by Eil · · Score: 5, Funny

    Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).

    One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties. He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.

    You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone

    "Ummm, uh, it's fuckyou2dickhead."

    I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.

    He gave a huge sigh of relief.

  19. SL did that to me by tsa · · Score: 3, Informative

    Linden did that to me with my Second Life account, after a crack of their server in 2006 IIRC. They told customers to answer a few questions about who their friends were etc to get their passwords back. I had been there only a few days and I didn't know how to spell my friends' names. Thanks to their crappy customer service I never could log back in. Luckily I didn't have a paid account. I was pretty angry at them, and rightly so I believe. It's very inconsiderate to change customers' passwords without their consent. They did it to protect their customers and I understand that, but I guess I was not the only one who was forced to make a new account.

    --
    Cheers!

  20. Re:My Password by Fantastic+Lad · · Score: 4, Funny

    "I hope my cookies never expire."

    That should be on a Tee-Shirt.

    -FL

  21. Re:least of their problems by andy.ruddock · · Score: 2, Informative

    Telephone banking. Customer rings and gets asked "What's the 3rd letter of your password?". You usually get asked for two randomly selected characters in your password, plus other details, such as random digits from a customer code which is chosen by the bank when telephone banking is set up for the customer.

    --
    God: An invisible friend for grown-ups.
  22. No changes for me, thanks. by evilviper · · Score: 4, Insightful

    Personally I found the original change funny, like the customer did.

    The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.

    I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  23. Re:What the hell? by SEMW · · Score: 3, Insightful

    This isn't a "help desk", it's a telephone banking system. You call up the bank and do your banking over the phone. That means -- yes! -- that the guy you're talking to has unfettered access to your account. That's the inevitable price you pay for convenience if you want to do your banking over the phone.

    --
    What's purple and commutes? An Abelian grape.
  24. Re:How did they even know his password to begin wi by Firehed · · Score: 2, Interesting

    Your banking auth code isn't necessarily stored as plaintext in the DB. Amazon has my credit card number stored, and I'll be damned if it's in there as 3723-7... I mean, yeah. Anyways, it's in there via a 2-way encryption algorithm - functionally identical to how SSL works, even if the methods involved are completely different.

    Now of course I have no way of knowing if they store the phone-in verification codes in some sort of encrypted form, but just because someone at the bank can read it doesn't mean it's STORED as plaintext, it just means it's NOT stored after being put through a one-way hash (md5, sha1, etc). But that's just as true in your bank's DB as on Slashdot's as on that cobbled-together inventory logging system I made a couple years back for a small biz project. If you didn't have a hand in building the system, and said system isn't open-source, you just have to hope and assume that they've done things with a reasonable degree of security. (FWIW I did encrypt the passwords in that thing, even if the rest of the system was clumsy as hell)

    --
    How are sites slashdotted when nobody reads TFAs?
  25. Re:What are they doing being able to read password by itsybitsy · · Score: 2, Insightful

    I don't get the person who moderated the parent posting; how on earth was that Trolling? Whoever moderated is off their rocker.

    When I tell people about passwords I always tell them that they need to use a NEW password with each service in case the people at that web site/company look at the password and then use it in identity theft. This makes your privacy more secure. Just don't leave the password information out in the open...

  26. Passwords are awful for security by mcrbids · · Score: 5, Interesting

    Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.

    All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.

    And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.

    Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.

    On the other hand, dual-key cryptography is rather good for security.

    It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.

    Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)

    You enter in the passphrase for your private key. You enter the response back into your website, whatever.

    Weaknesses? Not many.

    1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.

    2) You can use your doohickey through the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter the challenge into the doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without the doohickey, he can't do anything more.

    3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.

    The doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (e.g. wife's middle name, the street you were born on, etc.)

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
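    The challenge-response scheme the comment describes, as an added example that is not part of the original post and not any real product's code: a Go program that models the "doohickey" as a holder of an Ed25519 private key and the website as a verifier that issues a fresh, single-use random challenge, so an overheard response (the son-in-law case) buys exactly one login. The names Token, Verifier and the user "alice" are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
)

// Token models the "doohickey": it holds the private key and never exports it.
// (Constructed for this example; the device itself is hypothetical.)
type Token struct {
	priv ed25519.PrivateKey
}

// NewToken generates a key pair; only the public key leaves the token.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// Respond signs the challenge the user typed in; the result is what the user
// reads back to the website, or to a relative over the phone.
func (t *Token) Respond(challenge string) string {
	sig := ed25519.Sign(t.priv, []byte(challenge))
	return base32.StdEncoding.EncodeToString(sig)
}

// Verifier is the website side: enrolled public keys plus the one challenge
// currently outstanding for each user.
type Verifier struct {
	pubs       map[string]ed25519.PublicKey
	challenges map[string]string
}

func NewVerifier() *Verifier {
	return &Verifier{
		pubs:       map[string]ed25519.PublicKey{},
		challenges: map[string]string{},
	}
}

// Enroll stores a user's public key; anyone may learn it without harm.
func (v *Verifier) Enroll(user string, pub ed25519.PublicKey) {
	v.pubs[user] = pub
}

// Challenge issues a fresh random challenge (128 bits, base32 so it can be
// typed). Issuing a new one invalidates any previous outstanding challenge.
func (v *Verifier) Challenge(user string) (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	c := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b[:])
	v.challenges[user] = c
	return c, nil
}

// Login accepts only a valid signature over the user's outstanding challenge
// and consumes that challenge whether or not the response was correct, so a
// response overheard on the phone cannot be replayed for a second login.
func (v *Verifier) Login(user, response string) bool {
	pub, havePub := v.pubs[user]
	c, haveChal := v.challenges[user]
	if !havePub || !haveChal {
		return false
	}
	delete(v.challenges, user)
	sig, err := base32.StdEncoding.DecodeString(response)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(c), sig)
}

func main() {
	tok, pub, _ := NewToken()
	v := NewVerifier()
	v.Enroll("alice", pub)
	c, _ := v.Challenge("alice")
	resp := tok.Respond(c)
	fmt.Println("first login ok:", v.Login("alice", resp)) // true
	v.Challenge("alice")
	fmt.Println("replayed response ok:", v.Login("alice", resp)) // false
}
```

The response is a 64-byte signature (about 100 base32 characters), which is the price of a real signature scheme; the comment's "weak form" would trade some of that length for security.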
  27. Next time.. by Stormie · · Score: 2, Funny

    ..try "Lloyds ist toten hosen"

    They probably won't change that one.

  28. Plain text password necessary? by awol · · Score: 3, Interesting

    My bank asks me the jth and kth letters of my password and never (and corresponds regularly to tell me so) asks for my complete password. Whilst this suggests that they do have the plain text stored on their system, could one devise a system that encrypted each letter of the password in some way that did not compromise the security of the stored hashes any more than the original hash?

    Assuming a "strong" 8 letter password and two letters for verification it means that there is a 1 in 676 chance of a client guessing correctly in a single operator/client session. Not an unreasonable risk given the security that could be built into the session to avoid brute strength attacks.

    I am having a bit of a think about it and I can think of a couple of techniques, but I am not sure that they are worthwhile. For example:

    Just store all the encrypted pairs (NC2) where N is password length, assuming 8 characters, only 28 combinations. Can these be stored without compromising the crackability of the whole password? I guess it would but by how much is a bit beyond my thumbnail calculating ability. Or;

    Can we build a sufficiently strong transposition cypher so that we can compare specific letter positions encrypted without knowledge of the other letters?

    My other bank uses SMS messages with one time codes to do verification. That seems to be very effective.

    --
    "The first thing to do when you find yourself in a hole is stop digging."
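    The per-pair storage idea raised in the comment above (and the two-random-characters telephone check described in comment 21), as an added example that is not from the commenter or any bank: a Go program that keeps one salted HMAC per position pair, verifies a caller's two letters against it, and then measures how little an offline attacker holding those records has to guess, which answers the "does it compromise crackability" question. PairStore, Verify, CrackPair and the sample password are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// pairKey names the two 0-based positions (i < j) one record covers.
type pairKey struct{ i, j int }

// pairRecord is the stored (salt, HMAC) for one position pair.
type pairRecord struct {
	salt []byte
	mac  []byte
}

// PairStore holds C(N,2) records for an N-character password (28 for N=8,
// as in the comment) and never keeps the password itself.
type PairStore struct {
	N    int
	recs map[pairKey]pairRecord
}

// macPair is the per-record tag: HMAC-SHA256 keyed by the salt over the two
// characters. Any hash would do; the weakness shown below is not in the hash.
func macPair(salt []byte, a, b byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte{a, b})
	return m.Sum(nil)
}

// NewPairStore derives every pair record with its own random 16-byte salt.
func NewPairStore(password string) (*PairStore, error) {
	pw := []byte(password)
	s := &PairStore{N: len(pw), recs: map[pairKey]pairRecord{}}
	for i := 0; i < len(pw); i++ {
		for j := i + 1; j < len(pw); j++ {
			salt := make([]byte, 16)
			if _, err := rand.Read(salt); err != nil {
				return nil, err
			}
			s.recs[pairKey{i, j}] = pairRecord{salt, macPair(salt, pw[i], pw[j])}
		}
	}
	return s, nil
}

// Verify checks the caller's answer for positions i and j (0-based, either
// order). Online, a blind guess succeeds with probability 1/|alphabet|^2,
// the 1-in-676 figure from the comment for lowercase letters.
func (s *PairStore) Verify(i, j int, ci, cj byte) bool {
	if i == j {
		return false
	}
	if i > j {
		i, j, ci, cj = j, i, cj, ci
	}
	rec, ok := s.recs[pairKey{i, j}]
	if !ok {
		return false
	}
	return hmac.Equal(rec.mac, macPair(rec.salt, ci, cj))
}

// CrackPair shows the offline cost of one stolen record: the tag covers only
// two characters, so at most |alphabet|^2 MACs (676 for lowercase) recover
// them. Chaining (0,1),(2,3),(4,5),(6,7) recovers all 8 with at most 4*676.
func (s *PairStore) CrackPair(i, j int, alphabet []byte) (a, b byte, guesses int, ok bool) {
	rec, found := s.recs[pairKey{i, j}]
	if !found {
		return 0, 0, 0, false
	}
	for _, x := range alphabet {
		for _, y := range alphabet {
			guesses++
			if hmac.Equal(macPair(rec.salt, x, y), rec.mac) {
				return x, y, guesses, true
			}
		}
	}
	return 0, 0, guesses, false
}

func main() {
	s, _ := NewPairStore("password") // constructed sample password
	fmt.Println("records stored:", len(s.recs))                     // 28
	fmt.Println("3rd and 7th letters s,r:", s.Verify(2, 6, 's', 'r')) // true
	lower := []byte("abcdefghijklmnopqrstuvwxyz")
	a, b, n, _ := s.CrackPair(0, 1, lower)
	fmt.Printf("positions 0,1 recovered as %c%c after %d guesses\n", a, b, n)
}
```

The online guess rate is what the session controls; the stored records are the offline exposure, and that is where this scheme loses almost all of the original hash's strength.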
  29. Umm - it starts earlier than that.. by cheros · · Score: 3, Insightful

    The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.

    If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as ex Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.

    If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:

    "What is your password, Sir?"
    "You are all complete morons"
    "That is correct, Sir, thank you"
    :-)

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  30. wrong tree by Tom · · Score: 2, Insightful

    "funny or not" isn't the right question to ask here.

    The right question is: "Why was customer service able to access his plain text password?" - when every book about security tells you to store passwords hashed. They should never even know what his password actually is.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:wrong tree by fotbr · · Score: 2, Informative

      RTFA. VOICE password. The person answering the phone for the bank needs to be able to see it to verify the caller is indeed the account holder.

  31. Re:Lloyds, not "'Llyods" by 1u3hr · · Score: 4, Informative

    And while I'm at it:
    The headline; "Changing Customers Password Without Consent" needs a possessive apostrophe ("Customer's") and in the text:
    "a sense of humour rears it's ugly head" should NOT have an apostrophe.

    Slashdot "editors"? Where can I get a job like that you can do blind drunk while playing video games?

  32. It's still retarded security by Moraelin · · Score: 4, Interesting

    So basically every single operator they've ever employed can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?

    And you don't see the problem yet?

    How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?

    Of course, now when you talk to an operator, you tell them your password. So now we're back to problem 1, albeit with fewer people having access to it.

    So, better yet, how about making you type it on the phone pad? Then their PBX can extract any such keypresses and send them directly to the computer. There is no need for the human operator to ever hear or read that sequence.

    So basically, you can jolly well stop pretending that crap security is anything else. Yes, it may require some 5 minutes of thinking to solve those problems, but they _are_ solvable.

    This kind of thinking inside the box (basically, "it's been done so before, so I guess we'll have to do the same"), and throwing your hands up in defeat each time it requires more thought than applying verbatim what you already know, is the real problem with security nowadays. Most people don't even bother trying to think about what could go wrong, and how (if at all) it's preventable.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:It's still retarded security by Anonymous Coward · · Score: 5, Funny

      And who's to stop them from calling after hours and pretending to be you?

      Perhaps the fact the call center would be closed after hours?

    2. Re:It's still retarded security by Clovis42 · · Score: 4, Interesting

      So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?

      I worked for a Staples Call Center for a while. One night I took an order from some guy. At the end I asked for his credit card number, name on the card, and the billing address. He hesitated on the last question, and stated, "But if I give you all that information, there's nothing to stop you from making an order using my credit card." I had no idea how to respond to this. Yes, you are giving me all the info I need to make a purchase via credit card, because that is what you are doing. So, I really don't see this password thing as a problem. If money disappears from a customer's account, those employees will be the first suspects. They are all probably smart enough to realise this and won't be stealing the information. I, and hundreds of other employees, could have walked out of the Call Center with hundreds of people's credit card info every day.

      --
      Clovis
      ^ Clovis, look! It's that guy you are!
    3. Re:It's still retarded security by AP31R0N · · Score: 2, Interesting

      i've canceled membership in forums and other sites because they sent my PW in plain text. Followed by a nastygram sent to their "Contact Us" or "Help" link. It's inexcusable for PW to ever be in plain text, particularly on the side of the people hosting the service.

      --
      Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
    4. Re:It's still retarded security by mhall119 · · Score: 4, Funny

      Better yet, read your public key to the teller, who then generates some random data, encrypts it with your public key and the bank's private key, then reads out both the cipher text and their public key over the phone to you. You then decrypt the data, and re-encrypt it with their public key plus your private key, and read the cipher text back to them, over the phone.

      Of course, you'd want to call them first thing in the morning, so you can finish the transaction before close of business.

      For efficiency, you can both keep a copy of each other's public keys after the first transaction, but you'll then need to read the contents of your respective revocation lists to each other, to make sure they're still valid.

      --
      http://www.mhall119.com
    5. Re:It's still retarded security by knarfling · · Score: 2, Insightful

      How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?

      Let's just see how well that will work, shall we?

      Operator: Can I get your password, please?
      Customer: Sure. Lloyds is pants.

      O: Is that Sure, Lloyds is pants, or just Lloyds is pants?
      C: Just Lloyds is pants.

      O: I am sorry, that is not working. Did you capitalize all of Lloyds, or just the first letter?
      C: *I* didn't capitalize anything. My password is Lloyds is pants, just like I said.

      O: I am sorry, sir, that password is not working.
      C: Did you guys change my password on me again? I swear, every time I talk to you, my password gets changed on me or someone screws up my password. The last time I called I spent a half hour on the phone before I realized that your stupid rep typed in p-a-n-c-e instead of p-a-n-t-s for my password.

      O: P-a-n-t-s? There we go. Your password is working now. I am sorry for the inconvenience. Welcome to Lloyds. How can we handle your money for you today?

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  33. Not everyone lives in the UK or Ireland by FreeUser · · Score: 2, Informative

    Or he lives somewhere other than the United Kingdom or Republic of Ireland, and has never travelled to either of those places.

    Plc is somewhat analogous to GmbH or LLC elsewhere.

    --
    The Future of Human Evolution: Autonomy
  34. Acceptable by QuietLagoon · · Score: 2, Insightful

    What isn't acceptable is the refusal to change it per the customer's requests after that."

    Two additional things are not acceptable:

    1. the customer service rep having access to the plain text password (corollary: passwords being stored in plain text)
    2. the customer service rep changing a customer's password without the permission of the customer
  35. once upon a time you were right by BitterAndDrunk · · Score: 2, Interesting

    But no longer:

    Interest rates are no longer the lifeblood of banks. These days fees and other non-interest income account for more than 40 percent of a bank's revenue and contribute about the same percentage to the bottom line.

    Source

    --
    You better watch out, there may be dogs about . . .
  36. That's still a rather fragile assumption by Moraelin · · Score: 3, Insightful

    That seems to me like a very fragile assumption.

    Yes, you'd think that most people are smart enough to not do stuff where they could end up in jail, but about 1% of the population of the USA _is_ currently in jail. You'd think that most people are sane enough, but 0.4 to 0.6 of the population are schizophrenic. You'd think that most people are nice enough to their fellow human, but about 1 in 30 qualifies as sociopath, and 1 in 100 as outright complete psychopath.

    You don't take those precautions against most of those call centre employees which are honest, sane, smart and nice, like you were. You take them against the schizophrenic dude who'll sell that data because the ghosts threatened to suck his soul through his nose if he doesn't. You take them against the disgruntled sociopathic admin who wants to go out with a bang. (See for example the recent news about the guy who locked a city administration out of their computers.) You take them against the idiot who'll sell an old computer on eBay without first erasing the database files or backups off it. (See the recent story.) You take them against the irresponsible (if well meaning) insurance/investment/etc salesman, who'll copy the whole damn customer database on his laptop so he can show a snappy chart to a potential customer. You take them against the idiot rent-a-coder who'll zip your whole database and post it on the web, when asking for help with some trivial formatting problem. (Yes, one dude did exactly that. Twice.) You take them against the irresponsible boss who'll copy that whole damn database on a USB stick, and give it to some programming contractor so he doesn't have to work on-site. And then said contractor loses the stick. (See the recent leak in the UK.) You take them against the irresponsible "tech savvy" guy, who'll open an insecure tunnel right through your firewall, so he can work from home, and thinks that nobody will guess the port. Etc.

    It's not just you call centre guys who can see those plaintext passwords, you know. There's a whole lot of people who might end up seeing that data, some of which you'd never even think about off the top of your head. E.g., that Eastern European janitor who was emptying the dustbins while you were looking up someone's plaintext password.

    Security is about trying to prevent as many of those as you realistically can. Just because you call-centre guys get to hear the password as plaintext, is no reason why everyone in IT or with enough clue to run an SQL query should also be able to get to them.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:That's still a rather fragile assumption by spun · · Score: 4, Interesting

      Fragile assumptions are the building blocks of society.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    2. Re:That's still a rather fragile assumption by Frank+T.+Lofaro+Jr. · · Score: 2, Insightful

      Last year, there was only one case where one of those transactions was from a stolen credit card number.

      That you know of.

      There could be literally hundreds of undetected and/or unreported cases.

      --
      Just because it CAN be done, doesn't mean it should!
  37. Pants by Slashdot+Parent · · Score: 2, Insightful

    You explained everything but the most important part. Why are pants offensive? I do not find pants to be offensive at all.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  38. what isn't acceptable is by josepha48 · · Score: 2

    that someone else knew what his password was. That means that they track and can read your password. I don't think that would make me feel comfortable. I would hope that passwords were stored encrypted and not decryptable by staff.

    --
    Only 'flamers' flame!
    Does slashdot hate my posts?