-
Bluefront
- *Lifetime Patron*
- Posts: 5316
- Joined: Sat Jan 18, 2003 2:19 pm
- Location: St Louis (county) Missouri USA
Post
by Bluefront » Wed Jun 13, 2007 2:56 am
With some places anyway. You'd think by now that everyone would be schooled in password protection....not so. Example. My new ISP was connecting ok, but the EMail refused to work. I finally called their tech support from another location (not my home phone). I told the guy my problem and my user name.....he asked me if my password was "XXXXX". I said yes and he fixed the problem which was at his end.
What he should have done was ask me for the password I registered. This didn't dawn on me till after the incident. Anybody could call these people with a similar story, and get another person's password.....all you'd need was the EMail address, and this same "tech" person to answer the phone. I guess you're never safe enough these days......
![Mad :x](./images/smilies/icon_mad.gif)
-
kogi
- Posts: 155
- Joined: Tue Apr 08, 2003 2:02 pm
- Location: sydney.au
Post
by kogi » Wed Jun 13, 2007 3:07 am
That's a really bad system. I thought with all/most systems, an administrator can't find out your password, only reset it.
kogi
-
mellon
- Posts: 105
- Joined: Thu Apr 21, 2005 12:17 am
- Location: Helsinki, Finland
Post
by mellon » Wed Jun 13, 2007 5:01 am
Seconded. That kind of a setup means that anyone on the inside can access your email without you knowing. Probably the username/password combination is also stored in plaintext somewhere on the server so when it gets compromised it is trivial for the attacker to get lots of good username/password information.
If at all possible, change to a better ISP. If they can't do basic password protection properly they'll screw up something else too.
-
quikkie
- Posts: 235
- Joined: Tue Sep 20, 2005 5:21 am
- Location: Soham, UK
Post
by quikkie » Wed Jun 13, 2007 5:11 am
Having worked for a small scale ISP before (in 2000), if I wanted to read your email I'd just start a text editor on the mail server and start reading.
I've not yet come across an email server (either POP3 or SMTP) that encrypted its message store. Although I am looking at a mail server currently (Zimbra) that uses a database backend as the message store, and I believe I'm right in thinking that the database is access controlled.
And I second the idea of shopping around for another ISP, that "system" in use is incredibly insecure and wide open to abuse.
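The "verify or reset, never read back" design the posters in this thread describe, as an added example that is not part of any post and not any ISP's actual code: the store keeps only a per-user salt and scrypt hash, so a support tech can check a password the caller supplies or issue a reset, but has nothing to read out over the phone. The `AccountStore` class, its method names and the sample account are hypothetical.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed values for this example; tune for your hardware)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


class AccountStore:
    """Hypothetical account store: holds salt + scrypt hash, never the password."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)  # fresh random salt on every change
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        self._records[username] = (salt, digest)

    def verify(self, username, candidate):
        """The caller supplies the password; the only answer is True or False."""
        known = username in self._records
        # Unknown users are hashed against a dummy record so both paths cost the same.
        salt, digest = self._records.get(username, (b"\0" * 16, b"\0" * 32))
        attempt = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT)
        return hmac.compare_digest(attempt, digest) and known

    def support_view(self, username):
        """Everything a support tech sees: no field the password can be read from."""
        return {"username": username, "has_password": username in self._records}

    def admin_reset(self, username):
        """An administrator can replace the password but never recover the old one."""
        temporary = secrets.token_urlsafe(12)
        self.set_password(username, temporary)
        return temporary  # to be delivered to the account owner out of band


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("user@isp.example", "constructed-sample-pass")  # constructed data
    print(store.support_view("user@isp.example"))
    print(store.verify("user@isp.example", "constructed-sample-pass"))
```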