
Your Password is NOT Safe.

Posted: Wed Jun 13, 2007 2:56 am
by Bluefront
With some places anyway. You'd think by now that everyone would be schooled in password protection....not so. Example. My new ISP was connecting ok, but the EMail refused to work. I finally called their tech support from another location (not my home phone). I told the guy my problem and my user name.....he asked me if my password was "XXXXX". I said yes and he fixed the problem, which was at his end.

What he should have done was ask me for the password I registered. This didn't dawn on me till after the incident. Anybody could call these people with a similar story, and get another person's password.....all you'd need was the EMail address, and this same "tech" person to answer the phone. I guess you're never safe enough these days...... :x

Posted: Wed Jun 13, 2007 3:07 am
by kogi
That's a really bad system. I thought with all/most systems, an administrator can't find out your password, only reset it.

kogi

Posted: Wed Jun 13, 2007 5:01 am
by mellon
Seconded. That kind of a setup means that anyone on the inside can access your email without you knowing. Probably the username/password combination is also stored in plaintext somewhere on the server, so when it gets compromised it is trivial for the attacker to get lots of good username/password information.

If at all possible, change to a better ISP. If they can't do basic password protection properly they'll screw up something else too.
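
The two posts above contrast a system where an administrator can only reset a password with one that stores it in plaintext. A minimal sketch of the first kind follows; it is an added example, not part of the thread, and the `CredentialStore` class, its method names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # assumed work factor for this example


class CredentialStore:
    """Keeps only (salt, PBKDF2 digest) per user; the plaintext is never stored."""

    def __init__(self):
        self._db = {}  # username -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def set_password(self, user, password):
        salt = os.urandom(16)  # per-user salt, so equal passwords hash differently
        self._db[user] = (salt, self._derive(password, salt))

    def verify(self, user, candidate):
        record = self._db.get(user)
        if record is None:
            # Do the same work for unknown users so timing does not reveal them.
            self._derive(candidate, b"\x00" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._derive(candidate, salt))

    def support_view(self, user):
        """All a help-desk screen can show: no password, salt or digest."""
        return {"user": user, "has_password": user in self._db}

    def support_reset(self, user):
        """Support can replace the password with a random one, not read the old one."""
        temporary = secrets.token_urlsafe(12)
        self.set_password(user, temporary)
        return temporary


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "correct horse")   # constructed sample account
    print(store.support_view("alice"))             # nothing secret to read out
    print(store.verify("alice", "correct horse"))  # caller proves knowledge
    store.support_reset("alice")                   # old password stops working
    print(store.verify("alice", "correct horse"))
```

With this layout a support agent has nothing to read back over the phone, and a copy of the stored records yields salted digests rather than usable passwords.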

Posted: Wed Jun 13, 2007 5:11 am
by quikkie
Having worked for a small scale ISP before (in 2000), if I wanted to read your email I'd just start a text editor on the mail server and start reading.

I've not yet come across an email server (either POP3 or SMTP) that encrypted its message store. Although I am looking at a mail server currently (Zimbra) that uses a database backend as the message store, and I believe I'm right in thinking that the database is access controlled.

And I second the idea of shopping around for another ISP; that "system" in use is incredibly insecure and wide open to abuse.