Geekzone: technology news, blogs, forums
BDFL - Memuneh
62969 posts

Uber Geek
+1 received by user: 13550

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1306244 16-May-2015 12:00
4 people support this post

There is no good excuse for passwords to be visible. Even for support. Worst case, reset password with a notification to owner so even then CSRs don't see them.




Awesome
4841 posts

Uber Geek
+1 received by user: 1097

Trusted
Subscriber

  Reply # 1306248 16-May-2015 12:38
2 people support this post

freitasm: There is no good excuse for passwords to be visible. Even for support. Worst case, reset password with a notification to owner so even then CSRs don't see them.


This x1000. People often reuse passwords all over the place, and this is a huge fraud opportunity for a less than honest CSR.

And the fact that the password is visible to the CSR in the first place indicates it's likely not encrypted. If your database gets hacked and someone makes off with all the email addresses and passwords...




Twitter: ajobbins


 
 
 
 


4340 posts

Uber Geek
+1 received by user: 992


  Reply # 1306250 16-May-2015 12:42

Demeter:
freitasm: Two words: social engineering.



Hmm... I hear what you're saying, but if the person has such a vested interest and knows enough personal details to pass security checks so they can get an email password, for example, I'm sure they can get the info regardless of whether they are speaking to someone on the phone or using an automated system to retrieve it. Not allowing CSRs to see passwords has so many downsides (support wise) that I don't even know where to begin.

I can't see a user's password in my role. But we have a policy of resetting it and e-mailing it to the registered address, which works quite well. If the address needs updating, they send us an e-mail to let us know what the new one is and we update it (after confirming it's all above board).

2625 posts

Uber Geek
+1 received by user: 1137

Trusted
Lifetime subscriber

  Reply # 1306252 16-May-2015 12:47

ajobbins:
freitasm: There is no good excuse for passwords to be visible. Even for support. Worst case, reset password with a notification to owner so even then CSRs don't see them.


This x1000. People often reuse passwords all over the place, and this is a huge fraud opportunity for a less than honest CSR.

And the fact that the password is visible to the CSR in the first place indicates it's likely not encrypted. If your database gets hacked and someone makes off with all the email addresses and passwords...


This ×400000 times. Not encrypting your password database is asking for trouble from a less honest CSR or network admin. It's not like there aren't plenty of examples of why non-encrypted passwords are bad. As someone whose day job is protecting exactly these sorts of credentials, I find it yet another reason to never be a Vodafone customer.

I don't really look forward to Vodafone NZ joining the likes of Adobe and LinkedIn but only worse since they aren't even hashed.

Lesigh.





Glurp
9707 posts

Uber Geek
+1 received by user: 4636

Subscriber

  Reply # 1306284 16-May-2015 13:26

I would not be happy receiving an important password by email, even if it is secure. Forum logins okay, they can be quickly changed, but not anything involving money.





I reject your reality and substitute my own. - Adam Savage
 


663 posts

Ultimate Geek
+1 received by user: 92

Trusted

  Reply # 1306642 17-May-2015 14:36

Receiving a password that has been reset and can rapidly be changed again is different from being emailed your current password. One is OK (but far from perfect); the other is certainly poor practice.



