Geekzone: technology news, blogs, forums


Distorter

185 posts

Master Geek


#154688 4-Nov-2014 15:33

Not sure if I am posting this in the right area, but found this quite bizarre.

I wanted to place a bet on the Melbourne Cup but couldn't remember my details to log into my account on the TAB website. So I rang their help line; once connected, the CSR confirmed my details and then... TOLD me what my password was.

Not that happy that they have a system in place that allows them to view passwords. Anyone from Catalyst on these forums? I believe they look after the TAB website.

Is this normal practice? Where I work most things are single sign on through ADFS and of course you can't read passwords from Active Directory.

amanzi
971 posts

Ultimate Geek

Trusted

  #1168585 4-Nov-2014 15:35

No, that's never a good idea... What security checks did they do before reading you the password? How did you identify yourself?

Distorter

185 posts

Master Geek


  #1168596 4-Nov-2014 15:39

My date of birth and the PIN on my account. If I didn't know the PIN, which I did, then they probably would've asked for email, I assume.


nathan
5686 posts

Uber Geek

Trusted
Microsoft

  #1168609 4-Nov-2014 16:14

Sounds like they're storing passwords using reversible encryption.


That's not a sensible security best practice using plaintext versions of the passwords; they should be hashed.




populism, the most important and misunderstood movement of our time


gcorgnet
894 posts

Ultimate Geek

Subscriber

  #1168611 4-Nov-2014 16:21

nathan: Sounds like they're storing passwords using reversible encryption.


That's not a sensible security best practice using plaintext versions of the passwords; they should be hashed.


Aha! You seem to assume they are even using encryption.

If some CSR on the phone was able to dig out the password so easily, I would say the thing wasn't even encrypted. Really bad practices!
Always amazes me to realise something we just take for granted is actually missing from a lot of systems, even in big companies...
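
The hashed storage suggested in the thread, as an added example that is not part of any post above and is not TAB's or Catalyst's code: a salted scrypt record lets the site check a login attempt, while a support screen reading the same record has nothing to read back to a caller. The function names, record layout and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Illustrative scrypt cost settings (assumption, not taken from the thread).
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def make_record(password: str) -> dict:
    """Build what the database stores: a random salt and a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex(), "params": dict(SCRYPT_PARAMS)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.scrypt(
        candidate.encode("utf-8"),
        salt=bytes.fromhex(record["salt"]),
        **record["params"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def support_view(record: dict) -> str:
    """Everything a help-desk screen could display from the record: opaque hex only."""
    return f"salt={record['salt']} hash={record['hash']}"


if __name__ == "__main__":
    sample = "melbourne-cup-2014"  # constructed sample password
    rec = make_record(sample)
    print(support_view(rec))           # nothing here can be read out over the phone
    print(verify(rec, sample))         # the correct password still logs in
    print(verify(rec, "wrong-guess"))  # anything else is rejected
```

With storage like this, a forgotten password can only be handled by a reset, not by looking it up.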
