Geekzone: technology news, blogs, forums
Distorter

242 posts

Master Geek
+1 received by user: 40


#154688 4-Nov-2014 15:33

Not sure if I am posting this in the right area, but found this quite bizarre.

I wanted to place a bet on the Melbourne Cup but couldn't remember my details to log into my account on the TAB website. So I rang their help line. Once connected, the CSR confirmed my details and then... TOLD me what my password was.

Not that happy that they have a system in place that allows them to view passwords. Anyone from Catalyst on these forums? I believe they look after the TAB website.

Is this normal practice? Where I work most things are single sign on through ADFS and of course you can't read passwords from Active Directory.

amanzi
Amanzi
1354 posts

Uber Geek
+1 received by user: 332

ID Verified
Trusted
Lifetime subscriber

  #1168585 4-Nov-2014 15:35

No, that's never a good idea... What security checks did they do before reading you the password? How did you identify yourself?



Distorter

242 posts

Master Geek
+1 received by user: 40


  #1168596 4-Nov-2014 15:39

My date of birth and the PIN on my account. If I didn't know the PIN, which I did, then they probably would've asked for my email, I assume.

nathan
5695 posts

Uber Geek
+1 received by user: 1630
Inactive user


  #1168609 4-Nov-2014 16:14

Sounds like they're storing passwords using reversible encryption.

That's not sensible security best practice, using plaintext versions of the passwords; they should be hashed.



gcorgnet
1096 posts

Uber Geek
+1 received by user: 273

ID Verified

  #1168611 4-Nov-2014 16:21

nathan: Sounds like they're storing passwords using reversible encryption.

That's not sensible security best practice, using plaintext versions of the passwords; they should be hashed.

Aha! You seem to assume they are even using encryption.

If some CSR on the phone was able to dig out the password so easily, I would say the thing wasn't even encrypted. Really bad practices!
Always amazes me to realise something we just take for granted is actually missing from a lot of systems, even in big companies...
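To illustrate the point nathan and gcorgnet make above, here is an added example (not code from the thread, nor from the TAB or Catalyst systems) of what a stored credential looks like when it is a salted one-way hash: the record lets the site verify a login, but a CSR reading it back from the database could not tell the caller their password. The PBKDF2-HMAC-SHA256 parameters and the `scheme$iterations$salt$digest` record layout are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; a constructed choice for this example.
ITERATIONS = 310_000
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, one-way hash and pack it as a self-describing record.

    The record stores the algorithm, iteration count, salt and digest, never
    the password itself. Anyone who can read the database (or a helpdesk
    screen fed from it) sees only the hash, so the only support flow that
    works is a reset, not a read-back.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored parameters and compare in constant time.

    Malformed records (wrong field count, bad hex, unknown hash name) simply
    fail verification instead of raising.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        hash_name = scheme.removeprefix("pbkdf2_")
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"),
            bytes.fromhex(salt_hex), int(iterations),
        )
        expected = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def record_reveals_password(stored: str, password: str) -> bool:
    """What a CSR looking at the raw record could learn: with a one-way hash,
    neither the password nor its hex encoding appears in the record."""
    return password in stored or password.encode("utf-8").hex() in stored
```

Rotating a password after a helpdesk reset is just `hash_password(new_password)` replacing the old record; there is no "reveal" operation to offer in the first place.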
