This is a misunderstanding. The CS agent has access to a plaintext (security question) password that can be used under special circumstances. It must be readable to function.
My solution to security/recovery questions is to generate or make up random answers, and store the question/answer pair in the notes field of the entry in my password manager.
This kills the “knowing things about you” vector of phishing and impersonation and makes it as secure as any unique and random password.
I don't see why the security question answer has to be stored in the clear. If you have to give it over the phone, the agent can type it into a form field that hashes it and compares, just like a password on the site.
Because security question answers have high variability for the average user. They're asked, say, what street they grew up on. Is it "S. Main St.", "South Main", "south main", "south main street", etc...
Security questions in general are terrible so don't take this as if it's in defense of them.
My favorite are the presumptive ones that assume something like "Where did you meet your spouse?"
Someone should just go over the top: "Who was the editor of your first successful novel?" "What investment did you make your first billion with?"
What city were you born in: “Millwaukee”. The agent would be able to tell it was Milwaukee, but if he or she typed “Milwaukee” it’d go “bzzzzt” just because the user typoed the input initially at set-up.
It's a security question to access information on the account over the phone. It's not used in the web based system, which is completely detached from the phone system.
Is Reddit considered a news source now? Half of the posts on the front page are made up fictional writing, and the other half are politics and repeated questions, for the purposes of karma farming.
How do we know that the OP of this post did not make these claims up?
I've got news for you - they aren't the only ones. Other big companies in the utilities and financial sector also do this, and even some banks.
Often it's a product of repeated acquisitions, where the lowest common denominator across disparate systems is some kind of text-based format.
That said, I'm surprised a customer service agent ostensibly had access to it.
From my own observations (some made during efforts to champion change), industry has gotten better over time. There shouldn't be cases anymore where salted hashes or other alternatives can't be achieved, and I'm pleased to see the public take security and privacy seriously.
I've never designed a system that needed to be secure, nor have I been tasked with breaking one, but...
Is plaintext really that much worse than hashed/salted/whatever storage? If the user generated a hard-to-guess password, then the user is also unlikely to reuse it. If the user generated or reused a memorable password, then it would be not too costly to guess most of them using a dictionary attack or whatever the state of the art is for guessing non-random passwords.
Is this just defense in depth, or deterrence, or is there something I'm missing that makes the plaintext storage really much more dangerous?
Assume the database gets dumped. Plaintext you immediately have a password.
If hashed/salted, this would need to be cracked and takes time/resources. It's not perfect/ideal but it buys time. A raw pw dump you're good to go to start testing them on other sites.
In short, it's like having a kia/hyundai vs. any sane car manufacturer. All cars can be stolen, some just make it easy.
> Is plaintext really that much worse than hashed/salted/whatever storage?
Bruh...
Any random rogue employee (and judging from OP's post, it's accessible to not just DB admin/IT but also regular support staff) can easily scrape any password they want.
Considering OP was told the password on a call, I'd guess a low tech social engineer could easily extract any password they want as well.
> Is this just defense in depth
You use "just" as if "defense in depth" is just some security theater term with no substance.
I say "just" because if I'm missing something fundamental about how passwords are properly stored, then defense in depth might not be the point.
I read up a bit more on salting passwords, and now I see that it makes guessing the passwords _way_ harder, because it adds a factor of O(n) to the guessing (n is the number of passwords leaked).
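An added example (not code from anyone in this thread) of what the "hash it like a password" proposal above would look like, including the normalization step the street-name objection asks for and a per-user salt so two accounts with the same answer never share a digest. The abbreviation table is a constructed illustration; PBKDF2-HMAC-SHA256 from the standard library is used as the slow hash.

```python
import hashlib
import hmac
import os
import re

# Constructed abbreviation table for the example; a real deployment would tune this.
_ABBREV = {"s": "south", "n": "north", "e": "east", "w": "west",
           "st": "street", "ave": "avenue", "rd": "road"}


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so 'S. Main St.' and 'south main street'
    verify as the same secret: lowercase, drop punctuation, expand abbreviations."""
    tokens = re.findall(r"[a-z0-9]+", answer.lower())
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def enroll_answer(answer: str, iterations: int = 600_000) -> dict:
    """At set-up: keep only a random per-user salt and the PBKDF2 digest,
    never the answer itself, so a DB dump or a curious agent learns nothing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_answer(record: dict, spoken: str) -> bool:
    """What the agent's form field does: hash what the caller says and compare
    in constant time. The agent never sees the stored secret."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(spoken).encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def same_answer_distinct_records(answer: str, iterations: int = 600_000) -> bool:
    """Two users who gave the same answer get unrelated digests. This is the
    O(n) factor from salting: a guess must be re-hashed per row, not once."""
    a = enroll_answer(answer, iterations)
    b = enroll_answer(answer, iterations)
    return (a["digest"] != b["digest"]
            and verify_answer(a, answer) and verify_answer(b, answer))
```

Normalization covers formatting differences, not misspellings, so the "Millwaukee" case from the thread still fails unless the caller repeats the original typo.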
"42_red_banana_&"
The "password" here is only used over the phone in place of an account number or similar where a customer can't recall other information.
The reddit user here would have had to provide this password over the phone before to another agent. It's the only way for it to get there.
CSR: What's your mother's maiden name? Oh wait, looks like an issue on our side.
Me: No issue. My mother's maiden name is Q5D6Erty#76cjWE1H. She's Dutch.
For the record, I don't have a great answer to this either -- genuinely curious.
Source: I posted that on reddit.
It is entirely government owned and the largest electricity provider in the province.
I believe you’re thinking of Ontario Hydro, though it looks like that’s been privatized and/or split up.
Happy to be corrected though if I'm misreading this!
https://plaintextoffenders.com/
https://old.reddit.com/r/alberta/comments/1c7lk3z/ahs_privac...
Don’t know if that went anywhere… anyone know?