
http://jumba.com.au does this as well; when on the phone to you, they ask you for your password, and the customer support person checks it on their screen.

(What could possibly go wrong?)




Depressingly, this seems to be a bit of an Australian thing, as iiNet (and the various ISPs they've bought) are guilty of this too.


Are you sure of this? The CSR could also be comparing the hashed/bcrypted/whatever version of the password you give them over the phone to the hashed/bcrypted/whatever version stored in the database.
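The hash comparison suggested in the comment above, as an added example that is not part of the thread or of any provider's actual system: the support screen calls a check that returns only match or no match, and the stored record holds a salt and derived key rather than the password. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here, and the function names, record layout and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def enroll(password: str) -> dict:
    """Build the record stored at signup: salt and derived key only."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "key": key, "iterations": ITERATIONS}


def csr_check(record: dict, spoken: str) -> bool:
    """What a support screen would call: the result is match / no match."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", spoken.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(candidate, record["key"])


def record_exposes_password(record: dict, password: str) -> bool:
    """True if the plaintext appears in any stored byte field."""
    raw = password.encode("utf-8")
    return any(isinstance(v, bytes) and raw in v for v in record.values())


if __name__ == "__main__":
    # Constructed sample value, not a real credential.
    rec = enroll("correct horse battery staple")
    print("match:", csr_check(rec, "correct horse battery staple"))
    print("mismatch:", csr_check(rec, "correct horse battery stable"))
    print("plaintext in record:", record_exposes_password(rec, "correct horse battery staple"))
```

A check like this only covers the stored copy: the password is still spoken to the support agent, and any copy typed into a ticket sits outside it.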


To activate SSH on your account, you are required to dump your password into the free-text area on a support ticket (see http://support.jumba.com.au/kb/questions/45/Do+you+offer+SSH... ).

Given they do this sort of thing, even if they did do fancy hash comparisons when I called them, they still have people's passwords hanging around in plain text elsewhere on the system.


Wow, ok. Yah that sounds about as bad as it gets. Stay away!



