

How safe is your password with Verizon? - demosquared
http://pranaya.co/how-safe-is-your-password-with-verizon/

======
gketuma
Calm down people, it is just an authorization phrase that Verizon uses to make
sure you have permission to make changes. You can share that phrase with
anyone that you want to make changes to your account. Verizon probably should
not call it 'Password'. It is NOT the password that you use to login to their
site to pay your bill or anything else. The author is confused on the whole
process. The customer service rep as well should have done a better job to
explain to him the process as well.

~~~
nickles
While Verizon does use a separate authorization phrase, I've found that Condé
Nast appears to store plain text passwords. I discovered this when a CSR read
my password to me over the telephone to confirm it. I reported this issue to
Condé Nast but never heard back, so I can only assume this is still the case.

~~~
jeffclark
True. If you ever want a really good laugh, check out the software and
interfaces a magazine fulfillment company uses.

Fulfillment companies are the companies that magazine publishers hire to
handle customer service, charge and ship magazines to you at the right time.

Problem is, when it was time to put these magazines online, magazine companies
looked to fulfillment companies to handle billing and customer service for
them. These fulfillment companies had worked in 30/60 day cycles and were
running software that was created in 1985.

So when the Internet came knocking, they just rigged up some stuff to kinda
sorta do it the same way.

Before someone writes the obligatory "someone should create some software to
make digital fulfillment for old-school publishing better", you should
understand that these fulfillment companies _own_ the customer/user data.

To migrate from one fulfillment company to another, you'd have to re-collect
billing information for the entire subscription file, which would require the
publisher to contact Grandma Barbara and ask her to send in another check or
get on AOL to add her credit card. Which just isn't going to happen.

------
kdot
You don't understand the process... The billing system password is a simple
phrase to make certain changes to your Verizon account. It is designed to be
shared with people authorized to make changes to the account (i.e. your kids,
wife); if you speak with a call center employee they will ask you for the same
password.

Calm Down.

~~~
cynwoody
The fact that he had successfully logged in should have been good enough for
that purpose.

At most, a paranoid system might be designed to require a second login before
a sensitive change, on the theory that a screen might have gone unattended.
The outcome of that second logon (success or failure) is all that should be
shown to a service rep. The system should immediately destroy the password
after hashing it for comparison to the value stored in the database. This
technique is decades old.

However, I know of vendors who do store raw passwords. This is because I have
been asked to change passwords of long standing that do not stand up to silly
new rules about variety of character classes, etc. If they were one-way
hashing, they could not have known my old password didn't pass muster.
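
cynwoody's two points, hash-then-discard with only the outcome visible to a rep, and a hash-only store being unable to re-check an old password against new rules, as an added example (not code from the thread or from Verizon or any vendor; the PBKDF2 parameters and the character-class rule are assumptions):

```python
import hashlib
import hmac
import os
import re

# Added illustration, not any vendor's code. Parameters are assumptions.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Build the stored record: random salt plus PBKDF2-HMAC-SHA256 digest.
    The plaintext is consumed by the derivation and never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify_password(record, attempt):
    """Re-derive from the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def meets_policy(password):
    """Assumed 'variety of character classes' rule: 12+ chars, all four classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 12 and all(re.search(c, password) for c in classes)


def login(record, attempt):
    """Returns (verified, needs_rotation). The policy check can only run here,
    while the plaintext is briefly in memory: nothing in `record` lets anyone
    decide later whether the old password satisfies new rules."""
    verified = verify_password(record, attempt)
    needs_rotation = verified and not meets_policy(attempt)
    return verified, needs_rotation


def rep_view(record, attempt):
    """All a service rep's screen should ever show: the outcome, not the secret."""
    verified, _ = login(record, attempt)
    return "verified" if verified else "not verified"
```

A vendor that can tell you your long-standing password fails new rules without you logging in is, as the comment says, holding something other than a one-way hash.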

~~~
ch
Yes but just being logged in isn't evidence enough.

Someone might have lifted his account password and logged into the website
with it impersonating him on the chat, and so it only makes sense to then
confirm identity by challenging for that password over the same chat where he
is being impersonated... hey wait a second!

~~~
kdot
He wasn't logged in; if he was logged into the account he could have done what
he wanted, no problems. The reps don't have your web password. Your chat/call
in password is different; it's analogous to asking for your SSN to do an
account change.

------
jdludlow
_Pranaya: and FYI – I use the same password for my bank accounts, etc.._

Someone who is serious about security would never do this. The rest of the
article falls on its face at this point.

~~~
SwellJoe
So many people do this. It's the real problem, from my perspective, but I
don't know how to solve it...even people I have the opportunity to talk to
about it, at length, and explain the risks (like girlfriends), often _still_
keep the same practice. Sometimes, they'll compromise and introduce a "secure
password" for important stuff like bank accounts and GMail, and an "easy
password" for stuff like forums and unimportant stuff.

An end to passwords would be awesome. But, I haven't seen a compelling
solution to the problem.

~~~
angrydev
The solution is to use a password manager. KeePass and LastPass are pretty
popular solutions and you'll be thankful later when one site is inevitably
compromised and you don't feel like you have to change all your passwords.

It is absolutely worth the time to set up and start using.

~~~
web007
Those are great, and I've used 1Password and LastPass to generate / store
passwords for a couple years now, but they're not a proper solution.

If I have my super-secure password that I generated in my browser, Chrome will
sync it and let me log in on my browser too. Great! Now how do I get that into
my phone when the APP requests me to log in?

Answer: Some password system needs to tie into the IME of computers and phones
in order to be effective and secure wherever your passwords need to go.

OpenID / OAuth seems like the general answer, but it's not easy to use, and
it's not practical unless I can get my bank, Facebook, some mom-and-pop
website and HN to all use the same system. IME integration would bypass all of
these, and would be so much simpler than getting everyone to learn the OAuth
dance.

~~~
rogerbinns
> Now how do I get that into my phone when the APP requests me to log in?

As someone who recently factory reset their tablet and phone, boy was that
painful. The password generator passwords are long and use a wide variety of
characters, numbers and punctuation. Entering them is really tedious and time
consuming. Usually you can't see the entered password so a single error means
you have to keep trying again.

~~~
fluidcruft
Hm. Maybe something like a qr-code keyboard that would allow you to scan and
enter a code from your monitor into a text field?

------
rm999
They're referring to the 'billing system password'. I may be mistaken on this,
but I think this predates a time when most people had online accounts, which
can create confusion now that there are two things called a password. I
remember struggling to figure mine out in the late 90s when I was changing
some account settings at a store. I got the impression this password really
isn't meant to be very secure (it's usually just the last digits of your SSN),
and is used to make account changes.

[http://vzwtipsandtricks.blogspot.com/2010/11/i-forgot-my-vzw...](http://vzwtipsandtricks.blogspot.com/2010/11/i-forgot-my-vzw-account-password-aka.html)

[http://support.verizonwireless.com/faqs/My%20Verizon/billing...](http://support.verizonwireless.com/faqs/My%20Verizon/billing_statements.html)

~~~
cynwoody
She should have figured out right away that he was confusing his log-in
password with the billing password and explained the difference.

Reading the chat log, I failed to pick up the problem, and I am a Verizon
customer. A few times talking to a Verizon rep, I've been asked for the last
four of my SSN. I have to remember to give 0000. That's because, when I first
signed up, I didn't want them storing my SSN post credit-check, and they
complied.

However, I don't ever recall being asked for a "billing password". Maybe
that's because mine is still the numeric 0000. Perhaps Pranaya set up an alpha
one at some point and forgot, then got confused by the word "password".

------
zooteo
They were definitely just asking for your security phrase, not the password
for your online billing account.

As an AT&T customer, I know having one of these "passwords" is optional. If
you choose to have one as an added level of security (in addition to the last
4 of the account holder's social), you can add it to the account. Again, it can
be completely different from your online login password and is usually
something simple that can be said/understood over the phone.

I found this whole article kind of funny. The rep must have been so confused
as to why this customer was getting so hysterical over such a common thing.

------
drivers99
It isn't your password they wanted (which is what you use to login to the
site), she was asking for your "PIN" which is a code they ask for whenever you
want to make changes to your account through a store representative, on the
phone, or in this case, the online chat window. When you're in the store, you
don't type it in to anything, you tell it to the person who is looking at it
on their computer screen. The problem was she was confusing you by asking for
your password.

------
rivenfeld
I had an almost identical conversation w/a Sprint agent a couple of days ago,
where she clearly wanted my site login password (she'd already gotten the
account verification code).

After pressing the issue and refusing to provide it, she walked me through the
steps needed to resolve my issue. My feeling was, esp. after reading this, that
they are probably using the same or a similar 3rd party to provide their live
support and those 3rd parties are now finding that it's easier to log in as
users and fix their issues vs trying to walk users through the various steps
to fix it themselves. It probably brings their support times down - I
seriously doubt they care about user security.

Or heck, maybe it's a malicious attempt to get passwords... heck if I know,
just a theory. Seems like the easiest explanation. Still, unacceptable.

------
nwh
Still better than with Virgin Mobile, who enforce 6 digit numerical-only
passwords, and whose login screen has no flood control. There's absolutely no
way to have a secure account.

------
commiebob
Your password is not safe with anyone. Use a unique, strong password for
everything.

~~~
Anechoic
_Your password is not safe with anyone. Use a unique, strong password for
everything._

While I agree, that is more easily said than done for most folks. Looking
through my Keychain file, I have almost 850 internet password items. Assuming
that about a third are duplicates (www.site.com vs site.com for example)
that's still well over 500 different sites I have passwords for. Because I'm
comfortable with Keychain, I let it generate strong passwords for me (I
frequently associate custom email addresses with those passwords as well since
I own a bunch of domains). Whenever I try to get others to use various password
managers, they get confused and eventually fall back to writing passwords down
or using the same password across sites.

Someone needs to get us away from passwords fast.

------
codenerdz
[http://support.verizonwireless.com/faqs/My%20Verizon/billing...](http://support.verizonwireless.com/faqs/My%20Verizon/billing_statements.html#item16)

