Passwords should be private

I had this issue a while ago with Oceanic and I thought it was resolved, but then something happened the other day that showed that was clearly not the case. Back when I was first playing around with sending mail through Gmail using Road Runner's servers I was calling support and talking to them a lot. At one point they asked me to confirm my password, which confused me. I asked them to repeat themselves and they were asking me to tell them my password. It wasn't so that they could try it themselves, but so that the random technician I was talking to could confirm that what I was typing was the same as what he was looking at on the screen. He was able to pull up my password on his account. At the time, this was a big deal for me as I was using 3 passwords and sharing them for various things. This password he had sitting in front of him was used for various other sites and even some things on my computer. Now this is a poor security practice on my end which I have fixed, but it's also a horrible policy on their end as well.

I called back later and asked to talk to a supervisor to find out why some random tech is able to pull up my password. It took them a while to get back to me but someone quite nice eventually got back and explained the situation. The tech was able to read off what my password was the last time they reset it. This would be a random password they generated, and I would have changed it to my personal password afterwards. The tech, she said, would not be able to pull up my current, personal password. So all was well. Or so I thought...

Oceanic's billing site changed a while ago from using a PIN to log in (4-digit password) to a normal password (alphanumeric). I had forgotten I changed my password and failed to log in too many times, which resulted in my account being locked. So I called them up and asked for them to unlock my account. They asked for some random information to confirm I was me and then asked for my PIN. I gave them the wrong PIN first, and then she says 'no, that's not what we have on file, we have ####'. She just gave me my own PIN... but whatever, I had answered a few questions already so I was more than likely me. Then she says 'alright, I've unlocked your account and your password is ###...'. I told her to stop. She was reading off what my old password was; she didn't reset it, she just pulled it up and was reciting it to me. Now at this point I'm using randomly generated passwords for all websites, so this one is unique and can't be used for other sites. Still, the point is you should not be able to see a user's password.

To clarify what the ideal situation is: if a user gets locked out of their account, after you confirm that the user is who they say they are, you unlock their account and, if need be, reset the password to something randomly generated. This is standard policy on every network that I have ever had to deal with, and it amazes me that, for starters, anyone seems to be able to pull up my password in their system and that they don't have this type of reset policy in place. I really wonder what's going on over at Oceanic and am even more amazed that after sending them 3 resumes they never bothered to contact me for an interview.
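The reset flow described above, as an added example (not code from the original post, and not how Oceanic's system works): accounts keep only a salted PBKDF2 hash, too many failed logins lock the account, and a support reset unlocks it and hands out a random one-time password that is itself stored only as a hash, so nobody can read it back later. The in-memory store, user names and lockout threshold are constructed for the demo.

```python
import hashlib
import os
import secrets
import string

# Constructed in-memory account store: only a salted hash of each
# password is kept, so nobody (support included) can read it back.
PBKDF2_ROUNDS = 200_000
MAX_FAILED_ATTEMPTS = 5  # assumed threshold for the demo
ACCOUNTS = {}  # username -> {"salt", "hash", "failed", "locked", "must_change"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(user: str, password: str, must_change: bool = False) -> None:
    salt = os.urandom(16)  # fresh per-user salt on every change
    ACCOUNTS[user] = {"salt": salt, "hash": _hash(password, salt),
                      "failed": 0, "locked": False, "must_change": must_change}


def login(user: str, password: str) -> bool:
    acct = ACCOUNTS.get(user)
    if acct is None or acct["locked"]:
        return False
    if secrets.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
        acct["failed"] = 0
        return True
    acct["failed"] += 1
    if acct["failed"] >= MAX_FAILED_ATTEMPTS:
        acct["locked"] = True  # lockout, as on the billing site
    return False


def support_view(user: str) -> dict:
    """What a technician can see: account status only, never the password."""
    acct = ACCOUNTS[user]
    return {"locked": acct["locked"], "failed": acct["failed"]}


def support_reset(user: str) -> str:
    """Unlock and issue a random one-time password, returned exactly once.
    Only its hash is stored, so it cannot be recited to anyone later."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(16))
    set_password(user, temp, must_change=True)
    return temp
```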
