

ISP Emails Customer Database To Thousands
Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."
Meanwhile ... at Demon Internet Corporate Offices (Score:5, Funny)
Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
Demon Internet CEO: Not bad, not bad
Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can
Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
Demon Internet Yeswoman: *tentatively raises her hand* Well, we could tell them that we suspected one of them was an evil dirty file sharer
Demon Internet CEO:
Demon Internet Yeswoman:
Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.
Re:Meanwhile ... at Demon Internet Corporate Offic (Score:5, Funny)
Re:Meanwhile ... at Demon Internet Corporate Offic (Score:4, Funny)
I wonder... (Score:2, Informative)
Re:Meanwhile ... at Demon Internet Corporate Offic (Score:4, Funny)
Demon Internet CEO: What does splunge mean?
Demon Internet Yesman 2: It means it's a great idea, but possibly not, and I'm not being indecisive!
Demon Internet CEO: GOOD!
Re: (Score:2, Funny)
Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs
Re:Meanwhile ... at Demon Internet Corporate Offic (Score:5, Funny)
Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P
The stories are funnier when they are fictitious, Sally.
Re:Meanwhile ... at Demon Internet Corporate Offic (Score:5, Funny)
"Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.
Re: (Score:2, Funny)
Great, I just got an diabetes and an erection from reading your post.
Sounds like you need an insulin erection.
Free market will fix this (Score:4, Insightful)
Re:Free market will fix this (Score:5, Insightful)
Storing user passwords unencrypted in an excel spreadsheet should be a crime.
Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.
Re:Free market will fix this (Score:5, Insightful)
Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.
Re: (Score:2)
I thought it was bad when places emailed you your own password, but this is pretty 'special'...
Re: (Score:2)
That's one of the first things I thought of when reading the summary.
What kind of jackass stores passwords in plain text on a DB? At the least: store the hash+salt, compare the input's hash+salt. You should NEVER store the password in a retrievable manner.
Then again, I suppose it's the same kind of jackass that doesn't do a QA run to make sure something pesky, like say, the ENTIRE client list, gets attached to your invoices.....
Someone please ID these idiots+management and post it out for the world to see
Re: (Score:2)
Re: (Score:3, Funny)
Standard practice is that nobody knows the password - you just store the hash.
Not even the user knows their own password... now that's security!
Re:Free market will fix this (Score:5, Insightful)
It's not 1980 anymore and we have the hardware and software to make secure password handling with hashes instead of recorded passwords a very simple process, so that's the first link in this long chain of failure. That those doing the billing have access to the passwords shows that there are a lot of links in this chain that should not be there.
Re: (Score:2, Insightful)
If even the computer knows the password somebody has made a hash of the job
Of course you mean that if even the computer knows the password, somebody failed to make a hash of it. Good call though!
Not any more... (Score:2)
Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.
It is now a bit naive to think that things work like this in the industry. Years ago, this was indeed the forward thinking, "engineered" best practice, and though not directly, why systems like Kerberos were originally created.
Sadly however, with the advent of the web, SSL, LDAP, and hundreds of other possible databases to need access, most PHB types quickly bought into "identity management" schemes being pawned by multiple vendors. These schemes end up "managing" your kept password(s) into "secret stores
Re: (Score:2)
That depends on who you ask. A LOT of IT organisations keep passwords around, since users just can't take their passwords seriously enough. With company data (or any other data really) encrypted using passwords/keys, it's not simply a matter of resetting the password and continuing as if nothing had happened.
Re: (Score:2)
That's all well and good until the ISP everyone flocks to has a data breach.
Re:Free market will fix this (Score:5, Interesting)
Their biggest competitor is BT [bt.co.uk] ... Not quite seeing a stampede happening in that direction.
There's always Orange, I guess...
(...and to think that I bitch about Comcast...)
Re: (Score:2)
Re: (Score:2)
A voluntary decision to stick with a reliable ISP. Seriously, most ISPs in England are terrible. I know people using various ones, and the only one I NEVER hear complaints about is Demon.
So, do you want privacy or reliability? You only get to pick one apparently.
Re:Free market will fix this (Score:4, Interesting)
Re: (Score:2)
I stayed with them for a few months after their takeover by Thus, until a new ISP installed ADSL+ in our exchange. In that time, the bandwidth I was getting deteriorated enormously, and their customer service changed from an engineer who understood "I can see your pings hitting my firewall" to a call centre worker in India who could only say "reinstall windows". And after I left, they forgot to remove me from their billing system, so they kept sending me letters threatening court action and bailiffs.
That mu
Re: (Score:2)
Re:Free market will fix this (Score:4, Informative)
Demon, once upon a time at least, was a VERY good ISP (ex-customer and I don't recall leaving them due to dis-satisfaction, I think it was the move to ADSL which prompted the switch).
Anyways, http://forums.thinkbroadband.com/ [thinkbroadband.com] is a good place to get real user feedback on ISPs. Somewhat strangely there are 666 new posts for Demon (I kid you not). I personally am unable to recommend any ISP though. Clara.net shafted me for £100 years ago when their channel bonded ISDN service just wouldn't work for me so I'd recommend you avoid them like the plague; Nildram used to be GREAT but apparently have been taken over by talktalk and users don't look happy; and personally I'm currently stuck with Virgin who routinely cause my blood pressure to rise but because they offer the best speeds blah blah blah.
On the business side I'll say that NewNet and Spitfire have done what they say on the packet overall.......
Anyways, yes, if someone finds a decent ISP let us know please.
Re:Free market will fix this (Score:4, Interesting)
Anyways, yes, if someone finds a decent ISP let us know please.
I've been with Zen's ADSL service for a couple of years now, since moving house. Give or take rare small glitches (and even then, they've had fewer of those than anyone else I've used) their service has always been fast and reliable. They don't have 24/7 tech support available, which did worry me to start with, but since I've never needed to call tech support once the service was set up that no longer bothers me. It does cost significantly more than the cheap providers as well, but I guess you get what you pay for. YMMV, caveat emptor, etc., but I'd sign up with them again.
Re: (Score:2)
I shall be happy when they repeal the legislation requiring a man with a red flag to walk in front of every data packet!
Sadly The market is the Problem (Score:2)
The problem in the UK, unlike Switzerland, I operate in both, is that the UK only has copper local (last mile) loop. Here we have fiber and copper 'im haus' which means that ISPs can form Internet+TV+Phone at reasonable price. Off peak I see 100mB down + 10 gB up with DTV and phone. Reliability is excellent.
I use Cablecom (CH) and Tis
Re: (Score:3, Informative)
Re: (Score:2)
Actually, they're no longer known as that. Their new name is:
BE *eyes explode at fluorescent cyan*
So what? (Score:5, Funny)
Re: (Score:2)
More importantly, hasn't this company ever heard of password hashing?
Re: (Score:2)
I know this is a joke, but it should really be modded insightful instead. This just reveals the already-existing incredible insecurity of their setup. If they were doing it right, the file would only have hashes, or preferably, hashes and salts. It would certainly still not be good to have it leaked, but the results of that happening would be significantly less serious. Instead, we have this.
Re: (Score:2)
One more reason... (Score:3, Insightful)
... that privacy 'policies' don't mean squat...
Who is to blame? (Score:5, Funny)
10 Bucks says it comes down to a cat on the keyboard.
Re: (Score:2)
10 Bucks says it comes down to a cat on the keyboard.
50 bucks says that cat was pictured in the act in a lolcat image.
Re: (Score:2)
50 bucks says that cat was pictured in the act in a lolcat image.
I can has passwurdz?
Re: (Score:3, Insightful)
Re: (Score:2)
Like this? [youtube.com]
They shouldn't even have the passwords (Score:5, Informative)
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!
Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.
Re: (Score:2)
Ummm. Where I work spreadsheets are called "databases". I get stupider things in my email every morning at work than the email described here.
And incidentally, since POP and SMTP were switched off to force us to use outlook the number of misdirected emails has gone through the roof. Humans search by first name but Outhouse searches by last name. I have a common last name... And so does a certain senior manager.
Re: (Score:2, Informative)
Ummm. Where I work spreadsheets are called "databases".
But surely you don't have an ebilling login system trying to look up passwords in an excel spreadsheet? Or even an MS Access database? Although maybe Demon Internet does, given their extreme lack of clue.
(and spreadsheets aren't databases, you can't write SQL queries against them)
Re:They shouldn't even have the passwords (Score:4, Interesting)
(and spreadsheets aren't databases, you can't write SQL queries against them)
I know. Where I work they would probably employ an intern to copy and paste passwords between the database and the spreadsheet because the database is complicated while everybody understands excel. SQL has been pretty much replaced by the scripting and macro languages supported by excel anyway.
Re: (Score:2)
(and spreadsheets aren't databases, you can't write SQL queries against them)
You realize there's been ODBC and JDBC drivers for Excel spreadsheets for many years now, right?
Re: (Score:2)
Understanding SQL isn't a requirement to be considered a database.
In fact, spreadsheets are databases. Wikipedia refers to these as end-user [wikipedia.org] databases.
You are confusing the term database with an RDBMS or Relational Database Management System (and even that doesn't necessarily depend on the use of SQL).
Re: (Score:2)
The word you're looking for is (relational) database management system or RDBMS. You know, software that lets you manage and run queries against databases. Which could be Excel tables, if you're into that kind of stuff.
Re: (Score:2)
Excel is an SQL-queryable database. [cpan.org]
And when I hit "Reply to This", I was merely surmising it was possible to do, not that someone was dumb/bored enough to do it. Nearly 7 years ago, even.
Passwords are needed - CHAP (Score:5, Informative)
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!
While having it in an excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the radius server, which can then look up the salt, hash it, and then verify the password.
However, since this means sending passwords in the clear, most modem concentrators (most ISPs resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the radius server. In order for the radius server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.
That said, it should be stored in a hardened and dedicated server that only handles the storage (sql or ldap) and the radius server. Any billing interaction should only be to update the password, never to read. And it should never be put into an excel or word doc!
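Added example, not part of the comment above and not code from any ISP: a Python sketch of the PAP/CHAP storage trade-off the comment describes, using the RFC 1994 MD5 response (hash of identifier, secret and challenge). The PBKDF2 parameters, function names and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def make_record(password: str) -> dict:
    """What a PAP-only server needs to keep: a per-user salt and a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def pap_verify(record: dict, offered: str) -> bool:
    """PAP hands the server the password itself, so it can re-derive and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", offered.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier octet + secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the response, which needs the secret itself."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse battery"  # constructed sample credential
    record = make_record(password)

    # The challenge is fresh for every attempt, so nothing derived from the
    # password ahead of time (such as the salted hash) can stand in for it.
    identifier, challenge = 7, os.urandom(16)
    response = chap_response(identifier, password.encode(), challenge)

    return {
        "pap_ok": pap_verify(record, password),
        "pap_wrong": pap_verify(record, "guess"),
        "chap_with_plaintext": chap_verify(identifier, password.encode(),
                                           challenge, response),
        "chap_with_hash_only": chap_verify(identifier, record["hash"],
                                           challenge, response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A server holding only the salted record passes the PAP checks but cannot validate the CHAP response, which is why a CHAP secret store needs the isolation the comment asks for.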
Re: (Score:2)
They want a junior staff member with clearance to look up an IP and get that name. Why burn out your only real admin when it's just reading a warrant, looking up time, ip and filling in the needed info.
Young admins in the UK only know MS.
if they had skills, they would be working in the real world.
computer billing story (Score:5, Interesting)
I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
This story goes back several years, as you will see.
Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each day's transactions by modem to a central computer that printed the monthly bills.
For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
18 months later I got a (manually generated) bill for $13,000.
The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.
Re: (Score:2)
Re: (Score:2)
The moral of the story is:
When someone implements a crappy system, it can affect that company and customers for years afterwards.
Really, there is no reason not to modernize this shit.
Re: (Score:2)
Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed
And this is partly why I refused eBilling (Score:4, Interesting)
Re: (Score:2, Interesting)
Someone had better lose their job. (Score:5, Insightful)
I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.
Re: (Score:2, Interesting)
Re: (Score:2)
I've worked in an office where you get fired for doing stupid things. In particular, I've worked at an ISP where I'd be the one firing you for doing this particular stupid thing.
Then you haven't worked anywhere in Europe. Save for a few things (eg. gross misconduct), you can't sack somebody with zero notice and zero warnings.
You could argue that this comes under the heading of gross negligence, which may be something you can be summarily sacked for, but then the question arises - who was grossly negligent? The person who sent out such a spreadsheet or the person who specified a system which allowed such a spreadsheet to exist?
Things get even more complicated if after such a syste
Really! (Score:4, Interesting)
This reminds me of when I was hired to do some maintenance on a small fantasy racing team website. The website seemed pretty well implemented and the database seemed reasonable. I then took a look at the account info table and was horrified to find that everything was stored in plain text, passwords, real names, user names, CC numbers, addresses, etc. I'm not exactly a database/web guru, but come on! How hard is it to use md5() to store passwords?? And I don't like the idea of some random guy (me in this case) being entrusted with everyone's credit info. There has to be a better way.
I learned my lesson though. I will never pass my credit info to a small-time website. To think that a fairly large ISP would be this stupid in the year 2009 is mind boggling.
Re: (Score:3, Insightful)
Credit Card info? That's a violation of PCI DSS right there along the lines of the great Web Hosting Talk fuck-up of last year. You can be fined millions for that.
Re: (Score:2)
PCI DSS isn't a law, it's a set of standards that the card industry wants you to follow if you're going to handle credit cards. There are no fines, you just lose your right to do CC business if you can't pass the audit. And the audits aren't perfect.
You gave me a business idea (Score:3, Funny)
You see, when a company fucks up, they call us at The Goat and we send them a person. Said person "works" there and takes all the blame and gets fired. The company looks good and we make money.
Legal fuck ups cost $100,000 for the goat plus our markup of 100% for a total of $200,000. The $100,000 for the goat allows him to live for a while until the public forgets about him. Goats for white collar illegal activities will run on a sliding scale. But let's say you have another Enron t
Why? (Score:2)
Someone had better lose their job.
Why? And who, exactly?
Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
It's probably less a case of knowing better, and more a case of clicking on the wrong file (something like "attach User-list.xls, mailmerge against User-list.xls" instead of "attach User-instructions.doc, mailmerge against User-list.xls"). Knowing that all of us organic beings are subject to error, is a single incident like this something to fire someone over? Or are you saying to fire whichever programmer or spec writer or system architect didn't think to build a mass-mail function in
Re: (Score:2)
It's not a simple password.
Looking forward (Score:5, Interesting)
I think that we should start putting fictitious information (something blob-like, like a customer name) into sensitive databases that matches one or more virus signatures. This would cause email filters to block the content before it leaves the premises. (Yes, I realize that we'd need to be filtering out-going mail, but unless you're a spam generator, that's a small fraction of your incoming email. Some of us are already doing this, although not for this reason.)
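Added example, not part of the comment above: a Python sketch of an outbound-mail check for a seeded record. It is a variation on the comment's idea, using a constructed canary string and a custom filter instead of an antivirus signature, and it also opens ZIP containers, because `.xlsx` files store cell text compressed. The marker, addresses and file names are assumptions made for the illustration.

```python
import io
import zipfile
from email.message import EmailMessage

CANARY = b"CANARY-7f3a91-DO-NOT-MAIL"  # constructed marker seeded into the customer table
MAX_MEMBER = 50_000_000                # refuse to inflate oversized ZIP members


def blobs(data: bytes):
    """Yield the raw bytes and, for ZIP containers such as .xlsx, each member."""
    yield data
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_MEMBER:
                    yield zf.read(info)


def find_canary(msg: EmailMessage) -> list:
    """Return the names of message parts that contain the seeded marker."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if any(CANARY in blob for blob in blobs(payload)):
            hits.append(part.get_filename() or "(body)")
    return hits


def fake_xlsx(rows) -> bytes:
    """Constructed stand-in for a spreadsheet: a ZIP with one deflated XML member."""
    xml = "<sst>" + "".join(f"<si><t>{r}</t></si>" for r in rows) + "</sst>"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", xml)
    return out.getvalue()


def build_sample(leak: bool) -> EmailMessage:
    """Constructed outbound message, with or without the customer list attached."""
    msg = EmailMessage()
    msg["From"] = "billing@isp.example"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "How to use the new ebilling system"
    msg.set_content("Instructions for the new ebilling system are attached.")
    if leak:
        rows = ["alice@example.org", CANARY.decode(), "bob@example.org"] * 20
        msg.add_attachment(fake_xlsx(rows), maintype="application",
                           subtype="octet-stream", filename="User-list.xlsx")
    else:
        msg.add_attachment("Step 1: log in with your customer number.\n",
                           filename="instructions.txt")
    return msg


if __name__ == "__main__":
    for leak in (False, True):
        hits = find_canary(build_sample(leak))
        print("HOLD" if hits else "send", hits)
```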
Re: (Score:2)
That is going to be _awesome_ once the local antivirus program deletes it off a system with stale exception lists :D
Re: (Score:2)
no biggie (Score:2)
That's too bad (Score:2)
My very first email address was on a ...demon.co.uk host, back in the early 1990s.
Another reason... (Score:3, Informative)
I can fix it if you let me at the code (Score:2)
[window pop up] "Are you sure you want to send this?"
[countdown timer on OK button] 5...4...3...2...1...
[user clicks OK prematurely]
[window pop up] "NO! Penalty timeout!"
[countdown timer on OK button] 39...38...37...36...
My experience of the same thing... (Score:5, Interesting)
Yes some asshat will accidentally forward whatever. How this occurs is demonstrated by my example below (I witnessed this, details altered). I've seen co-workers make this mistake, and I've been a customer when the same fault happened and I got sent a 700kb spreadsheet of confidential information. But anyway, here is the two step method to epic fail:
Step 1: Email staff with a template for them to send, and attach a spreadsheet of the customers
-----Original Message-----
From: Bob Smart [mailto: Bob.Smart@[-------].co.--]
Sent: Thursday, 23 September 2008 10:53
To: [-------] Outbound Contact Team
Subject: FW: eBill template
Hi Team,
Please send this template below to all customers in the attached spreadsheet. You three can divide the work amongst yourselves.
>
Dear customer-name-here,
[etc..]
Step 2: Your keyboard jockeys forward the email, delete the header and Boss's message, and insert customer details into the template. Send, Boom, Done.
By default, forwarding in pretty much all mail applications keeps the attachment.
I'm sure this is the principal way documents are leaked from just about any organisation.
Re:My experience of the same thing... (Score:5, Funny)
I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.
Many moons ago, I was told a tale about sending out mass mailings, not this "slip of the mouse" email stuff.
The bank's marketing and finance guys have come up with this glossy brochure of stuff for their top customers, based on something like highest 5% balance holders. There's a letter drafted to accompany the brochure, it just remains to do the little personalising touches for the final run.
Someone forgets to replace the output placeholder with the salutation generation program that'll even spew out "Dear Sir Whimsey-Porpoise".
The final letters are printed, enveloped, and mailed. The salutation from the placeholder piece of code? "Dear Rich Bastard,".
Re: (Score:2)
That's old. And it's probably an urban legend, as it's usually a charity emailing or sending letters to their biggest donors.
Re:My experience of the same thing... (Score:4, Insightful)
Snopes [snopes.com] says it is true.
I also like the idea of Wells Fargo sending this to customers:
You owe your soul to the company store. Why not owe your home to Wells Fargo? An equity advantage loan can help you spend what would have been your children's inheritance.
Re: (Score:3, Funny)
I actually prefer this bit:
An interesting element not generally related as part of this story just goes to prove you can never please everyone: The little UK firm responsible for the gaffe received a complaint from a potential customer who felt himself qualified to be a rich bastard yet had not received the letter he deemed appropriate to his station in life.
Re: (Score:2)
Many moons ago I used to work in the credit industry. On the evening shift things would get kind of slow, so we'd find ways to keep ourselves occupied. One such activity was doing lookups on names you know couldn't exist - and it was damn funny when they actually did. I could just see typing in the name "Bastard" and seeing a response, "Bastard, Richard M. .... "
Cleartext Passwords? Really? (Score:3, Insightful)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Yes, really. It's called CHAP authentication, and it requires plain text passwords. see my other post [slashdot.org]
Re: (Score:2)
Demon: OK, let's see if we can help. I just need to take you through security. Can you give me your username
Customer: customer1
Demon: And, without revealing your full password, characters 3 and 5 of... the MD5 hash of your password?
Customer: WTF?
Demon: sorry, that's not right.
In the case where you want to use the same password to authenticate across multiple channels, and use human interaction, storing plain passwords (with appropriate control) is u
Why is this even available? (Score:2, Interesting)
I realize most people don't use negabases or other things that would prevent marketing twats from getting their filthy grubby hands on information--but why was there a password field even available to anybody to start with?
Four years ago I inherited an application with plaintext passwords. Yes, it took me *two years* to fix it because of other even worse problems--but it was fixed in the end (SHA1, salted per user in the front and tail).
Our support team bitched and moaned that they could no longer troubles
Anyone else with horror stories with Demon? (Score:4, Informative)
Re: (Score:2)
any DNS changes to a domain has to be done via fax on a letter with the company's header.
While I can understand that this is a royal pain in the Ass, it's also a fairly good procedure. Faxes have the sending phone number on them usually, which is a decent validation component. The letterhead is another decent step, assuming they compare it to something on file. I don't think you want people changing your routing just based on a phone call without more identification somehow. These are exactly the steps
Notice the words carefully... (Score:4, Insightful)
...when a corporate is involved it always is a MISTAKE.
When an individual hacker exposes weak security, he is a terrorist.
Wow!
Talk about double standards.
Why can't the corporate be sued on SAME grounds like hackers?
Re:Notice the words carefully... (Score:4, Informative)
intent.
A hacker didn't accidentally get into a system,
Re: (Score:2, Funny)
"...when a corporate is involved it always is a MISTAKE.
When an individual hacker exposes weak security, he is a terrorist."
Solution: Instead of being an individual hacker, form a security corporation.
Re: (Score:3, Interesting)
There's absolutely no reason to store passwords in the first place. In fact, in a well designed system it would be impossible for the ISP to know the passwords. They'd be hashed and salted first. This is so obvious and simple to do that failing to do so should be considered criminally negligent.
Re:To err is human... (Score:4, Informative)
A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on. You don't want to give them a new password at that point because their daughter isn't around to write it down again. And in practice, the password isn't protecting anything of value anyway.
Re:To err is human... (Score:4, Funny)
You're hired!
Re: (Score:2)
Email their new password to them AND their daughter.
Also give it to her over the phone.
Here's a thought, Mail it to them.
"the password isn't protecting anything of value anyway."
you seem to suffer from a lack of imagination.
Re: (Score:2)
A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on.... the password isn't protecting anything of value anyway.
Fine. So relax the password rules and let her use her daughter's middle name as her password. That's better than storing passwords in plaintext. There's no reason to do that.
Re:To err is human... (Score:5, Informative)
Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post [slashdot.org]
Re: (Score:3, Informative)
Which is why a CHAP password is not a unified billing password.
Re: (Score:2)
Plain text is no problem for them. MS is secure and they patch and update.
If you're from the UK and smart you're working in the USA, the City or military/science.
What's left for an ISP is MS slop.
Hashed and salted is bad if MS has a new feature that will take time to use. Plain text can save the day