I’m sorry, but when you’re working internet tech support and someone tells you webmail is down, the first thing you ask is NOT “Can I have your username and password?”
I can’t believe I used to recommend these nitwits.
Why not? Seems like a legitimate question to me.
I used to work internet tech support. If your host asks you that question, you should dump them for another.
Why? Because a) they should never need it. They have administrator access to your account; if they need to get in, they can. b) it’s a terrible practice from a security perspective. It gets people in the habit of giving out their password over the phone, which opens them up to various “social engineering” security exploits. And even if you, personally, are careful about always verifying that the person you are talking to is a real employee, if they are that lax in one area you can bet they have other holes as well.
Occasionally having the password is useful in order to login as the user and thereby see whatever problem they are experiencing; but the benefits don’t outweigh the risks.
I have worked for three different major internet service providers in both tech support and management positions, and have run a private help desk, which includes internet support, for the past 6 years. Credo number one of providing tech support: the caller is a moron. Sure maybe you aren’t, but I assure you that you are in the vast minority. Not all systems allow you access to the user’s account. I only worked for one company that did (Prodigy). The rest you could only see the last two characters of the user’s password and you had no account access. This was for the security of customer accounts, mostly so that angry techs couldn’t go in and mess with people’s email. This is a much higher risk than someone overhearing or tapping the phone, if that’s what you’re getting at. For many companies asking the user for the password is the only way to access specifics of their account.
I maintain that that is a broken and brain-dead way to run an ISP. What’s the point of having tech support if the techs can’t access user accounts? Might as well call your aunt Tilly for all the good it will do you.
And generally speaking, any company where the attitude is that the customer is a moron is a bad company. I’ve walked many a computer-illiterate through internet setup and troubleshooting, but I never thought of any of them as morons, and neither, AFAIK, did my co-workers. They were paying customers, with better things to do than become computer experts.
Of course, any company that doesn’t trust its techs isn’t in much of a better position. How are they supposed to help if they have no access?
I’m shocked, but on consideration not all that surprised. I just don’t understand why anyone would stick with a company that treats them as the enemy.
Ahahaha, whatever. Users are morons. Even the smart ones. When they aren’t lying to you about what they’ve done, they’re confusing the issue with extraneous information. I.e. I tied my shoes and then I couldn’t get my email!!! I have no idea who you are referring to in the last sentence.
Wait, let me get this straight – are you telling me that not only could techs not access user accounts, and not see passwords (perfectly understandable, any decent system puts passwords through a one-way-hash before storing them) – but they couldn’t even reset passwords?
2 could, one couldn’t. But why would asking for a password be worse than flat out changing it? They could access user accounts to the extent that they could see name, billing address, duration, services, etc. but NOT log into their email.
But why would asking for a password be worse than flat out changing it?
Because asking for it gets users into the habit of giving out their password over the phone, which makes them more vulnerable to various social engineering tricks. E.g. Joe Blackhat gets hold of a list of LameNet’s customers, and goes down the list, calling them up and saying “Hi, this is Joe with LameNet, we’re moving users over to a new machine from a failing server, and we need your password in order to transfer your account”. Or any number of variations. He’s going to have a much higher success rate if the customers are used to giving out their passwords than if LameNet has made it clear that they will never ask for passwords.
Oh, so I see, it’s one of those greater good for all of humanity sort of things. How noble of you.
It has nothing to do with the greater good of humanity, just that of one company and its customers. If company X has lax security standards, then its customers will suffer from a higher incidence of security compromises, and the company’s bottom line will suffer as a consequence. Since social engineering is one of the most popular routes of attack for serious crackers, taking basic precautions against it is one of the most basic and cost-effective steps a company can take to cut down on security breaches.
There’s nothing “noble” about it, it’s just a pragmatic security procedure. It’s the same reason that online businesses like PayPal and Ebay make it clear that they will never ask you for your password.
PS: The above refers to password only. Asking for username is fine.
Please note my amazing restraint in the usage of the word “Duh.”
“Can I have your username and password please?”
Oh, well now if you say “please” that makes all the difference.
Can I have your credit card numbers and social security numbers, Please? 🙂
Hehheh… I have those!