xeny wrote: Service providers don't store your password, they store an encrypted version of it.
Don't bank on it!
A few years ago I had need to ring VirginMedia, my ISP at the time, though definitely no more! Would not recommend them to anyone except my worst enemy.
I can't remember exactly how the exchange went, but while going through the security part, the call centre operator said something, I forget exactly what, that immediately rang alarm bells with me ... so much so that I asked them directly, right at that moment, "can you see my password on your screen?" ... to which the operator replied "yes".
I was rather taken aback by that. I'd set up my password online, and had assumed, like you, that it would be hashed (standard practice with electronic passwords), and only the hash would be used to confirm if I'd entered my password correctly. I thought it was for my email, etc., and I'd presumed it was an 'online' password ... I hadn't realised it would also be used for phone security checks.
And anyway, I had assumed that whatever I tell the operator, they would key it in, and the computer would just say "yes" or "no", rather than let the operator see my password... so I was rather taken aback that the operator said they could see my password on their screen before I'd given it to them.
The operator just asked for a subset of individual characters from my password, so that in itself confirmed to me that they weren't using a cryptographic hash, and indeed my clear text password must at least be in the system somewhere.
I still find it hard to believe that the operator genuinely had visibility of my clear text password on their screen (usually asking for a subset is so that the operator doesn't get to know your full password), but that is what they told me, and like I say, the initial exchange I had with the operator gave me enough cause for concern to directly put the question to them.
[I can't remember the details, but it was possibly something like me not expecting they were using my online password for their phone security check, so I didn't believe I had a phone security password, and possibly the operator confirmed to me that the password they were looking for looked like random characters, or something along those lines ... because I had indeed used a set of random characters for my online password. Whatever it was exactly, it definitely led me to think ... "erm, hang on ... you can see my password!?!?!?!?" ... with enough concern to ask them directly as much.]
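An added illustration of the inference made in the post above (example code, not from the thread): a record that keeps only a salted PBKDF2 hash can answer just one question, "is this the complete password?", whereas the "give me characters 2, 5 and 7" prompt can only be answered from retained cleartext. The password and positions are constructed values for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for this example


def make_hashed_record(password: str) -> dict:
    """Store a random salt and the PBKDF2-HMAC-SHA256 digest; the password itself is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def make_cleartext_record(password: str) -> dict:
    """What a provider that can prompt for individual characters must be holding."""
    return {"password": password}


def verify_full(record: dict, attempt: str) -> bool:
    """The only check a hash-only record supports: recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def verify_partial(record: dict, positions: list, chars: str):
    """Answer 'are the characters at these 1-based positions equal to chars?'.

    Individual characters cannot be recovered from a salted digest, so for a
    hash-only record the question is unanswerable and None is returned. A system
    that does answer it is necessarily keeping the cleartext (or an equivalent).
    """
    password = record.get("password")
    if password is None:
        return None
    if len(positions) != len(chars) or any(p < 1 or p > len(password) for p in positions):
        return False
    return all(password[p - 1] == c for p, c in zip(positions, chars))


if __name__ == "__main__":
    secret = "q7#Lm2xP"  # constructed sample password
    hashed = make_hashed_record(secret)
    print("full check against hash:", verify_full(hashed, secret))
    print("partial check against hash:", verify_partial(hashed, [2, 5, 7], "7mx"))
    print("partial check against cleartext:",
          verify_partial(make_cleartext_record(secret), [2, 5, 7], "7mx"))
```

Being asked for a character subset is therefore a reliable sign that the whole password is recoverable on the provider's side, whatever the operator can or cannot see on screen.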