Do you trust 1&1?

Wow. 1&1 just asked me for a customer password over the phone. It started out as my fault. I tried to ssh into a package without SSH privileges. This added my IP to a blocked list. Fair enough. I called support to be removed from the block list and was surprised when they asked me for the account password as verification.

From this, I assume that 1&1 either stores the password in plain text, which they denied when I asked, or they type it in as I relay it over the phone. Either way, at the end of the day, some random phone support person hears the password over the phone, or worse. Unbelievable!

I very politely refused to do this and suggested that this was a bad policy, which the helpful person on the phone understood. I was then informed that the block would be lifted automatically in four hours anyway. This was fine by me, so we left it at that.

Now, I’m not suggesting that a random phone call from a stranger to 1&1 should result in a blocked IP being lifted. However, I do feel strongly that this policy as verification is deeply flawed, and hints at the potential of an even greater problem: that 1&1 may store customer passwords in plaintext, or at least be aware of them. It’s 2012. There is no reason that a company the size of 1&1 should store customer passwords in a readable format. This was what caused the huge security flap over the Sony PSN compromise in 2011.

GoSaBe Blog - Jan 20, 2012 | Security, Web Development