0

I called my domain registrar (unnamed here but not difficult to find out and a major provider) about a year ago to have them change some DNS settings. While on the phone, the customer service rep had me speak my password (letter by letter) to prove my identity. It just dawned on me: is my domain registrar therefore storing my password in cleartext? If not, how was the customer service rep able to know that my password was what I said it was?

e-sushi
  • 1,296
  • 2
  • 14
  • 41
michaelrbock
  • 105
  • 8
  • Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. – Lucas Kauffman Jul 26 '13 at 20:49

2 Answers

6

Well, fairly obviously, what happened was not ideal security practice, as the agent you spoke to now knows (if they did not before) your username/password.

In terms of storage it would be speculation to say they held it in clear text. That is one possibility given what you've said.

However, if they asked for your whole password, then it could be that the agent typed it into a form which then hashed it, compared it with the hash stored on file and gave a correct/incorrect decision back to the agent. The letter-by-letter piece could just be to ensure no typos/spelling errors on the password check.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
5

Unfortunately, we can only speculate. Given the very limited information we have about the customer service representative's abilities with regards to your password, there are several possibilities.

Data storage method aside, the customer service representative needed one of two things to be able to verify your password:

  1. The ability to actually see the password that is stored on their servers.
  2. An application or form by which they would enter the password you provide, and receive a positive or negative response from the server after it performs the comparison.

The first option requires one of the following, neither of which is good security practice:

  • Passwords are stored in cleartext.
  • Passwords are stored using reversible encryption.

With option #2, you can perform proper salting and hashing of passwords while still allowing the customer service representative the ability to verify it. However, option #2 does not eliminate the possibility that cleartext or reversible encryption storage options are being used.

In any case the biggest problem with this whole scheme is that, regardless of how they verified your password, the customer service representative now knows your password. That should never happen for any reason.

Solution: Change the password at your domain registrar to one that you do not and will not ever use anywhere else. Change your password on any other sites, systems, services, or applications where you used the same or a similar password as with your domain registrar. Finally, find a new domain registrar.

Iszi
  • 26,997
  • 18
  • 98
  • 163
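Option #2 from the answer above, as an added illustration (not code from either answerer or from any registrar): a record that keeps only a per-account salt and a slow hash, and a verification routine that hands the support form nothing but true/false. The iteration count is a constructed illustrative value.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is a constructed
# illustrative value for this example, not a tuning recommendation.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Build the record the registrar would keep: salt + hash, no plaintext.

    A random salt per account means two accounts with the same password get
    different records, and nothing in the record can be reversed to recover
    the password (contrast with option #1: cleartext or reversible encryption).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: Dict[str, object], attempt: str) -> bool:
    """What the agent's form does behind the scenes.

    Re-derive the hash from the attempt and the stored salt, then compare in
    constant time. Only a boolean leaves this function, so the agent's tool
    never needs read access to the stored secret (though, as the answers note,
    the agent still hears the password, which this design cannot fix).
    """
    salt = bytes.fromhex(str(record["salt"]))
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["hash"])))


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    record = store_password("correct horse battery staple")
    print("stored record:", record)  # salt and hash only, no plaintext
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "correct horse battery stapel"))  # False
```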