
My ISP can't handle passwords correctly



#1 TheNightowl


Posted 02 February 2015 - 10:02 PM

I was playing around a month or 2 ago with my login password for the web based email of my ISP.

My password was 10 characters long so just for fun I typed in 9 of them. I got in. Then I tried 8, I got in. All the way down to 5 before I didn't get in. Mind you, temp files and cookies were deleted before each attempt.

 

I called them (Local Co.) with another issue then asked about this odd password behavior. The guy thought I was kidding. The next day he emailed and said he tried it with his own password and got in like I did. He suggested to add some special characters to stop this behavior (should not have to). I changed to a cap letter at the 7th digit of my password, and added an additional 4 numbers. I can still get in as long as I type just past that cap letter leaving the others off. In other words, my password is 14 characters long with a capitalized letter at spot 7 followed by 7 other digits both numbers and letters and all I have to do is type up to and including the capitalized letter to gain access to my email.

 

Anyone ever tried this with their ISP? I asked for it to be looked into and repaired, but have never heard a word back.

 

I may try adding a special character at the end to see if that does the trick, but why should I have to do this? I may even publicize this being they are a local company. I bet they get on it then.




 


#2 Taikoh


Posted 18 February 2015 - 10:48 PM

If they implement some sort of partial password authentication (however bad of an idea that may be), then that would definitely do it. Without knowing their back-end design or their privacy policy (if it's even contained therein), all you can do is guess at the issue, unfortunately. It could also be some weird, poorly-programmed hashing algorithm or login page. If it's poor programming, then they've got more things to worry about than partial password authentication.  :o

 

I wouldn't publicize it though, no good can come of that. If it's an actual vulnerability with their systems, then you'd want to wait until they have time to fix it (within a reasonable amount of time) before even considering going public with that information. Your best bet would probably be to call them every other day or so in order to check in on it, highlighting your concerns for your account's security.  :unsure:
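
A regression check for the behavior described in this thread, as an added example that is not part of either post and is not the ISP's code: it models one possible cause (a back end that hashes only the first few characters of the input) beside a verifier that hashes the whole password, and reports the shortest prefix each one accepts. The limit of 6, the sample password and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumption: a limit of 6 reproduces the first observation in the thread
# (10-character password, 6 characters accepted, 5 rejected). Constructed value.
TRUNCATE_AT = 6


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; low iteration count for a demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def make_verifier(password: str, limit=None):
    """Enrol `password` and return a verify(candidate) function.

    limit=None hashes the whole input (correct). An integer limit hashes only
    the first `limit` characters at enrolment and login (the modelled flaw).
    """
    salt = os.urandom(16)
    stored = _kdf(password[:limit], salt)

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(_kdf(candidate[:limit], salt), stored)

    return verify


def shortest_accepted_prefix(verify, password: str) -> int:
    """Length of the shortest prefix of `password` that verify() accepts."""
    for n in range(1, len(password) + 1):
        if verify(password[:n]):
            return n
    raise ValueError("verifier rejects the full password")


def accepts_only_full_password(verify, password: str) -> bool:
    """True when no shorter prefix and no longer string is accepted."""
    full_only = shortest_accepted_prefix(verify, password) == len(password)
    return full_only and not verify(password + "x")


if __name__ == "__main__":
    pw = "abcdefghij"  # constructed 10-character sample password
    for name, limit in (("truncating", TRUNCATE_AT), ("full-length", None)):
        v = make_verifier(pw, limit)
        print(name, shortest_accepted_prefix(v, pw), accepts_only_full_password(v, pw))
```

Run against a real login routine in a test suite, `accepts_only_full_password` fails as soon as any truncation or prefix matching is introduced, whatever its cause.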





