Plain text passwords

juanbro on 2006-06-06T03:14:02

It's been a while since I've worked on any kind of system where passwords were stored as clear text. I guess I've just come to expect that they are to be stored as encrypted strings. So I was pretty surprised when I learned that a company I was doing business with, a major hosting/communications company, stores all of its customer and reseller passwords as plain text. Every tech support, customer service or sales rep can view any account's password, without the knowledge or authorization of anyone. This password allows for root access to all servers associated with the account.

I asked some company reps about it, and the answers didn't make me feel any better. 'We need to see the passwords for verification purposes' and 'We pride ourselves on our integrity' and yes, even 'we haven't had a problem before'. I made most of the arguments you might expect, but it was clear I was getting nowhere. After all, they are a huge company and that's the way they do things, end of story.

I can't help but wonder how long it will be before a disgruntled employee leaves the company along with a few hundred account passwords. Sure they 'haven't had a problem before', but I figure that just means they are overdue. I think I felt better before I knew this.

p.s. HOLY SH*T!! It's been four years since I wrote in this thing!!