How safe is your password with Verizon? (pranaya.co)
49 points by demosquared on Feb 27, 2013 | 46 comments



Calm down people, it is just an authorization phrase that Verizon uses to make sure you have permission to make changes. You can share that phrase with anyone that you want to make changes to your account. Verizon probably should not call it 'Password'. It is NOT the password that you use to login to their site to pay your bill or anything else. The author is confused on the whole process. The customer service rep should have done a better job of explaining the process to him as well.


While Verizon does use a separate authorization phrase, I've found that Condé Nast appears to store plain text passwords. I discovered this when a CSR read my password to me over the telephone to confirm it. I reported this issue to Condé Nast but never heard back, so I can only assume this is still the case.


True. If you ever want a really good laugh, check out the software and interfaces a magazine fulfillment company uses.

Fulfillment companies are the companies that magazine publishers hire to handle customer service, charge and ship magazines to you at the right time.

Problem is, when it was time to put these magazines online, magazine companies looked to fulfillment companies to handle billing and customer service for them. These fulfillment companies had worked in 30/60 day cycles and were running software that was created in 1985.

So when the Internet came knocking, they just rigged up some stuff to kinda sorta do it the same way.

Before someone writes the obligatory "someone should create some software to make digital fulfillment for old-school publishing better", you should understand that these fulfillment companies own the customer/user data.

To migrate from one fulfillment company to another, you'd have to re-collect billing information for the entire subscription file, which would require the publisher to contact Grandma Barbara and ask her to send in another check or get on AOL to add her credit card. Which just isn't going to happen.


I sincerely hope you are right. However, the only thing I understood was that she was asking for my password. I read Hacker News so I know better :) - however, Verizon deals with many others - how are they to figure that out - if that is indeed the case.


So the "billing password" is not the password one would use to pay your bill? How very odd. One wonders why she allegedly called it the billing password, then.


Indeed. The phrasing in the chat clearly (really quite clearly) seemed to indicate it was a login password. Even if this is just a throwaway auth token, the way that script is written pretty much guarantees that users will spit their login passwords into the chat. And of course they wouldn't work, and Verizon would then have to have a script to ask for the right info.

I don't buy it. This was asking for a login password.


What they should do is let you login to the website and give a one time use access token (and make it possible to work out the relevant account). Giving that to the rep (phone or email or chat) then makes things a lot quicker and more secure.

For example Netflix does this for support where you get the token from the web page (as a number) and enter it when you make the support call. Google business support has it too although it is valid for longer where the admins can get a token that is entered with support requests.


You don't understand the process... The billing system password is a simple phrase to make certain changes to your Verizon account. It is designed to be shared with people authorized to make changes to the account (i.e. your kids, wife); if you speak with a call center employee they will ask you for the same password.

Calm Down.


The fact that he had successfully logged in should have been good enough for that purpose.

At most, a paranoid system might be designed to require a second login before a sensitive change, on the theory that a screen might have gone unattended. The outcome of that second logon (success or failure) is all that should be shown to a service rep. The system should immediately destroy the password after hashing it for comparison to the value stored in the database. This technique is decades old.

However, I know of vendors who do store raw passwords. This is because I have been asked to change passwords of long standing that do not stand up to silly new rules about variety of character classes, etc. If they were one-way hashing, they could not have known my old password didn't pass muster.


Yes but just being logged in isn't evidence enough.

Someone might have lifted his account password and logged into the website with it impersonating him on the chat, and so it only makes sense to then confirm identity by challenging for that password over the same chat where he is being impersonated... hey wait a second!


He wasn't logged in, if he was logged into the account he could have done what he wanted no problems, the reps don't have your web password. Your chat/call in password is different, it's analogous to asking for your SSN to do an account change.


I'm glad I'm not the only one that thought he was being a bit hysterical.

I'm not entirely convinced that this customer service agent could see his password. She said she had to enter it in to verify it. She may have been confused about his questions, or just flustered by his attitude.


Yes--the Verizon billing system password is a 5-digit number (not an actual online account password). It's not the same as the password for the portal and I'm not sure why someone would use that as their banking password. I'm assuming he's confusing "Billing System Password" with "Website account Password."

He is right that it's not secure at all, I forget the sequence of numbers I use every other time I've called them, and they've always let me have a few tries at it...


Calm down nothing. He is correct in his complaint.


In his complaint that it's not secure, he's totally correct - but the account she had in plaintext in front of her is not the same as his online (and bank? Yegads...) account password.

However, the insecurity of the Billing Code is actually worse than his website account password, as anyone could call up, figure out the 5-digit code (they've given me hints before), and change his service, request billing info mailed, etc. And good luck getting any service changed with the (more secure? Who knows...) site account password (although you do have access to billing records, which could be more valuable).


Pranaya: and FYI – I use the same password for my bank accounts, etc..

Someone who is serious about security would never do this. The rest of the article falls on its face at this point.


So many people do this. It's the real problem, from my perspective, but I don't know how to solve it...even people I have the opportunity to talk to about it, at length, and explain the risks (like girlfriends), often still keep the same practice. Sometimes, they'll compromise and introduce a "secure password" for important stuff like bank accounts and GMail, and an "easy password" for stuff like forums and unimportant stuff.

An end to passwords would be awesome. But, I haven't seen a compelling solution to the problem.


The solution is to use a password manager. Keepass and Lastpass are pretty popular solutions and you'll be thankful later when one site is inevitably compromised and you don't feel like you have to change all your passwords.

It is absolutely worth the time to setup and start using.


That's my solution, but I've been unable to convince others to do the same. It's too complicated, they get confused, it doesn't work automagically enough. Whatever the reason, I have never successfully converted someone non-technical to using a password manager.


Those are great, and I've used 1Password and LastPass to generate / store passwords for a couple years now, but they're not a proper solution.

If I have my super-secure password that I generated in my browser, Chrome will sync it and let me log in on my browser too. Great! Now how do I get that into my phone when the APP requests me to log in?

Answer: Some password system needs to tie into the IME of computers and phones in order to be effective and secure wherever your passwords need to go.

OpenID / OAuth seems like the general answer, but it's not easy to use, and it's not practical unless I can get my bank, Facebook, some mom-and-pop website and HN to all use the same system. IME integration would bypass all of these, and would be so much simpler than getting everyone to learn the OAuth dance.


> Now how do I get that into my phone when the APP requests me to log in?

As someone who recently factory reset their tablet and phone, boy was that painful. The password generator passwords are long and use a wide variety of characters, numbers and punctuation. Entering them is really tedious and time consuming. Usually you can't see the entered password so a single error means you have to keep trying again.


Hm. Maybe something like a qr-code keyboard that would allow you to scan and enter a code from your monitor into a text field?


I've been using a password manager to manage my super-secure password system for a few weeks. Since I started, my friends have been calling me paranoid.

What disturbs me about this, why I feel it's relevant, is that these are people with the technical ability to configure their own minecraft servers and run jailbreak/root(?) hacks on consoles. Almost all of them have at least taken 1 or 2 C++ college courses or Codecademy courses. These people aren't technically challenged, nor are they Luddites. They should be aware of how insecure most passwords are, but they feel it's not relevant to their life.

Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?


> Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?

They think you are paranoid because they think that you are worried about Mark Zuckerburg logging in to your Google account or something along those lines. Explain that websites get compromised all the time - you could bring up the LinkedIn (http://lifehacker.com/5916177/65-million-linkedin-accounts-m...) or the Gawker (https://gawker.com/5712615/commenting-accounts-compromised-+...) compromise if they use one of those sites, and that when criminals get things like your Google passwords, they will often delete your data and try to scam your friends out of money - there are many stories, here is one about it: http://bits.blogs.nytimes.com/2007/11/09/e-mail-scammers-ask...


Merely linking to this blog on Facebook got me called paranoid by one of these friends just a few hours ago.


When you open an entry in KeePassDroid it adds entries to the notification pull down menu to copy either the username or password. I find this works quite well. Browse to the key in keepassdroid, then go to the app you need to login to. Pull down the notification shade and select copy username to clipboard. Paste. Pull the notification shade and select copy password to clipboard. Paste. Done.


1Password has an iPhone app (and probably Android, too). You can sync all of your passwords over the network or dropbox. It's a bit more tedious than just using the 1Password browser plugins, but it works. Just copy the password from the app and paste it into the app/website/etc. 1Password will also open a browser window and enter your account details for you if you're using mobile web.


LastPass has great mobile apps with "copy notifications" if you're fortunate enough to be on Android. It makes it much faster than typing a password would be anyway.


So many people /do/ do this - but how many of them deign to lecture a CSR at a cell phone company on their lax security policies, then write up a long-winded blog about doing so, all the while being blind to, or wilfully ignorant of, their own security faux pas?

Oh, and now the CSR knows his banking password too. Handy.


So, he's lazy. Or maybe he was lying to Crystal in an effort to underscore the hazards of Verizon's procedure. However, that doesn't affect the validity of his article.

I personally would never use a banking, brokerage, or charge card [edit: or email] password for any other purpose. But, for other sites, I'm as lazy as he is ..


Wait, the author reusing a password means that it's not a problem that Verizon is storing passwords in plaintext? No, the point stands as claimed (unless it's refuted). Yes, the author did something dumb. No, he's not wrong about this because of that fact. And yes, this is an important post if true.


Users being lazy about security doesn't excuse companies from being lazy about security. I don't know if the latter is true in this case, but the line of thinking you have presented is surely flawed.


That doesn't change the fact that if the chatlog is accurate, Verizon's security practices are incredibly bad.


How does a CSR verify a person calling is the true account holder without a plaintext view?


Best, since this is a website based authentication: Support system has a feature where CSR can pop up a text box to enter the password in (or at least generate a link to give to the customer); password entered is checked against hashed database password, CSR gets to see whether or not the password was correct.

Failing that, customer has to give CSR the password, CSR enters it, it is checked against hashed password (CSR sees plaintext but it could be arranged that it is never stored, which is better than storing all plaintext in a database).
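The two designs described in this thread, a one-time support code that the customer fetches from the logged-in web page and reads to the rep (the Netflix-style approach mentioned earlier), and a rep who only ever learns whether a hashed comparison succeeded (the "best" option just above), as an added Python example. This is illustrative code written for this thread, not Verizon's, Netflix's or any commenter's system; the in-memory account store, the PBKDF2 parameters, the 6-digit code format and the 10-minute code lifetime are all assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database" standing in for the billing system.
# Each record holds a salt and a one-way hash, never the plaintext.
ACCOUNTS = {}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enroll(account: str, password: str) -> None:
    """Store only salt + hash; the password itself is discarded on return."""
    salt = os.urandom(16)
    ACCOUNTS[account] = {"salt": salt, "hash": _hash(password, salt), "codes": {}}


def verify_password(account: str, candidate: str) -> bool:
    """Hash the candidate and compare in constant time. Returns only a bool,
    which is all a service rep's screen should ever show."""
    rec = ACCOUNTS.get(account)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(candidate, rec["salt"]))


def csr_verify(account: str, candidate: str) -> str:
    """What the rep sees: a match/no-match result, not the secret."""
    return "match" if verify_password(account, candidate) else "no match"


def issue_support_code(account: str, now: float, ttl: int = 600) -> str:
    """Generated for the customer on the authenticated web page. Single-use
    and short-lived, so it is safe to read out over chat or phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    ACCOUNTS[account]["codes"][code] = now + ttl
    return code


def redeem_support_code(account: str, code: str, now: float) -> bool:
    """Rep enters the code; it is consumed on first use and rejected after expiry."""
    rec = ACCOUNTS.get(account)
    if rec is None:
        return False
    expiry = rec["codes"].pop(code, None)  # pop: a replayed code cannot succeed
    return expiry is not None and now <= expiry


if __name__ == "__main__":
    enroll("demo", "correct horse battery staple")   # constructed sample account
    print(csr_verify("demo", "correct horse battery staple"))   # match
    print(csr_verify("demo", "hunter2"))                        # no match
    code = issue_support_code("demo", now=0.0)
    print(redeem_support_code("demo", code, now=30.0))          # True
    print(redeem_support_code("demo", code, now=31.0))          # False (already used)
```

The support-code path is the one to prefer for chat and phone: the customer never has to type a password into a transcript that the rep (and the chat vendor) can read, and even a leaked transcript only exposes a code that has already been consumed or expired.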


I don't think he actually meant this was true. I think he was saying it just for that fact that it is true for many other people (at least that's what I gathered from the note in that section of the article).


An ad hominem attack doesn't disprove this argument. Attack the argument, not the one making it.


They're referring to the 'billing system password'. I may be mistaken on this, but I think this predates a time when most people had online accounts, which can create confusion now that there are two things called a password. I remember struggling to figure mine out in the late 90s when I was changing some account settings at a store. I got the impression this password really isn't meant to be very secure (it's usually just the last digits of your SSN), and is used to make account changes.

http://vzwtipsandtricks.blogspot.com/2010/11/i-forgot-my-vzw...

http://support.verizonwireless.com/faqs/My%20Verizon/billing...


She should have figured out right away that he was confusing his log-in password with the billing password and explained the difference.

Reading the chat log, I failed to pick up the problem, and I am a Verizon customer. A few times talking to a Verizon rep, I've been asked for the last four of my SSN. I have to remember to give 0000. That's because, when I first signed up, I didn't want them storing my SSN post credit-check, and they complied.

However, I don't ever recall being asked for a "billing password". Maybe that's because mine is still the numeric 0000. Perhaps Pranaya set up an alpha one at some point and forgot, then got confused by the word "password".


They were definitely just asking for your security phrase, not the password for your online billing account.

As an AT&T customer, I know having one of these "passwords" is optional. If you choose to have one as an added level of security (in addition to the last 4 of the account holder's social), you can add it to the account. Again, it can be completely different from your online login password and is usually something simple that can be said/understood over the phone.

I found this whole article kind of funny. The rep must have been so confused as to why this customer was getting so hysterical over such a common thing.


It isn't your password they wanted (which is what you use to login to the site), she was asking for your "PIN" which is a code they ask for whenever you want to make changes to your account through a store representative, on the phone, or in this case, the online chat window. When you're in the store, you don't type it in to anything, you tell it to the person who is looking at it on their computer screen. The problem was she was confusing you by asking for your password.


I had an almost identical conversation w/a Sprint agent a couple of days ago, where she clearly wanted my site login password (she'd already gotten the account verification code).

After pressing the issue and refusing to provide it, she walked me through the steps needed to resolve my issue. My feeling was, esp after reading this, that they are probably using the same or a similar 3rd party to provide their live support and those 3rd parties are now finding that it's easier to log in as users and fix their issues vs trying to walk users through the various steps to fix it themselves. It probably brings their support times down - I seriously doubt they care about user security.

Or heck, maybe it's a malicious attempt to get passwords... heck if I know, just a theory. Seems like the easiest explanation. Still, unacceptable.


Still better than with Virgin Mobile, who enforce 6 digit numerical-only passwords, and whose login screen has no flood control. There's absolutely no way to have a secure account.
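The "no flood control" point above is the part a defender can actually fix, even when a short numeric PIN is imposed by the product. Below is an added Python example (written for this thread, not Virgin Mobile's or any commenter's code) of a per-account sliding-window limiter: after `max_failures` wrong guesses inside `window_s` seconds, further attempts are refused until the window slides past. The limits, the account name and the PIN value are constructed for the demonstration.

```python
import collections
import hmac


class LoginThrottle:
    """Per-account failed-attempt limiter using a sliding window of timestamps.
    Assumed design for illustration; not any carrier's real implementation."""

    def __init__(self, max_failures: int = 5, window_s: int = 900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = collections.defaultdict(collections.deque)

    def _prune(self, account: str, now: float) -> None:
        # Drop failures that have aged out of the window.
        q = self.failures[account]
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def allowed(self, account: str, now: float) -> bool:
        self._prune(account, now)
        return len(self.failures[account]) < self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now)
        self.failures[account].append(now)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, pin: str,
                  correct_pin: str, now: float) -> str:
    """Returns 'locked', 'ok' or 'wrong'. The limiter is consulted before the
    PIN is even checked, so a locked account leaks nothing about the PIN."""
    if not throttle.allowed(account, now):
        return "locked"
    if hmac.compare_digest(pin, correct_pin):   # constant-time comparison
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "wrong"


def simulate_burst(attempts: int = 10, max_failures: int = 5, window_s: int = 900) -> list:
    """Feed a burst of sequential wrong guesses at one account at the same
    instant. Without a limiter a 6-digit PIN space is only 10**6 guesses;
    with one, only max_failures guesses per window are ever evaluated."""
    t = LoginThrottle(max_failures, window_s)
    correct = "428193"   # constructed sample PIN, never reached in this burst
    return [attempt_login(t, "acct-1", f"{i:06d}", correct, now=0.0)
            for i in range(attempts)]


if __name__ == "__main__":
    print(simulate_burst())   # 5 x 'wrong', then 5 x 'locked'
```

Logging the `locked` outcomes per account and per source gives a detection signal as well: a sweep across many accounts shows up as many accounts hitting the limit in the same window, which is worth alerting on even though each account individually is protected.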


Your password is not safe with anyone. Use a unique, strong password for everything.


> Your password is not safe with anyone. Use a unique, strong password for everything.

While I agree, that is more easily said than done for most folks. Looking through my Keychain file, I have almost 850 internet password items. Assuming that about a third are duplicates (www.site.com vs site.com for example) that's still well over 500 different sites I have passwords for. Because I'm comfortable with Keychain, I let it generate strong passwords for me (I frequently associate custom email addresses with those passwords as well since I own a bunch of domains). Whenever I try to get others to use various password managers, they get confused and eventually fall back to writing passwords down or using the same password across sites.

Someone needs to get us away from passwords fast.




