Being in tech support, I can see a user's username and password. Sometimes, these are quite amazing considering that often users will contact us because they can't remember them.

I've found usernames and password that are based on obscenities.

I'm dreading the day when I get a call asking for a password and I have to tell the user that it's something like "f___you."

I had a user once whose son set up the user profile. The guy couldn't remember the username, but remembered enough of the password to stop me from spelling it out so I could change it for him. It was something like "lovetits."

It irks me. Oh, well, it's just part of the job, I guess.

At least your customers actually use them or try to hang onto them.

Some of mine expect me to remember their passwords for them. I maintain some 300+ computers and you expect me to remember yours 6 months from now? Heck, most can't even remember where they put their printer cd. How they remember my phone number is beyond me.

Yeah, it's a damn shame but they ALWAYS remember the phone number.

Any system that stores plain text passwords (even if only visible to so-called "trusted" tech support or admins) is broken from a security perspective.

Ah, but being in the support team, I have access to the encrypted database so I can see in what appears to be plain text, the usernames and passwords.

Ah ok.  Sorry, I meant that access to plain text passwords, via whatever mechanism, is poor form really.  It should be a so-called "one-way" encryption, so that you can blow away and reset a password but never see the decrypted version (well, for "normal mortals"...ignoring brute force number-crunch attacks).

when I was taking calls I used to love asking people to come up with NEW passwords. I wasn't able to see their passwords in plain text for most of our systems, but giving them the option to come up with one on the spot can lead to some very interesting conversations.

Quote from: Leslie Ann on August 04, 2009, 08:19:34 PM
Some of mine expect me to remember their passwords for them.

well, I had one lady that I talked to every day at around 5pm. every day!! and it did get to the point that I would no longer need to reset her password, I would just tell her what I set to it yesterday (and the day before, and the day before that....) 

---

Post Merge: August 05, 2009, 11:52:20 AM

---

Quote from: finewine on August 05, 2009, 09:43:42 AM
Any system that stores plain text passwords (even if only visible to so-called "trusted" tech support or admins) is broken from a security perspective.

half of my users store their passwords in plain text. written on a post it stuck to their monitors!   

lol!  Yeah that's pretty broken alright hehe

Being a bad IT guy, my passwords are stored in plain text in my Palm, but that file is in turn protected by a password quite different from any of my myriad passwords.