Virtually Me

Colin's Technical Ramblings


Thursday, February 16, 2006

I've come across an interesting piece which gives cause for concern over the way that hypervisors share HBAs.  "The HBA presents a WWN (World Wide Name) to the I/O driver of the server, and that server uses it as it will. In a virtual server mode, all of the server instances can see and access the same HBA - and all the same logical unit numbers (LUN) attached to it."

Read more.


Over the last couple of evenings I've had the misfortune to have to call BT's Broadband support line owing to the fact that my connection was down.  Okay, this is a bit of a niggle in what otherwise seems to be a fairly good and stable service, but I must admit that I am most concerned over their security practices, most notably their protection of my password.

There are two issues that give cause for concern:

  • Firstly, when attempting to log in to the service directly on the broadband router last night, I happened to notice that my password is displayed in plain text in the status bar - not good!
  • Secondly, the support operative asked for my account password.  This practice alone should be halted immediately; there should never be a need for a support operator or administrator to ask for someone else's account password for any system.  He went on to state that he had my password there in front of him.  This I find most worrying.  I'm reasonably okay with the concept that a mail administrator could potentially get into my mailbox if they really wished to (hey, my last grocery order from Ocado wasn't that exciting), but I am most perturbed to think that a support operative could stroll off to their local Internet café with my password and effectively masquerade as me online, accessing my mail and sending mail as me.

Come on BT, you are big enough to have good solid security practices in place.  If anyone from BT can justify their operatives holding their customers' passwords then please feel free to comment on this post.  I don't think that saying that they have to be able to handle a user forgetting their password will be good enough, as passwords can be reset.
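
The point that a forgotten password calls for a reset rather than a stored copy, sketched as an added example (not part of the original post, and not BT's system): a hypothetical CredentialStore keeps only a salt and an scrypt hash, so a support screen has nothing readable to show, and a forgotten password goes through a single-use, expiring reset token. All names, the 15-minute token lifetime and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024)
RESET_TTL = 900  # seconds a reset token stays valid (constructed value)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


class CredentialStore:
    """Hypothetical account store: keeps only salt + scrypt hash per user."""

    def __init__(self):
        self._users = {}   # username -> {"salt": bytes, "hash": bytes}
        self._resets = {}  # sha256(token) -> (username, expiry time)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "hash": _hash(password, salt)}

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            _hash(password, b"\0" * 16)  # same work for unknown users
            return False
        return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

    def support_view(self, user):
        # Everything a support operative's screen could show: no password.
        rec = self._users[user]
        return {"user": user, "salt": rec["salt"].hex(), "hash": rec["hash"].hex()}

    def start_reset(self, user, now=None):
        # The token goes to the customer out of band; only its digest is kept.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._resets[digest] = (user, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).digest()
        entry = self._resets.pop(digest, None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```
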