by GigabyteCoin 5467 days ago
What's to stop me (possible hover CSR, co-worker, whatever) from simply reading a high-profile customer's password and transferring all their million-dollar domain names to me later that night when I get home from work?

I have a pretty good memory. I bet I could remember 5-10 simple passwords and email addresses without writing anything down. Chances are the idiots use the same password for their email anyways.

Muahahaha, I'm rich, and your company is going down the tubes in a lawsuit. See you later!


Industry secret - at the most basic level, registrar and registry staffers don't need access to a customer account to manipulate a domain name. We've implemented tons of controls to manage who can do what, etc. but relying on customer passwords to safeguard domain names from internal tampering isn't really a great tactic.

What about the same scenario, but instead of altering domain records, a CSR logs into the customer's e-mail account, or bank account, and starts wreaking havoc?

What? If it's the same scenario then the CSR does not and never did have the password, they just have domain control panels. The whole point is that they can't do that.

I mean the scenario posed by GigabyteCoin, in which a CSR can read my password in plain text.

Oh. Well why would you ask freejack in particular about that? That's not how their security is set up.

Is it not? Passwords are in plain text in a database; I didn't see any comments where he said CSRs don't have access to them, he merely said that CSRs don't need access to them to muck around with their stuff.
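As an added illustration of the disagreement above (example code written for this page, not from any commenter or from any registrar): a plaintext customer row beside a salted-hash row, showing what a staffer who can read the raw database record learns in each case. The e-mail addresses, passwords and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample record: the situation the thread describes, where anyone
# who can read the row can read the password and reuse it wherever the
# customer reused it (e-mail, bank, other registrars).
PLAINTEXT_DB = {"alice@example.invalid": {"password": "hunter2"}}

ITERATIONS = 200_000  # PBKDF2-SHA256 work factor for the demo; tune for production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_hashed(db: dict, email: str, password: str) -> None:
    """Persist only a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    db[email] = {"salt": salt.hex(), "hash": hash_password(password, salt).hex()}


def verify(db: dict, email: str, password: str) -> bool:
    """Login check: recompute the hash; constant-time compare avoids a timing leak."""
    rec = db.get(email)
    if rec is None:
        return False
    expected = bytes.fromhex(rec["hash"])
    return hmac.compare_digest(hash_password(password, bytes.fromhex(rec["salt"])), expected)


def row_exposes_password(row: dict, password: str) -> bool:
    """What a staffer reading the raw row learns: is the password itself in it?"""
    return password in row.values()


def demo() -> dict:
    hashed_db: dict = {}
    store_hashed(hashed_db, "alice@example.invalid", "hunter2")
    store_hashed(hashed_db, "bob@example.invalid", "hunter2")  # same password, different salt
    alice = "alice@example.invalid"
    return {
        "plaintext_row_leaks": row_exposes_password(PLAINTEXT_DB[alice], "hunter2"),
        "hashed_row_leaks": row_exposes_password(hashed_db[alice], "hunter2"),
        "login_ok": verify(hashed_db, alice, "hunter2"),
        "wrong_password_rejected": not verify(hashed_db, alice, "hunter3"),
        # per-user salts mean two customers sharing a password do not share a hash
        "same_password_same_hash": hashed_db[alice]["hash"] == hashed_db["bob@example.invalid"]["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

The hashed row still lets the staffer reset or bypass the account through the control panel, as the first comment says; what it removes is the reusable secret.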