[freejack]

Industry secret - at the most basic level, registrar and registry staffers don't need access to a customer account to manipulate a domain name. We've implemented tons of controls to manage who can do what, etc. but relying on customer passwords to safeguard domain names from internal tampering isn't really a great tactic.

[pavel_lishin]

What about the same scenario, but instead of altering domain records, a CSR logs into the customer's e-mail account, or bank account, and starts wreaking havoc?

[Dylan16807]

What? If it's the same scenario then the CSR does not and never did have the password, they just have domain control panels. The whole point is that they can't do that.

[pavel_lishin]

I mean the scenario posed by Gigabytecoin, in which a CSR can read my password in plain text.

[Dylan16807]

Oh. Well why would you ask freejack in particular about that? That's not how their security is set up.

[pavel_lishin]

Is it not? Passwords are in plain text in a database; I didn't see any comments where he said CSR's don't have access to them, he merely said that CSR's don't need access to them to muck around with their stuff.