by cynwoody
4856 days ago
The fact that he had successfully logged in should have been good enough for that purpose. At most, a paranoid system might be designed to require a second login before a sensitive change, on the theory that a screen might have gone unattended. The outcome of that second logon (success or failure) is all that should be shown to a service rep. The system should immediately destroy the password after hashing it for comparison to the value stored in the database. This technique is decades old. However, I know of vendors who do store raw passwords. This is because I have been asked to change passwords of long standing that do not stand up to silly new rules about variety of character classes, etc. If they were one-way hashing, they could not have known my old password didn't pass muster.
Someone might have lifted his account password and logged into the website with it impersonating him on the chat, and so it only makes sense to then confirm identity by challenging for that password over the same chat where he is being impersonated... hey wait a second!
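The flow the comment describes (hash the password on entry, compare against the stored digest, keep no plaintext, and require a fresh re-authentication before a sensitive change whose outcome is only pass/fail), as an added example that is not part of the original post or of any vendor's code. The in-memory `_DB` dictionary, the `policy_ok` length rule and the function names are assumptions made for illustration; the hashing uses the standard-library `hashlib.pbkdf2_hmac` with a per-user random salt.

```python
import hashlib
import hmac
import os

# Assumed stand-in for the credential table: username -> (salt, digest).
# Only the salt and the one-way digest are ever stored; no plaintext.
_DB: dict[str, tuple[bytes, bytes]] = {}

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16
_DUMMY_SALT = b"\x00" * SALT_LEN


def _derive(password: str, salt: bytes) -> bytes:
    """One-way derivation; the caller discards the plaintext afterwards."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def policy_ok(password: str) -> bool:
    """Assumed complexity rule (stand-in for the 'character class' rules in the post).
    It can only be applied while the plaintext is in hand, i.e. at set/change time."""
    return len(password) >= 12


def set_password(username: str, password: str) -> bool:
    """Store a new credential. Returns False if the password fails policy."""
    if not policy_ok(password):
        return False
    salt = os.urandom(SALT_LEN)
    _DB[username] = (salt, _derive(password, salt))
    return True


def verify_login(username: str, password: str) -> bool:
    """Hash the supplied password and compare in constant time.
    Unknown users still pay the derivation cost so timing does not reveal
    whether an account exists. Nothing but True/False leaves this function."""
    rec = _DB.get(username)
    if rec is None:
        _derive(password, _DUMMY_SALT)
        return False
    salt, stored = rec
    return hmac.compare_digest(_derive(password, salt), stored)


def change_password(username: str, current: str, new: str) -> bool:
    """Sensitive change gated by a second logon, as the post suggests.
    The only thing a support rep (or a log) should see is this boolean."""
    if not verify_login(username, current):
        return False
    return set_password(username, new)


def stored_record_contains_plaintext(username: str, password: str) -> bool:
    """Sanity check: the stored bytes never contain the password itself."""
    salt, digest = _DB[username]
    return password.encode("utf-8") in salt + digest


if __name__ == "__main__":
    set_password("alice", "correct horse battery")
    print(verify_login("alice", "correct horse battery"))   # True
    print(verify_login("alice", "wrong"))                   # False
    print(change_password("alice", "wrong", "another long one"))           # False
    print(change_password("alice", "correct horse battery", "short"))      # False (policy)
    print(change_password("alice", "correct horse battery", "another long one"))  # True
```

Because the record holds only a salt and a digest, the system can evaluate a complexity rule against a password only at the moment the user types it (login or change); it cannot go back over stored credentials and grade them. A help-desk workflow that asks the user to recite the password over chat, rather than consuming a pass/fail result from a fresh logon, defeats the whole arrangement.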