by martypitt
4478 days ago
I was astonished to discover about 18 months ago that MelbourneIT, Australia's largest domain registrar, stores their users' passwords in plain text and displays them to the customer service reps during calls. I discovered this when, on a phone call, the agent asked me what my password was, and when I refused to tell him (but offered any other aspect of my account for identity), it took a lot of convincing to get the rep to serve me. If I were malicious, I could speculate that a little social engineering may have gotten the employee to give me the password.

EDIT: To clarify, it was a comment the rep made about my password that indicated he could see my password in clear text on his screen. I asked him, and he confirmed this.

I tweeted the CTO [1], who advised me they were working on the problem, but it was still several months away from being resolved. This level of insecurity from a major IT service provider was both shocking and inexcusable, in my humble opinion.

[1] https://twitter.com/marty_pitt/status/223622794490019843