Posted on July 16, 2007
I’m in the process of switching my mobile plan from Verizon Wireless to Sprint. While verifying my identity during several calls to customer service, I was very surprised that the reps asked me for my account password as part of the questions. No one should ever ask for this information, and you should never provide it if asked! With most* online services, all you need is a username and password to get complete access to an account. This gives the rep complete access without an audit trail, should the rep wish to conduct abuse (unlikely, but a highly insecure process nonetheless).
* More and more online services, especially financial institutions, are requiring information in addition to your username and password before granting account access. However, these cases are still few and far between.
It’s bad enough that we all have our social security numbers and credit card numbers floating around as easy fodder for identity theft, so we should avoid giving away the keys to the kingdom while we’re at it.
This was timely as there have been some blog posts lately regarding websites whose internal system constraints or politics (my own assumptions) force less secure passwords (ironically, the post I linked to is about a financial service). After having it drilled into my head over the years (and coming to the same conclusion myself) that a 6-character password doesn’t provide appropriate security, it’s too bad that some websites actually won’t let you choose longer ones.
Back to Sprint - I hope they reconsider their policy around establishing customer identity on the phone. At a minimum, asking for your password undermines efforts to establish trust in an increasingly online and digital world.