Providers Should NEVER Ask for Your Password
Posted on July 16, 2007
I’m in the process of switching my mobile plan from Verizon Wireless to Sprint. While verifying my identity during several calls to customer service, I was very surprised that the reps asked me for my account password as part of the questions. No one should ever ask for this information, and you should never provide it if asked! With most* online services, all you need is a username and password to get complete access to an account. Giving the rep your password therefore gives the rep complete access without an audit trail, should the rep wish to abuse it (unlikely, but a highly insecure process nonetheless).
* More and more online services, especially financial institutions, are requiring information in addition to your username and password before granting account access. However, these cases are still few and far between.
It’s bad enough that we all have our social security numbers and credit card numbers floating around as easy fodder for identity theft, so we should avoid giving away the keys to the kingdom while we’re at it.
This was timely as there have been some blog posts lately regarding websites whose internal system constraints or politics (my own assumptions) force less secure passwords (ironically, the post I linked to is about a financial service). After having it drilled into my head over the years (and coming to the same conclusion myself) that a 6-character password doesn’t provide appropriate security, it’s too bad that some websites actually won’t let you choose longer ones.
Back to Sprint – I hope they reconsider their policy around establishing customer identity on the phone. At a minimum, asking for your password undermines efforts to establish trust in an increasingly online and digital world.
Comments
My investment bank collects personal information in order to identify me and avoid asking for my password when I call for help. I actually find it intrusive and silly because how many times have we been asked “What’s your mother’s maiden name?” or “What’s your dog’s name?”. For one thing, those who care to do damage are often those who know me already or cared enough to figure out this information with very little effort. Anyone who thinks these questions are foolproof is only fooling themselves!
[Reply]
The bank I use has a really nice approach for telephone banking – they never ask for the whole password, simply 3 characters selected at random from within the password – e.g. 1st, 4th and 6th – followed by a previously defined personal question. Unlike Stephen, I’ve never found it intrusive and I’d be really uncomfortable if they wanted me to give my whole password to a stranger over the phone.
[Reply]
Why did you leave Verizon?
[Reply]