While senior technology editor Curt Franklin was hard at work testing authentication tokens for this issue's cover story, I coincidentally ran into some questionable authentication policies and practices as a user.

In lectures I've given and in classes I teach to network admins, I emphasize that people should never give their passwords to anyone. Your password and user name identify you to the network or servers. They are your digital ID and as such should be hidden through irreversible cryptography and protected from unauthorized alteration. But alas, as a customer I have dealt with two organizations, which will remain anonymous, that don't follow either principle.

Customer reps at my cell phone service provider always ask for my account password: the same password used to access my online account and authorize cell-phone plan, equipment and software purchases. I cringe every time I give it, fearing phone phreaks are tapping the call centers and gathering passwords.

One of the banks with which I do business just completed a migration from one online account system to another, which required a re-enrollment of all users to synchronize credentials. Of course, my re-enrollment didn't go smoothly, so there I was, again, reading off my vitals over the phone. Only this time, anyone capturing my banking information could have had much more fun.
