ISP criticised for distributing the same password to all new users with no firm instruction to change it

News by SC Staff

A European ISP has admitted that all new subscribers are given the same password.


The Dutch branch of Tele2 claimed that when a new subscriber signs up, they can choose a login or are assigned one and they are then sent a letter by Tele2 with their login name, password and the date their new DSL connection will be activated.

As the password is changed monthly instead of being generated randomly, all subscribers that signed up in the same month will have the same password.

Writing on the blog, author Martin claimed that the letter does not mention anywhere that the password should be changed, and that with the correct login and password an outsider can, among other things, view and change the customer's contact details and view their billing history.

He said that to make matters worse, the monthly password is easy to guess; for example, this month the password is “welkom” (welcome).

Martin said: “Upon the first login, you are asked whether you want to change your initial password, but this is not mandatory, and Tele2 says up to 60 per cent of their subscribers don't change the password when first asked to.”

In a response to the Dutch security website that first reported this, a spokesperson for the company said that they might consider making the password change mandatory, and that they will add additional language to the welcome letter explaining that it is important to change the password.

Martin said: “This will obviously not help; if you want to, you can guess the logins and access the account before the user him- or herself does and change it for them. Since you don't need the account info to make your DSL connection work, I expect that most people will never find out that their password doesn't work at all.

“If Tele2 manages to find somebody that has a clue about security, I'd like to suggest another improvement besides their password policy: adding https support to their webmail. It's bad enough that you are not automatically redirected to a secure logon page, but not even offering it as an option is simply amazing.”
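To make the weakness concrete, the following is an added example (not code from the article or from Tele2) that models the provisioning scheme described above beside a hardened form: a per-account random initial password whose change is enforced at login rather than merely suggested. Account names, the hashing parameters and the return codes are assumptions for illustration.

```python
import secrets
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    login: str
    pw_hash: bytes      # salted PBKDF2 hash of the current password
    salt: bytes
    must_change: bool   # enforced at login, not just offered as an option


def _hash(password: str, salt: bytes) -> bytes:
    # Hypothetical parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_shared(login: str, month_password: str) -> Account:
    """Model of the practice in the article: one password per month,
    shared by every subscriber signing up that month, change optional."""
    salt = secrets.token_bytes(16)
    return Account(login, _hash(month_password, salt), salt, must_change=False)


def provision_random(login: str) -> Tuple[Account, str]:
    """Hardened form: unguessable per-account initial password (returned so it
    can be sent to the subscriber), with a forced change on first login."""
    initial = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    return Account(login, _hash(initial, salt), salt, must_change=True), initial


def login(acct: Account, password: str, new_password: Optional[str] = None) -> str:
    """Returns "denied", "change_required" or "ok". While must_change is set,
    the only action the initial password permits is setting a new one."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "denied"
    if acct.must_change:
        if not new_password or new_password == password:
            return "change_required"
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.must_change = False
    return "ok"
```

Under `provision_shared`, every account created in the same month accepts the same password; under `provision_random`, the mailed password is unique per account and cannot be used for anything but replacing itself.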

