The Dutch branch of ISP Tele2, a European ISP that is active in 11 countries, has just admitted that they use the same password for all new subscribers. Their procedure goes like this:

  • When a new subscriber signs up, they can choose a login or are assigned one.
  • They are then sent a letter by Tele2 with their login name, password and the date their new DSL connection will be activated.
  • The password is changed monthly instead of being generated randomly per subscriber; that means all subscribers who signed up in the same month will have the same password!
  • The letter doesn’t mention the need to change this password anywhere…

With the correct login and password, you can, among other things, view and change the customer’s contact details and view their billing history. To make matters worse, the monthly password is easy to guess; for example, this month the password is “welkom” (welcome).

Upon the first login, you are asked whether you want to change your initial password, but this is not mandatory, and Tele2 says up to 60% of their subscribers don’t change the password when first asked to. In a response to the Dutch security website that first reported this, a spokesperson for the company said that they might consider making the password change mandatory, and that they will add additional language to the welcome letter explaining that it is important to change the password.

This will obviously not help; if you want to, you can guess the logins and access the account before the user him- or herself does and change it for them. Since you don’t need the account info to make your DSL connection work, I expect that most people will never find out that their password doesn’t work at all…
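As an added illustration (example code, not Tele2’s system), here is a small model of the provisioning flow done the way the post argues it should be: every subscriber gets their own random initial password, it must be replaced at first login, and it expires if unused. The 30-day validity window and the login names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, Optional

# Assumption: an initial password only has to survive until the letter arrives
# and the line is activated, so it is useless after 30 days.
INITIAL_PASSWORD_VALIDITY_DAYS = 30


def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SubscriberStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}

    def provision(self, login: str, signup_date: date) -> str:
        """Create an account with a unique random initial password and return
        it once so it can be printed in the welcome letter."""
        initial = secrets.token_urlsafe(12)   # per-subscriber, not per-month
        salt = secrets.token_bytes(16)
        self.accounts[login] = {
            "salt": salt,
            "hash": _hash(initial, salt),
            "must_change": True,
            "expires": signup_date + timedelta(days=INITIAL_PASSWORD_VALIDITY_DAYS),
        }
        return initial

    def login(self, login: str, password: str, today: date,
              new_password: Optional[str] = None) -> str:
        """Return 'ok', 'denied', 'expired' or 'change_required'."""
        acct = self.accounts.get(login)
        if acct is None or not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return "denied"
        if acct["must_change"]:
            if today > acct["expires"]:
                return "expired"            # unused initial password: re-issue out of band
            if not new_password or new_password == password:
                return "change_required"    # the change is mandatory, not a suggestion
            acct["salt"] = secrets.token_bytes(16)
            acct["hash"] = _hash(new_password, acct["salt"])
            acct["must_change"] = False     # the letter password now stops working
        return "ok"
```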

If Tele2 manages to find somebody who has a clue about security, I’d like to suggest another improvement besides their password policy: adding https support to their webmail. It’s bad enough that you are not automatically redirected to a secure logon page, but not even offering it as an option is simply amazing.