As my friend Matt Topper posted (only because he begged me to let him post first; I can’t stand seeing grown men cry), we’ve both experienced a number of cases lately where we’ve been disappointed by security practices we’ve observed. My personal pet peeve is when I call my cell phone provider and they attempt to verify my identity by asking for the password on the account. Now, I know what they’re asking for and I do have an online password that I use when visiting the website, but I instead tell them that I don’t know the password. They are just as happy to verify me by the last four digits of my SSN (which is another rant for another day). Anyway, I comply and as soon as I’ve been “verified” by this method, they read me the password on the account.
My primary gripe is not so much that they read me the password (which is stupid and wrong), but that they *could* read me the password. Why oh why is the password stored in any way that is retrievable? As Matt pointed out, there are almost countless, very well-documented ways to store passwords such that they are safe and non-retrievable (by the customer service reps or anyone else). I am not completely insensitive to the company’s issue when someone like my mother calls up because she forgot her password and just wants them to remind her what it is. However, I think it is silly that she had to call them; the “forgot password” link should verify identity and allow her to reset the password on the spot or email a validation link to her unique email address.
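To make the point concrete, here is an added example (my own sketch, not anything from the post or from any carrier’s systems) of what “non-retrievable” looks like using only Python’s standard library: the account record holds a salt and a slow one-way hash, so nobody with database access can read the password back, and the “forgot password” flow stores only the hash of a single-use, expiring reset token. The in-memory `ACCOUNTS` dict and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory "account database" for the example. The stored record
# never contains the password, only a random salt and a slow one-way hash.
ACCOUNTS = {}
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash_password(password, salt), "reset": None}

def verify_password(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def issue_reset_token(username: str, ttl_seconds: int = 900, now: Optional[float] = None) -> Optional[str]:
    """Return a one-time token to email to the account's address; only its hash is stored."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + ttl_seconds
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(), "expires": expires}
    return token

def reset_password(username: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    pending = rec["reset"]
    if (now if now is not None else time.time()) > pending["expires"]:
        rec["reset"] = None  # expired tokens are discarded, not kept around
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    rec["reset"] = None  # single use: a successful reset consumes the token
    salt = os.urandom(16)
    rec["salt"], rec["hash"] = salt, _hash_password(new_password, salt)
    return True
```

A support rep working against this record could help reset the password but could never read it out, which is exactly the property the post is asking for.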
So, my point is that there are many, many ways to protect me and my information, but it’s extremely frustrating to have to deal with vendors that just haven’t caught up with the last 30+ years of low-hanging fruit. If anyone from Sprint PCS IT is listening, please, oh my God please, fix this.