I'm sure 1&1 actually does encrypt the password, otherwise the tech support guy probably would have just opened up tim_rogers.txt and found his password there.
This sounds like 1&1 just doesn't have a real customer support story and should probably just be avoided if possible. Or find somewhere that lets you provide 2-part security (i.e., one for personal access and another for support access).
Author of the post said they should have some backend, and maybe they do, but I think the biggest problem was that they wanted him to authenticate himself as genuine with them by providing his password... they should have some other way to verify his identity without that.
(This is my personal opinion as a security professional and not the opinion of my employer)
I agree with your first point, or at least I'd imagine so. I've heard it suggested, though, that they don't, so who knows!
To me, it seems like they just have a badly thought-out verification process when they should be doing something else - for instance, they could just use the last four digits of your payment card or some other piece of relatively secret information. You have indeed crystallised what my issue is in this situation there!