topic plusnet still not hashing passwords in Plusnet Feedback

plusnet still not hashing passwords

wfl — Sat, 21 Mar 2015 22:35:19 GMT

What is going on, it's 2015 and plusnet are still not salt and hashing passwords. How does that meet with PCI compliance when they hold and process credit card info? I'm extremely disappointed to find Plusnet have still not addressed the serious failing having just been presented my password in the clear having followed the Fogotten My Password link

Re: plusnet still not hashing passwords

Strat — Sun, 22 Mar 2015 09:51:58 GMT

Interesting. I clicked the Forgotten My Password link and Plusnet sent me a password reminder email.
When I clicked the link in the email it took me to a page displaying my username and password.
To be honest I was expecting a password reset email with a link to a page enabling me to chose a different password.

Re: plusnet still not hashing passwords

x47c — Mon, 23 Mar 2015 19:40:21 GMT

probably because when doing a repair to a fault on your broadband the BTOR operative may have to have your password to be able to log in as you

Re: plusnet still not hashing passwords

pwatson — Mon, 23 Mar 2015 19:56:10 GMT

No, that's the purpose of the BT test login credentials!

Re: plusnet still not hashing passwords

jelv — Mon, 23 Mar 2015 20:25:46 GMT

Quote from: Strat
To be honest I was expecting a password reset email with a link to a page enabling me to chose a different password.

Great idea - not!
Would you like to guess how many people would reset their portal password and then find that their broadband connection was dead because the password in the router was wrong? What would make it worse that the broadband would only die when they reconnected which could be many days later so they wouldn't associate the lost connection with the password change.
Only once Plusnet start using different passwords for the portal and the connection authentication would this be a safe (and very good) suggestion.

Re: plusnet still not hashing passwords

Strat — Mon, 23 Mar 2015 20:32:00 GMT

It's fortunate that Plusnet account passwords don't get compromised then.

Re: plusnet still not hashing passwords

wfl — Tue, 24 Mar 2015 21:20:39 GMT

Now that's a better idea, different passwords for the members area and for your broadband log in. Then the member area password can be properly stored as a hash with no need for anyone to ever be able to read it. And there would be no excuse of engeneers might need it. Then add a proper password reset page.