topic Re: Secure Password Storage in Plusnet Feedback

Secure Password Storage

FreneticMonk — Wed, 27 Dec 2017 11:55:57 GMT

I've just spoken to a very friendly person in customer services (great on that front) who asked for two characters of my password. I was a little taken aback since what company does that in 2017?

Does anyone know how they verify these characters? Presumably they're not held in plaintext since with GDPR coming up they'd be getting a rather hefty fine very soon. I've found one third party blog post which suggests how you could create a secure partial password verification process here, but with another human doing the verifying over an unsecure phone line there's an obvious flaw to the implementation.

Re: Secure Password Storage

jab1 — Wed, 27 Dec 2017 12:23:28 GMT

My energy provider asks for verification info over the phone, at least one other ISP I know does. I do not know, so could be wrong here and I know PN won't confirm or deny (for obvious reasons), but I would imagine the advisor is only presented with the characters they ask you to provide, and not the full data.

Re: Secure Password Storage

FreneticMonk — Wed, 27 Dec 2017 14:04:16 GMT

I would expect PN to verify my identity, but I don't expect them to ask me to compromise my online account password in the process. Most companies are happy to confirm that they store all passwords as a salted hash, as should be standard, so if PN decline to comment we can only assume the worst case scenario.

I don't have so much of a problem with customer services seeing part of the password (although this is an issue), but if the data is stored in either plain text or with a reversible encryption method then any data breach would result in more information being exposed than necessary.

Re: Secure Password Storage

ScottStorey — Wed, 27 Dec 2017 23:26:00 GMT

It's not hashed. It can't be, if it was, CS wouldn't have any characters.

It's either encrypted and reversable or just plain text.

Re: Secure Password Storage

FreneticMonk — Thu, 28 Dec 2017 00:43:21 GMT

Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.

So everyone is fine with this? Are levels of apathy regarding our personal information really this high?

Re: Secure Password Storage

Alex — Thu, 28 Dec 2017 00:57:13 GMT

The only way I can see it is:

The passwords are encrypted with something like MD5 - which can be reversed engineered.
Plain text. I'm not being sarcastic but I had an on-line company about 10 years ago had their plain password table hacked and then we were told to change our passwords. Worse case scenario.
The 2 letters are stored in a separate table or field linking to the primary key of the password table. A way I would implement it is to have a trigger to update those fields when the main password field (from the other table) would change. Before encryption has been performed. Produce the two letters then encrypt the whole password into main password table. Then any letter check would have to come from those two fields not the encrypted password table. If you decide to change password via the Portal, then the update coming from there would update the letter check field.

It could be even better than that, when a new password trigger is activated, get the length of the new one and select two random chararacters and update the checksum database.

Can't really have more than two though I guess or you can argue it has your whole uncryted password.

Re: Secure Password Storage

jab1 — Thu, 28 Dec 2017 07:34:09 GMT

@FreneticMonk wrote:
Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.

So everyone is fine with this? Are levels of apathy regarding our personal information really this high?

I'm happy - so far as I'm aware, PN have only had their password storage hacked once - before I became a member - and at that time, I am given to understand, had some really bright people on board, so I'm guessing there was some effective action taken.

Just think yourself lucky you're not with TalkTalk, they leak like a colander.

Re: Secure Password Storage

Oldjim — Thu, 28 Dec 2017 08:53:37 GMT

password storage wasn't hacked - it was webmail a long time ago https://community.plus.net/t5/Plusnet-Blogs/Webmail-Incident-Report/ba-p/1313738

this post answers the original question https://community.plus.net/t5/Plusnet-Feedback/Plusnet-password-visible-to-call-centre-staff/m-p/1012452#M42589

Re: Secure Password Storage

jab1 — Thu, 28 Dec 2017 09:00:34 GMT

Thanks for the correction, @Oldjim - as I said, it was before my time here, and Iwasn't aware of the full details. So it wasn't anything really worrying.

Re: Secure Password Storage

Alex — Thu, 28 Dec 2017 09:39:07 GMT

jab1 wrote:
Just think yourself lucky you're not with TalkTalk, they leak like a colander.

I know @jab1, it is always concerning (to PlusNet I mean) whether PlusNet will be subject to an attack, being quite a high profile place.

I've worked for companies who you wouldn't know of, who were worried about the same thing.

You still get high profile companies hacked. Happened before, and will happen again.

P.S. On a lighter note, this thread does remind of the Harry Enfield sketch "You don't want to to it like that, you want to do it like this!".

Let be honest, how many people on here have bumped into people like that. I mean staff and non-staff too.

Re: Secure Password Storage

ejs — Sat, 30 Dec 2017 18:52:10 GMT

MD5 is not an encryption algorithm, it's a hash function.

This issue has been raised a few times before.

The problem probably originates from using the same password to access your account on the Plusnet website and for the PPP connection the router makes. Both ends of the PPP connection need to know the plaintext of the password.

So before you start considering better ways to store the password, you need to have different passwords for the account and for the PPP connection.

Re: Secure Password Storage

malky3200 — Fri, 04 May 2018 10:02:23 GMT

I called plusnet on this issue back in mid March 2018 (not for the first time)
I did get an answer. The answer was IMHO the worst case namely the password in the DB is stored as cleartext.
If you google "GCHQ plusnet password" or simply read this register article you will see why I was not surprised

1- Of course I immediately changed my password.
2- I asked plusnet "When will you be encrypting the passwords ?"
answer : "April the 17th 2018"
3- On the 19th of April I called back and asked if the passwords were enrypted or not. After the getting past the inevitable irrelevance of "we can only see 2 characters". The answer was "don't know", then on further investigation I was told that they had implemented the encryption of all account passwords on April the 17th 2018.
This does verify what I was told a month before. Therefore my guess is they have encrypted passwords, although clearly they can be reversed engineered, as they still ask for the 2 characters.
4- I changed my password once more.

If your password has not been changed since the 17th of April 2018 then in theory you are still vulnerable. Since no one of course knows if your password was read and captured before the 17th.
So if you are going to play it safe and change the plusnet password then be sure to also change on any email client that may be using the account password by default. And if you have a non-plusnet router you will need to change the plus net account password there also (not to be confused with the router password)

So on a day where twitter have done the right thing still there is no mention or even a hint of plus net customers being recommended to change their passwords. I have asked plus net this twice and they appear to have no plans to inform their customers. Looks like plus net are doing the "Hope Approach".

Re: Secure Password Storage

Alex — Fri, 04 May 2018 10:05:40 GMT

The best course of action in my opinion is to use a separate password for each account you have. With so many on-line accounts requiring passwords it can be a nightmare I know.

You have no control (not just talking about PlusNet - any company) on how they store it and how secure their platform is.

So if your PlusNet password were to be hacked, that is it. Only any use there and not elsewhere.

I keep an Excel sheet of my passwords for each company I use.

Re: Secure Password Storage

malky3200 — Fri, 04 May 2018 11:05:15 GMT

you'd be better using a encrypted password safe program
an Excel spreadsheet is hardly secure
plus a password safe/encryption program is very good indeed at generating strong passwords
in addition they are easier to use as such programs have functions that help with the process in ways that excel cannot

Re: Secure Password Storage

JonoH — Fri, 04 May 2018 11:25:44 GMT

@malky3200 wrote:

I called plusnet on this issue back in mid March 2018 (not for the first time)
I did get an answer. The answer was IMHO the worst case namely the password in the DB is stored as cleartext.
If you google "GCHQ plusnet password" or simply read this register article you will see why I was not surprised

I'm sorry that you were misinformed by one of our agents, whilst we generally for security purposes won't comment on our security methods I'm happy to debunk this myth. I'll be really clear but won't for reasons previously stated comment further.

We go to great lengths to ensure we protect and secure our customer data. Passwords are, and always have been, encrypted in our database.

We take the protection of our customers’ data extremely seriously and have a number of robust and resilient measures in place, which we constantly test and review

Re: Secure Password Storage

malky3200 — Fri, 04 May 2018 12:43:40 GMT

if I was misinformed.... then for the record it was 2 of your agents, several weeks apart.

In fact one stated the default email is in clear text which would certainly corroborate other reports from users.

The default email password is of course for many users also the account password.

So for the record - what was the job that was carried out relating to passwords and encryption on the 17th of April ? Or did both agents get this wrong also ?

Re: Secure Password Storage

JonoH — Fri, 04 May 2018 12:50:34 GMT

@malky3200 wrote:

if I was misinformed.... then for the record it was 2 of your agents, several weeks apart.

I know, I'm sorry that you were misinformed.

So for the record - what was the job that was carried out relating to passwords and encryption on the 17th of April ? Or did both agents get this wrong also ?

It was an improvement to our security practices, that we will not discuss further. Sorry.

Re: Secure Password Storage

malky3200 — Fri, 04 May 2018 13:59:36 GMT

fair enough

regardless I'm pretty sure I know what it is - As I was told on the phone, more than once
But I guess we'll never know if that is correct. I'd still change my password for that, for sure.

All I wanted to know at the time was
1 - do you store the passwords as clear text, I was told yes. (then again I did need to suggest a yes or a no was all that was relevant)
2 - when will you encrypt them in the DB, the answer of the 17th it now appears is the other reason, which I would not be mentioning either, fair enough.

Did I miss something or does plus net have a statement on this on the web ? I did ask on the calls and I was told no, but worth asking here I guess.

Re: Secure Password Storage

ConcernedUser — Sun, 13 May 2018 14:19:18 GMT

Came here after chatting with the support to start exactly the same topic only to see that someone already did.

Here is what we know:

- Customer support confirmed that they can check if 2 characters in your password are valid.

- Customer support asks different characters randomly

- After changing your password they can still validate characters in your new password.

- it's technically impossible to check separate letters in a secure, hashed and salted password.

It does not really matter how exactly they store passwords, it might be plaintext or XOR or any other crazy and insecure approach. Regardless, they encryption is reversible and it means that:

- Hundreds pf plusnet employees have access to your password

- Support has access to your passwords indirectly - by asking different letter each time they can eventually

- Hackers can steal full password database

- People who use the same password for more than one account(I'd estimate this number at up to 90%) can lose

- Millions, maybe tens of millions users are in a grave danger - they could lose access to everything - their social network accounts, their bank accounts, their email and any service they ever registered with the same account. They are at risk of fraud and identity theft.

It's a MASSIVE, INSANE security issue.

GDPR becomes enforceable on 25 May 2018.

All companies must guarantee the safety of the user data by then or face quite significant fines.

I suggest handing Plusnet GDPR Subject Access Request on that same day and they will have to respond within 30 days.

Re: Secure Password Storage

Strat — Sun, 13 May 2018 14:49:41 GMT

Moderator's note by Dick (Strat): Post released from Spam Filter.