https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883595#M88712 <P>That's true, I hadn't considered that possibility. Is that what Plusnet claim to do?</P> <P>&nbsp;</P> <P>It seems like an odd way of doing things though when there are lots of other security questions that could be asked.</P> Mon, 15 Aug 2022 08:33:48 GMT sdhuk 2022-08-15T08:33:48Z https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883504#M88710 <P>I was just asked by customer services to give two digits of my password, which means that it must be stored as (or retrievable as) plain text.</P> <P>&nbsp;</P> <P>There is no excuse these days for not salting / hashing passwords.</P> <P>&nbsp;</P> <P>The falls well short of the Information Comissioners Office Guidance on storing passwords now that GPDR is in force:</P> <P>&nbsp;</P> <P><A href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/" target="_blank" rel="noopener">https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/</A></P> Sun, 14 Aug 2022 14:40:50 GMT https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883504#M88710 sdhuk 2022-08-14T14:40:50Z https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883585#M88711 Must it? You sure about that?<BR /><BR />It is not impossible for specific two letter combinations to be stored as a hash in isolation from a hash of the whole password. Mon, 15 Aug 2022 07:51:27 GMT https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883585#M88711 Townman 2022-08-15T07:51:27Z https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883595#M88712 <P>That's true, I hadn't considered that possibility. Is that what Plusnet claim to do?</P> <P>&nbsp;</P> <P>It seems like an odd way of doing things though when there are lots of other security questions that could be asked.</P> Mon, 15 Aug 2022 08:33:48 GMT https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883595#M88712 sdhuk 2022-08-15T08:33:48Z https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883742#M88716 <P>I do not know what Plusnet does (or does not do) - this issue has been raised before and there have been assurances that full password decryption does not happen.</P> Mon, 15 Aug 2022 22:39:15 GMT https://community.plus.net/t5/Plusnet-Feedback/Plusnet-Password-Security-Vulnerability/m-p/1883742#M88716 Townman 2022-08-15T22:39:15Z