cancel
Showing results for 
Search instead for 
Did you mean: 

Is having my PlusNet account password stored in router a security risk?

myredhotcar
Grafter
Posts: 457
Registered: ‎06-11-2013

Is having my PlusNet account password stored in router a security risk?

Disclaimer: I've searched the forums with no luck, and this might be a stupid question  Tongue
It seems that it is standard with PlusNet to use your account password - the one to the main site where all billing details are stored - as the login password on the router, like so:

I am aware that it isn't necessarily particularly difficult to crack the security on routers, and that not broadcasting your AP name/MAC filtering offers no real protection when it comes to having a network cracked, but wireless is a necessity for me as not all my devices support wired connections. Therefore, it strikes me as odd that the password I use to login to PlusNet (indeed, all my credentials for the site) are on a device that is happy to announce its presence to anyone close enough to pick up the signal (of course omitting the online threat). Unless I am being exceptionally stupid I haven't yet found an option to change this behaviour.
So my question, to anyone with more networking nous than myself, is how much of a security threat is this, if at all? Is it not akin to having my Amazon credentials being beamed about the place? Is the password stored in the router as plain text or an easy to crack format (e.g. in a .cfg file), and can I change the router password independently of my main PlusNet password?
Thanks for your time (unless you have simply read the thread without replying, in which case I am at best ambivalent about the time you have spent  ;))

7 REPLIES 7
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Is having my PlusNet account password stored in router a security risk?

Good question and would be interesting to know the answer and/or if we could set a different password for the router to the rest of the logons.
What you might want to do is a backup of the router settings then open it with Notepad and search for your password.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Is having my PlusNet account password stored in router a security risk?

Within an old netgear router, yes the password will be stored in plain text. (In the Technicolor 582n, the ppp username and password are stored encrypted, if you save the settings to a file you can see they start with _DEV3_ then a load of hexadecimal digits. Although storing them using encryption might not really make any difference if you can easily retrieve at least the username if you can login to the router with the admin password.)
Is that a big security risk? Not really. How is someone going to get the password out of the router? Normally you would need the WPA key to connect to the wireless, and the router's admin password to access the settings in the router. You need the router password to put a netgear router into debug mode (to access the adsl stats via telnet), but after you've done that, no password is needed to telnet into the router from within your LAN.
You can't hide the wireless signals, so removing the network name from most (but not all) of the packets transmitted adds about as much security as removing the house numbers from your front door would do for improving your home security.
A wireless network should be adequately secure if you use a long, difficult to guess wireless passphrase, set the network to WPA2 only, and disable WPS.
myredhotcar
Grafter
Posts: 457
Registered: ‎06-11-2013

Re: Is having my PlusNet account password stored in router a security risk?

Thanks for the answers so far.
@picbits:
With my DG834GT the password is stored in the .cfg in plain text and is pretty obvious when I open it with gedit. I would appreciate the option to change this password independently of my account password.
@ejs
Couldn't the WPA2 protection be cracked using a sniffer and other tools? If so wouldn't the same go for the user-name and password of the router? I have WPS disabled and my password is relatively strong (a dictionary attack would fail at least), but I am uneasy knowing the data is sat there on the router. I know a person would not be able to access all my card details as some of it is blanked out automatically but doesn't the same go for Amazon? With Amazon, if I want to add a new address (I assume a fraudster would not want stolen goods delivered to my postal address) I have to re-enter the full card number, but I would still be unhappy knowing that someone could access the existing data.
Does anyone from PlusNet have any input? Is there a way to change the router password independently of my account password?
Strikes me as a bit odd and needlessly cavalier, 'tis all.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Is having my PlusNet account password stored in router a security risk?

Quote from: myredhotcar
Couldn't the WPA2 protection be cracked using a sniffer and other tools?

No. Or at least not quickly. Why not try it for yourself with aircrack-ng.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Is having my PlusNet account password stored in router a security risk?

Quote from: myredhotcar
Is there a way to change the router password independently of my account password?

Many other ISPs do exactly the same thing.  The password your router uses to authenticate your internet access is the same password you use to access your account details online.  As such, I don't think there is anything you or Plusnet can do.
Suppose somebody cracks your Plusnet password.  What are they going to do with it?  They'll most probably just send out a few spam emails.  That's what happened to the BT clients who had their passwords cracked or stolen.   
myredhotcar
Grafter
Posts: 457
Registered: ‎06-11-2013

Re: Is having my PlusNet account password stored in router a security risk?

Thanks for the input folks, the general consensus so far seems to be that to acquire my details someone would need time, software and inclination; not a great deal could be done with it anyway; I might be paranoid  Cheesy I was already aware of these points though.
@ ejs
It seemed easier to post a question on this forum to be honest, where others know  far more than I in this area. I'm unsure if time needed to crack my password being a defence would be a primary concern though. 
@ ReedRichards
I am aware of this but I wonder if all do? I don't have vast experience with ISPs. Maybe it's the norm. To be fair would choosing two passwords - or having the option to choose a second once online - be massively complicated for an ISP? If someone cracks my password they can't do much. Maybe place an order for a fibre upgrade (I don't if this is possible without some form of additional security), unless you need a card set up, which I don't as I pay DD. But why should we worry about our logins for any sites, except maybe online banking?
This isn't a huge issue for me and I won't lose sleep, simply curious.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Is having my PlusNet account password stored in router a security risk?

BT don't use this system but it has not got them anywhere.  Their routers use a generic login and authentication is tied to the telephone number.  In spite of this precaution, I keep encountering BT clients who have had their passwords compromised; many more than with all other ISPs put together.