Passwords and learning from others mistakes
13-12-2007 2:43 PM
You may have noticed the recent press about Fasthosts and their password problems (in short they stored users' passwords unencrypted/unhashed, someone managed to hack in and steal the passwords).
I had cause to call up Plusnet tech support and was very surprised to be asked my password by the operative who answered the phone.
This suggested to me that either Plusnet stored passwords in plain text, or that at least one Plusnet employee now knows my password.
I wonder if Plusnet have any plans to move away from this method of storing passwords in plain or requiring users to supply them to operatives. (Part of me hopes that the employee was following Plusnet processes and not just harvesting passwords for their own nefarious purposes).
I don't really need the Fasthosts problems to understand why being asked for my password is bad, nor am I so naive as to not understand how beneficial knowing the U/P of the user is to support. But in light of current problems at other places I wonder if the tide is changing and if Plusnet feel that they should do things differently?
Re: Passwords and learning from others mistakes
13-12-2007 3:07 PM
I assume that you have since changed your password?
See https://www.grc.com/passwords.htm for a difficult password.
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Passwords and learning from others mistakes
13-12-2007 3:17 PM
Customers' passwords are encrypted on our system. In order to pass the data protection checks we need to verify that you are in fact the account holder, so to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.
Hope this helps.
Re: Passwords and learning from others mistakes
13-12-2007 3:27 PM
Quote from: Chris Interesting question and a very relevant one.
Customers' passwords are encrypted on our system. In order to pass the data protection checks we need to verify that you are in fact the account holder, so to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.
Hope this helps.
Thanks for the reply, that instills a little more confidence. But operatives do get to see the whole password, though that access is logged?
Thank you.
Re: Passwords and learning from others mistakes
13-12-2007 3:29 PM
Quote from: axisofevil In what context were you asked for your password?
I assume that you have since changed your password?
I called to discuss a home move process, and no I've not changed the password yet (it's only used for Plusnet, so no cross-contamination).
Re: Passwords and learning from others mistakes
13-12-2007 4:30 PM
Quote from: phil4 I called to discuss a home move process, and no I've not changed the password yet (it's only used for Plusnet, so no cross-contamination).
I've realized that the widespread nature of the PlusNet site means that using a weak password is very bad. I tend to use a very weak password for non-financial related transactions.
On PlusNet I can sign in and see part of my sort code and part of my account number - but my full bank account name. Provided I'm not called John Smith, there are many searches that would give my full name and address.
I'm going to change my PlusNet password immediately!!!
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Passwords and learning from others mistakes
13-12-2007 5:40 PM
Could the system not be set so that only two random characters are shown to the agent for requesting the security check?
This would, probably, give many more people peace of mind.
Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still
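Added example, not part of the thread and not Plusnet's code: a sketch of the check suggested in the post above, where the agent's screen only ever receives two positions and a pass/fail result while the comparison happens server-side and every action is audited. The class name, the lockout threshold and the in-memory `vault` (a stand-in for the server decrypting the stored password) are assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 3  # assumed lockout threshold, not from the thread


class PartialPasswordVerifier:
    """Server-side check: the agent sees positions and pass/fail, never the password."""

    def __init__(self, vault):
        self._vault = vault    # account -> password; stand-in for server-side decryption
        self._pending = {}     # (agent, account) -> positions that were asked
        self._failures = {}    # account -> consecutive failed checks
        self.audit = []        # record of every agent action, without secrets

    def _log(self, agent, account, event):
        self.audit.append((time.time(), agent, account, event))

    def issue_challenge(self, agent, account):
        if self._failures.get(account, 0) >= MAX_FAILURES:
            self._log(agent, account, "challenge refused: locked")
            return None
        length = len(self._vault[account])
        rng = secrets.SystemRandom()
        positions = tuple(sorted(rng.sample(range(1, length + 1), 2)))
        self._pending[(agent, account)] = positions
        self._log(agent, account, f"challenge issued {positions}")
        return positions  # 1-based positions for the agent to read to the caller

    def check(self, agent, account, answers):
        positions = self._pending.pop((agent, account), None)  # single use
        if positions is None:
            self._log(agent, account, "check without challenge")
            return False
        password = self._vault[account]
        expected = "".join(password[p - 1] for p in positions)
        supplied = "".join(answers)
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        self._failures[account] = 0 if ok else self._failures.get(account, 0) + 1
        self._log(agent, account, "check passed" if ok else "check failed")
        return ok
```

A full-password reveal, such as the "dial test" case raised later in the thread, would remain a separate, individually logged action rather than part of this routine check.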
Re: Passwords and learning from others mistakes
13-12-2007 5:43 PM
I appreciate the security concerns, however with the audit trail in place we cover the issues.
Re: Passwords and learning from others mistakes
13-12-2007 5:50 PM
Re: Passwords and learning from others mistakes
13-12-2007 5:53 PM
I've highlighted this thread to our Security Manager.
Re: Passwords and learning from others mistakes
13-12-2007 8:36 PM
Quote from: Spider A better system would be that each staff member has a set of privileges and their own unique password.
This is already the case now.
Bob Pullen
Plusnet Product Team
Re: Passwords and learning from others mistakes
13-12-2007 8:59 PM
Re: Passwords and learning from others mistakes
13-12-2007 9:26 PM
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month)
Re: Passwords and learning from others mistakes
13-12-2007 9:36 PM
Re: Passwords and learning from others mistakes
13-12-2007 9:37 PM
There would still be occasions when they would need the full password. For example a "dial test" (on a test ADSL line they put the users login and password to check how the system behaves - needed if incorrect service offering problems are suspected).
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month)