
Passwords and learning from others mistakes

phil4
Grafter
Posts: 244
Registered: 13-12-2007

Passwords and learning from others mistakes

Dear Plusnet,
You may have noticed the recent press about Fasthosts and their password problems (in short they stored users' passwords unencrypted/unhashed, someone managed to hack in and steal the passwords).
I had cause to call up Plusnet tech support and was very surprised to be asked my password by the operative who answered the phone.
This suggested to me that either Plusnet stored passwords in plain text, or that at least one Plusnet employee now knows my password.
I wonder if Plusnet have any plans to move away from this method of storing passwords in plain or requiring users to supply them to operatives.  (Part of me hopes that the employee was following Plusnet processes and not just harvesting passwords for their own nefarious purposes).
I don't really need the Fasthosts problems to understand why being asked for my password is bad, nor am I so naive as to not understand how beneficial knowing the U/P of the user is to support.  But in light of current problems at other places I wonder if the tide is changing and if Plusnet feel that they should do things differently?
35 REPLIES
VileReynard
Seasoned Pro
Posts: 10,676
Thanks: 210
Fixes: 9
Registered: 01-09-2007

Re: Passwords and learning from others mistakes

In what context were you asked for your password?
I assume that you have since changed your password?
See https://www.grc.com/passwords.htm for a difficult password.

Plusnet Staff
Plusnet Staff
Posts: 17,641
Thanks: 535
Fixes: 159
Registered: 05-04-2007

Re: Passwords and learning from others mistakes

Interesting question and a very relevant one.
Customers' passwords are encrypted on our system. In order to pass the data protection checks we need to verify that you are in fact the account holder, so to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.
Hope this helps.
 Chris Parr
 Plusnet Staff
phil4
Grafter
Posts: 244
Registered: 13-12-2007

Re: Passwords and learning from others mistakes

Quote from: Chris
Interesting question and a very relevant one.
Customers' passwords are encrypted on our system. In order to pass the data protection checks we need to verify that you are in fact the account holder, so to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.
Hope this helps.

Thanks for the reply, that instills a little more confidence.  But operatives do get to see the whole password, though that access is logged?
Thank you.
phil4
Grafter
Posts: 244
Registered: 13-12-2007

Re: Passwords and learning from others mistakes

Quote from: axisofevil
In what context were you asked for your password?
I assume that you have since changed your password?

I called to discuss a home move process, and no I've not changed the password yet (it's only used for Plusnet, so no cross-contamination).
VileReynard
Seasoned Pro
Posts: 10,676
Thanks: 210
Fixes: 9
Registered: 01-09-2007

Re: Passwords and learning from others mistakes

Quote from: phil4
I called to discuss a home move process, and no I've not changed the password yet (it's only used for Plusnet, so no cross-contamination).

I've realized that the widespread nature of the PlusNet site means that using a weak password is very bad. I tend to use a very weak password for non-financial related transactions.
On PlusNet I can sign in and see part of my sort code and part of my account number - but my full bank account name. Provided I'm not called John Smith, there are many searches that would give my full name and address.
I'm going to change my PlusNet password immediately!!!

Moderator
Moderator
Posts: 17,081
Thanks: 2,061
Fixes: 142
Registered: 06-04-2007

Re: Passwords and learning from others mistakes

I have never been asked for my full password when telephoning support, only the last two characters. I assumed, it seems wrongly, that the CS agent could only see those two characters.
Could the system not be set so that only two random characters are shown to the agent for requesting the security check?
This would, probably, give many more people peace of mind.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Plusnet Staff
Plusnet Staff
Posts: 17,641
Thanks: 535
Fixes: 159
Registered: 05-04-2007

Re: Passwords and learning from others mistakes

The question that then throws up is how do we perform diagnostics? We sometimes need to dialtest as a customer, or log on to a mailbox, or try logging in to the portal. Without the full password this wouldn't be possible.
I appreciate the security concerns, however with the audit trail in place we cover the issues.
 Chris Parr
 Plusnet Staff
Community Veteran
Posts: 1,100
Registered: 05-04-2007

Re: Passwords and learning from others mistakes

I would disagree. You may be able to trace who accessed the account but it would not stop the breach in the first place. A better system would be that each staff member has a set of privileges and their own unique password. They could then access the customer's account (but only to the level set by the privilege) via this back door route and the access would be logged. The password in full should never be available on screen for anybody to see!
James
Grafter
Posts: 21,036
Registered: 04-04-2007

Re: Passwords and learning from others mistakes

Hi guys,
I've highlighted this thread to our Security Manager.
Community Gaffer
Community Gaffer
Posts: 13,006
Thanks: 792
Fixes: 70
Registered: 04-04-2007

Re: Passwords and learning from others mistakes

Quote from: Spider
A better system would be that each staff member has a set of privileges and their own unique password.

This is already the case now.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

Community Veteran
Posts: 1,100
Registered: 05-04-2007

Re: Passwords and learning from others mistakes

In which case why would a staff member need to see the customer's password or have need to use it?
Community Veteran
Posts: 26,543
Thanks: 788
Fixes: 9
Registered: 10-04-2007

Re: Passwords and learning from others mistakes

As a way of confirming that the person they are speaking to on the phone is the account holder - which brings us back to where this topic started!
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
Community Veteran
Posts: 1,100
Registered: 05-04-2007

Re: Passwords and learning from others mistakes

This does not need a staff member to see the full password. The system could ask for 2 letters at random. The staff member then inputs the customer's response into the system. The system checks the letters and then says whether they are correct or not.
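
The check proposed in the post above, sketched as an added example (it is not part of the thread and not Plusnet's system): the service picks two random positions, the agent types in what the caller says, and only a pass/fail result comes back. The class, account id, agent id and sample password are hypothetical; the dictionary stands in for the encrypted store mentioned earlier in the thread, since checking individual characters requires a recoverable password rather than a one-way hash.

```python
import hmac
import secrets

# Constructed stand-in for the encrypted credential store; in a real system
# the password would be decrypted only inside verify(), never on a screen.
_VAULT = {"customer-1001": "correct-horse-42"}   # constructed sample data
_MAX_FAILURES = 3   # two characters are guessable, so failed checks are capped


class PartialPasswordCheck:
    def __init__(self, vault):
        self._vault = vault
        self._pending = {}    # challenge id -> (account, zero-based positions)
        self._failures = {}   # account -> consecutive failed checks
        self.audit = []       # (agent, account, event) tuples

    def challenge(self, agent, account):
        """Pick two distinct random positions; the agent sees only these."""
        if self._failures.get(account, 0) >= _MAX_FAILURES:
            self.audit.append((agent, account, "locked"))
            return None, ()
        length = len(self._vault[account])
        positions = tuple(sorted(secrets.SystemRandom().sample(range(length), 2)))
        cid = secrets.token_hex(8)
        self._pending[cid] = (account, positions)
        self.audit.append((agent, account, "challenge"))
        return cid, tuple(p + 1 for p in positions)   # 1-based for the caller

    def verify(self, agent, cid, answers):
        """Return only True/False; each challenge can be answered once."""
        account, positions = self._pending.pop(cid, (None, ()))
        if account is None:
            return False      # unknown or already-used challenge
        expected = "".join(self._vault[account][p] for p in positions)
        supplied = "".join(answers)
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        self._failures[account] = 0 if ok else self._failures.get(account, 0) + 1
        self.audit.append((agent, account, "pass" if ok else "fail"))
        return ok
```
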
Community Veteran
Posts: 26,543
Thanks: 788
Fixes: 9
Registered: 10-04-2007

Re: Passwords and learning from others mistakes

Good idea!
There would still be occasions when they would need the full password. For example a "dial test" (on a test ADSL line they put the users login and password to check how the system behaves - needed if incorrect service offering problems are suspected).
jelv (a.k.a Spoon Whittler)