Passwords and learning from others mistakes
Re: Passwords and learning from others mistakes
13-12-2007 9:46 PM
Re: Passwords and learning from others mistakes
13-12-2007 9:55 PM
To emulate the customer's system it's done on a standalone PC with either a modem or router plugged in to a separate BT line with ADSL enabled. It will have no access to the internal Plusnet systems.
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month) |
Re: Passwords and learning from others mistakes
13-12-2007 10:20 PM
One possibility. For each customer account there are two passwords, the customer's own and an auto-generated one. When the staff member needs to test the connection they log in to the main system and switch the password from the customer's to the auto-generated one. They then use this temp password to carry out the tests. Once completed they switch the password back to the original. The customer has not had to reveal their password and the temp one is no longer any use because it would be superseded at the next test.
Re: Passwords and learning from others mistakes
13-12-2007 10:36 PM
Quote from: Spider The staff member then inputs the customer's response into the system. The system checks the letters and then says whether they are correct or not.
Isn't that what I suggested earlier?
Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still
Re: Passwords and learning from others mistakes
13-12-2007 10:51 PM
Quote from: jelv There would still be occasions when they would need the full password. For example a "dial test" (on a test ADSL line they put the users login and password to check how the system behaves - needed if incorrect service offering problems are suspected).
Can I suggest that the customer would be offered the opportunity of the following procedure:-
- PlusNet change the password to some "single-usage" password (decided by PlusNet).
- The user applies this to any router settings etc (as advised by PlusNet)
- When the problem has been fixed and the user signs on (using the new password), they are forced to change it.
- Ideally, PlusNet would never reuse any passwords generated by themselves.
Obviously, this would be too complicated for new or particularly short-tempered users.
"In The Beginning Was The Word, And The Word Was Aardvark."
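The two procedures proposed so far in the thread (a generated password that staff switch to for a test and then switch back, and a single-use password the customer must change), sketched as an added example that is not part of any post and not Plusnet's code. The `Account` class, its method names and the PBKDF2 settings are assumptions for illustration; the customer's own password is held only as a hash throughout.

```python
import hashlib
import hmac
import secrets


def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:  # hypothetical record, not a real Plusnet structure
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.own = kdf(password, self.salt)  # customer's password, hash only
        self.temp = None           # active generated password, if any
        self.must_change = False   # set when the customer is given a temp
        self.issued = set()        # hashes of every generated password

    def _generate(self) -> str:
        while True:
            pw = secrets.token_urlsafe(12)
            h = kdf(pw, self.salt)
            if h not in self.issued:       # never reuse a generated password
                self.issued.add(h)
                self.temp = h              # supersedes any earlier temp
                return pw

    def start_test(self) -> str:
        """Two-password variant: staff test with a generated password."""
        return self._generate()

    def end_test(self) -> None:
        """Switch back; the temp is dead and the customer's own is active."""
        self.temp = None

    def issue_single_use(self) -> str:
        """Forced-change variant: the customer logs in with this once."""
        self.must_change = True
        return self._generate()

    def login(self, password: str) -> bool:
        active = self.temp if self.temp is not None else self.own
        return hmac.compare_digest(kdf(password, self.salt), active)

    def change_password(self, current: str, new: str) -> bool:
        if not self.login(current) or kdf(new, self.salt) in self.issued:
            return False
        self.own, self.temp, self.must_change = kdf(new, self.salt), None, False
        return True
```

While a test password is active the customer's own password does not log in, which matches the assumption quoted later in the thread that staff and customer cannot be logged in at the same time.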
Re: Passwords and learning from others mistakes
13-12-2007 10:55 PM
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month) |
Re: Passwords and learning from others mistakes
13-12-2007 11:25 PM
Quote from: jelv Given the trouble that a lot of users have configuring their routers with the username and password anyway (look at the top five call reasons in the EOD blog) I can see imposing a change of password which has to be done in three places (portal, modem/router and email settings) being very popular - not!
I've just done it - very tedious though!
I was only suggesting it as an option which could be offered to security paranoid users.
Can I suggest then, that you at least enforce a mixture of upper/lower case and a numeric character in new passwords?
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Passwords and learning from others mistakes
14-12-2007 6:51 AM
Quote from: Mav
Quote from: Spider The staff member then inputs the customer's response into the system. The system checks the letters and then says whether they are correct or not.
Isn't that what I suggested earlier?
Not quite. I am suggesting that the staff member never sees the letters. They only know what to enter in the blank fields when the customer gives them. In both cases the system would decide which letters to use but in my suggestion staff would only see 'Letter 2 from the password' with a blank entry box for example.
@Mav apologies if I misunderstood your suggestion though.
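The blind letter check described in the post above, as an added example that is not part of the thread and not Plusnet's code. It assumes a verification service holding a key the support tool never sees; `enroll`, `challenge`, `verify` and the record layout are hypothetical names. A single hash of the whole password cannot confirm one letter, so the sketch stores one keyed verifier per position; those verifiers cover single characters and are only as safe as the key.

```python
import hashlib
import hmac
import secrets

# Assumption: this key exists only inside the verification service.
SERVER_KEY = secrets.token_bytes(32)
MAX_ATTEMPTS = 3


def _tag(account: str, pos: int, ch: str) -> bytes:
    """Keyed verifier for one character at one position of one account."""
    msg = f"{account}\x00{pos}\x00{ch}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enroll(account: str, password: str) -> dict:
    """Build the stored record: one verifier per password position."""
    tags = [_tag(account, i, c) for i, c in enumerate(password)]
    return {"account": account, "tags": tags, "challenge": None, "fails": 0}


def challenge(rec: dict, count: int = 3) -> list:
    """Pick positions once and keep them until answered correctly, so a
    caller cannot keep asking until positions they know come up."""
    if rec["challenge"] is None:
        count = min(count, len(rec["tags"]))
        picks = secrets.SystemRandom().sample(range(len(rec["tags"])), count)
        rec["challenge"] = sorted(picks)
    return [p + 1 for p in rec["challenge"]]  # 1-based: "Letter 2"


def verify(rec: dict, answers: dict) -> bool:
    """answers maps 1-based position -> the character staff typed in.
    Only pass/fail comes back; no stored letter is shown to staff."""
    if rec["fails"] >= MAX_ATTEMPTS or rec["challenge"] is None:
        return False
    ok = True
    for p in rec["challenge"]:
        given = _tag(rec["account"], p, answers.get(p + 1, ""))
        ok &= hmac.compare_digest(given, rec["tags"][p])
    if ok:
        rec["challenge"], rec["fails"] = None, 0
    else:
        rec["fails"] += 1
    return ok
```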
Re: Passwords and learning from others mistakes
14-12-2007 3:45 PM
It's a nice model for websites and the like, but I can see how configuring an ADSL modem/router gets in the way of that... so perhaps 2 passwords would be more sensible. One system generated for the ADSL modem (which most likely won't change too much once the user has settled in), and one for the portal/email/forums, which are where most of the sensitive info is.
Re: Passwords and learning from others mistakes
14-12-2007 4:36 PM
It is absolutely imperative for CSC analysts to have access to customers' passwords. This is not merely for DPA, but the number of queries we get regarding customers not being able to log into their mailboxes, portal and connection is always going to be one of the largest reasons for inbound contacts. As such, it is vital that they are able to see the passwords in order to troubleshoot.
We have had to take a compromise of these only being viewable on a separate page, allowing an audit trail, as opposed to hashing the password detail.
Re: Passwords and learning from others mistakes
14-12-2007 5:46 PM
Re: Passwords and learning from others mistakes
15-12-2007 5:15 AM
Quote from: Spider I am working on the assumption that Plusnet and the customer can't log in at the same time.
One possibility. For each customer account there are two passwords, the customer's own and an auto-generated one. When the staff member needs to test the connection they log in to the main system and switch the password from the customer's to the auto-generated one. They then use this temp password to carry out the tests. Once completed they switch the password back to the original. The customer has not had to reveal their password and the temp one is no longer any use because it would be superseded at the next test.
My alarm company use this (ADT). I think it's the way to go.
Are Plusnet staff security vetted before they are given a job?
Puddy
Re: Passwords and learning from others mistakes
15-12-2007 8:44 PM
I assume that they have full access to your account information anyway, otherwise billing would be impossible.
Re: Passwords and learning from others mistakes
15-12-2007 8:51 PM
Quote Are Plusnet staff security vetted before they are given a job?
No, but we do all sign a non-disclosure agreement as part of our contracts meaning that release of any information would lead to legal proceedings.
Re: Passwords and learning from others mistakes
17-12-2007 12:45 PM
PN staff with the correct privileges can see whatever details are stored by them anyway.
Your password is for just one purpose:
Identifying you to PlusNet
Nothing more or less.
When you connect to your ADSL it tells them who you are and who to record the usage against.
When you log into the portal it identifies you as the account holder.
When you call up, it performs the same task.
I don't see that there is a problem with them being able to see your password, other than that they *could* pretend to be you.
They all get free BB anyhow, and they can't see anything more by seeing your password than they would if they couldn't see your password, so what advantage would they gain by logging in as you?