
Passwords and learning from others mistakes

Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

The next development would be an auto test that uses the customer's login and password. Same again, there would be no need for staff to see the password. They would only be able to run the test if their logon privileges let them.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Passwords and learning from others mistakes

How?
To emulate the customer's system it's done on a standalone PC with either a modem or router plugged in to a separate BT line with ADSL enabled. It will have no access to the internal Plusnet systems.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

I am working on the assumption that Plusnet and the customer can't log in at the same time.
One possibility. For each customer account there are two passwords, the customer's own and an auto-generated one. When the staff member needs to test the connection they log in to the main system and switch the password from the customer's to the auto-generated one. They then use this temp password to carry out the tests. Once completed they switch the password back to the original. The customer has not had to reveal their password and the temp one is no longer any use because it would be superseded at the next test.
Mav
Moderator
Posts: 22,392
Thanks: 4,736
Fixes: 515
Registered: ‎06-04-2007

Re: Passwords and learning from others mistakes

Quote from: Spider
The staff member then inputs the customer's response into the system. The system checks the letters and then says whether they are correct or not.

Isn't that what I suggested earlier. Wink

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Passwords and learning from others mistakes

Quote from: jelv
There would still be occasions when they would need the full password. For example a "dial test" (on a test ADSL line they put the users login and password to check how the system behaves - needed if incorrect service offering problems are suspected).

Can I suggest that the customer would be offered the opportunity of the following procedure:-

  • PlusNet change the password to some "single-usage" password (decided by PlusNet).

  • The user applies this to any router settings etc (as advised by PlusNet)

  • When the problem has been fixed and the user signs on (using the new password), they are forced to change it.

  • Ideally, PlusNet would never reuse any passwords generated by themselves.


Obviously, this would be too complicated for new or particularly short-tempered users Grin

"In The Beginning Was The Word, And The Word Was Aardvark."

jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Passwords and learning from others mistakes

Given the trouble that a lot of users have configuring their routers with the username and password anyway (look at the top five call reasons in the EOD blog) I can see imposing a change of password which has to be done in three places (portal, modem/router and email settings) being very popular - not!
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Passwords and learning from others mistakes

Quote from: jelv
Given the trouble that a lot of users have configuring their routers with the username and password anyway (look at the top five call reasons in the EOD blog) I can see imposing a change of password which has to be done in three places (portal, modem/router and email settings) being very popular - not!

I've just done it - very tedious though!
I was only suggesting it as an option which could be offered to security paranoid users.
Can I suggest then, that you at least enforce a mixture of upper/lower case and a numeric character in new passwords?


Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

Quote from: Mav
Quote from: Spider
The staff member then inputs the customer's response into the system. The system checks the letters and then says whether they are correct or not.

Isn't that what I suggested earlier. Wink

Not quite. I am suggesting that the staff member never sees the letters. They only know what to enter in the blank fields when the customer gives them. In both cases the system would decide which letters to use, but in my suggestion staff would only see 'Letter 2 from the password' with a blank entry box, for example.
@Mav apologies if I misunderstood your suggestion though.
phil4
Grafter
Posts: 244
Registered: ‎13-12-2007

Re: Passwords and learning from others mistakes

We use something here very similar to the way Windows Domain Controllers work, i.e. the Domain Admins can never see a user's login, they can only change it. So Domain Admins can reset a password to something known and do any testing, checks etc. But the user is safe in the knowledge that their uber secret password (which they may have used elsewhere) is still secret.
It's a nice model for websites and the like, but I can see how configuring an ADSL modem/router gets in the way of that, so perhaps 2 passwords would be more sensible. One system generated for the ADSL modem (which most likely won't change too much once the user has settled in), and one for the portal/email/forums, which are where most of the sensitive info is.
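The temporary-password swap described in Spider's and phil4's posts, sketched as an added example that is not part of the thread and not Plusnet's code. The `Account` class, the staff id and the sample password are hypothetical; the store keeps only salted PBKDF2 digests, so support staff can run a test with a generated credential without ever seeing the customer's own.

```python
import hashlib, hmac, secrets

def _record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2 digest); the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Hypothetical account record: no method returns the customer's password."""

    def __init__(self, customer_password: str):
        self._customer = _record(customer_password)  # restored after a test
        self._active = self._customer                # credential accepted now
        self.audit: list[tuple[str, str]] = []       # (staff_id, action)

    def verify(self, password: str) -> bool:
        salt, digest = self._active
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)

    def begin_test(self, staff_id: str) -> str:
        if self._active is not self._customer:
            raise RuntimeError("a test is already in progress")
        temp = secrets.token_urlsafe(16)   # fresh random value for every test
        self._active = _record(temp)
        self.audit.append((staff_id, "begin_test"))
        return temp

    def end_test(self, staff_id: str) -> None:
        self._active = self._customer      # temp credential stops working here
        self.audit.append((staff_id, "end_test"))

def demo() -> dict:
    acct = Account("constructed-customer-pw")        # constructed sample value
    temp = acct.begin_test("staff-42")               # constructed staff id
    during = (acct.verify(temp), acct.verify("constructed-customer-pw"))
    acct.end_test("staff-42")
    after = (acct.verify(temp), acct.verify("constructed-customer-pw"))
    return {"during": during, "after": after, "audit": acct.audit}

if __name__ == "__main__":
    print(demo())
```

While a test is open the customer's own password is rejected, which matches the assumption in the thread that the customer and staff cannot be logged in at the same time.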
James
Grafter
Posts: 21,036
Thanks: 5
Registered: ‎04-04-2007

Re: Passwords and learning from others mistakes

Totally understand any concerns raised here.
It is absolutely imperative for CSC analysts to have access to customers' passwords.  This is not merely for DPA, but the number of queries we get regarding customers not being able to log into their mailboxes, portal and connection is always going to be one of the largest reasons for inbound contacts.  As such, it is vital that they are able to see the passwords in order to troubleshoot.
We have had to take a compromise of these only being viewable on a separate page, allowing an audit trail, as opposed to hashing the password detail.
Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

In other words, the customer uses the wrong password or mistypes it. Plusnet checks the customer's records and advises them of the correct password to use.
puddy
Grafter
Posts: 1,571
Registered: ‎10-06-2007

Re: Passwords and learning from others mistakes

Quote from: Spider
I am working on the assumption that Plusnet and the customer can't log in at the same time.
One possibility. For each customer account there are two passwords, the customer's own and an auto-generated one. When the staff member needs to test the connection they log in to the main system and switch the password from the customer's to the auto-generated one. They then use this temp password to carry out the tests. Once completed they switch the password back to the original. The customer has not had to reveal their password and the temp one is no longer any use because it would be superseded at the next test.

My alarm company (ADT) use this. I think it's the way to go.
Are Plusnet staff security vetted before they are given a job?
Puddy
J_i_m
Grafter
Posts: 54
Registered: ‎01-08-2007

Re: Passwords and learning from others mistakes

Is there any reason that you don't want PN staff to know your password?
I assume that they have full access to your account information anyway, otherwise billing would be impossible.
orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Passwords and learning from others mistakes

Quote
Are Plusnet staff security vetted before they are given a job?

No, but we do all sign a non-disclosure agreement as part of our contracts meaning that release of any information would lead to legal proceedings.
Not applicable

Re: Passwords and learning from others mistakes

Seems like a storm in a teacup to me!
PN staff with the correct privileges can see whatever details are stored by them anyway.
Your password is for just one purpose:
Identifying you to PlusNet
Nothing more or less.
When you connect to your ADSL it tells them who you are and who to record the usage against.
When you log into the portal it identifies you as the account holder.
When you call up, it performs the same task.
I don't see that there is a problem with them being able to see your password, other than that they *could* pretend to be you.
They all get free BB anyhow, and they can't see anything more by seeing your password than they would if they couldn't see your password, so what advantage would they gain by logging in as you?