Use of Strong passwords on PlusNet


{Edited ...}
Something happened to the poll associated with this thread, so I've created one here.
{end edit}

I've lodged a ticket (20481757) on this subject, which was prompted by a discussion about SPAM email (here, if you're interested).

The crux of the matter is: Since most of our Login IDs can be readily determined from our email addresses or by doing a DNS lookup on our IP addresses, the only thing stopping someone hacking into our accounts is how good the password is.

I make the following observations:

1) The account password currently only needs to be 5 characters long - I'd suggest that 8 characters should be the bare minimum, 12 being preferable.

2) When I originally created my account, I seem to recall that I wanted to use a 10-character password, but was limited to 8 characters. I don't know if this is still the case, or if you can change to a longer password once your account is up and running.

3) The account password is restricted to lower case plus numerals, i.e. 36 symbols. I believe that strong passwords are only possible if upper case is also allowed (i.e. 62 symbols), and preferably also some of the "special" characters (_, +, $, #, <).

4) POP mailbox passwords also seem to be limited to a maximum of 8 characters.

5) There is no encouragement to change passwords on a regular basis.

I realise that PN need to make things easy for less technically minded users, and complex passwords will inevitably lead to more password reset requests to CSC, but it is also inevitable that if someone's account is hacked because they used a weak password then PN will be blamed "because they allowed it to happen".

So what do the users feel about PlusNet password policies?
23 REPLIES

Use of Strong passwords on PlusNet

I agree with this; letters and numbers make a strong password. If anything, an increase to 12 characters would be good.

"Special" characters would only create more problems and force people to make basic passwords out of concern about forgetting them or typing them in wrong all the time.
channel
Grafter
Posts: 697
Registered: 03-09-2007

Use of Strong passwords on PlusNet

There have been a number of campaigns about this in the past, but none of them have been met by a positive response from PlusNet. I seem to remember that Mark (pscni) was among the more vocal members of the last campaign. Maybe he is now in a position to champion this from the other side of the fence and, at last, get some results.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Use of Strong passwords on PlusNet

As stated above, this is a very old subject that crops up frequently. The difficulties in doing such a change relate to the number of different systems that have to be changed to cater for better passwords.

So far PN have deemed this uneconomic to do when asked previously, so don't hold your breath for a positive answer.

Edited to add: I do agree the password system that PN use is well short of being acceptable today and should be improved.

Use of Strong passwords on PlusNet

A strong password is one that needs to be written down in order to remember it, isn't it?

Use of Strong passwords on PlusNet

Not necessarily. Yes, the strongest passwords are an essentially random set of characters, but you can put a bit of "structure" in without weakening them excessively.

I work in an environment where strong passwords are enforced rigorously (including special characters), must be changed at least every two months, no dictionary words, and you can't re-use an old password for two years. There are over 1500 users and I've never heard of anyone having to write down a password, although our help desk does have to handle a few password reset calls every week.

I recognise the potential problems. I'm not advocating that strong passwords are enforced, just that they're made possible for those who feel they need them.

I use 14+ character strong passwords for any on-line banking accounts, eBay, PayPal, etc. and even just logging on to my home PC needs a 10 character password.

"I'm not paranoid. They really are out to get me." Seriously, the internet is full of dodgy characters (my wife's eBay account has been hacked twice in the last year) and an 8-symbol password doesn't cut the mustard today.

The current PN password limits allow ~2.8 billion passwords: Including upper case would lift this to over 20 million million and an increase to 12 characters gives something like 3 thousand million million million.

Use of Strong passwords on PlusNet

Final update on the ticket (I say final, 'coz it doesn't look like it's going any further):

Quote
If you have raised this in the forums then should our comms team see an overwhelming response and request for action on the topic they will raise the issue with the relevant teams in order to discuss any possible change.


So unless users make a lot of noise here, we'll be stuck with (in my opinion) a naff password system.
Quester
Grafter
Posts: 40
Registered: 06-04-2007

Use of Strong passwords on PlusNet

Well, you can add my decibels to your noise level.
I would also like to see something done about this, because the current password system isn't secure enough in my mind.
It only takes a few extra characters to increase your password strength significantly.

Use of Strong passwords on PlusNet

It is worse than you think: the login pages are not even secure, so your password is sent in plain text.

I don't see what the problem is, you write a module that is called to verify the password by various systems.

The module can encrypt the password so that the password is not stored in plain text.

By the way, you would be surprised how far cracking programs like John the Ripper have come. They have dictionaries and can use meta characters as well.

Password length is very important, but most importantly you need to lock out the account in the event of failed attempts. Does it even do that?

Another loophole is the fact that you have the same name for portal and mail unless you create mailboxes which can have their own.

If you make security too tight people will write it down, but most of the access to these facilities is via stored passwords in the mail client or in Explorer/Firefox, so once set, it should not be a problem.

In my work, on one system we have the least technical users you can imagine; we force them to use at least one capital letter, 12 characters and one meta character. Our helpdesk deals with calls daily for resets, but they get used to it.

It is not that hard to make up a password that can be secure but delay a hacker enough to make them look for easier prey.

I teach users to use two words that are completely unrelated like fusion and yogurt and to combine these with capitals and meta characters e.g. Fusion#yogurt54Z. Adding humour can help make it memorable like Silly*Blair06Q.

Thus far it seems that Plusnet are saying that this has been raised, discussed and rejected before.

So don't expect anything to be done - as usual.
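The post above asks whether the login is locked out after failed attempts. As an added illustration of that point (not PlusNet code, and not a description of how PlusNet's systems actually behave), here is a per-account lockout that refuses further guesses once a small number of failures land inside a sliding window, together with the arithmetic showing what that does to an online brute-force attempt against the existing 36-symbol, 8-character space. The thresholds, the account name and the password are assumptions chosen for the demonstration.

```python
"""Per-account failed-login lockout (added example, not PlusNet's code).

Policy constants below are assumptions for the demonstration.
"""
import hmac
import math
from collections import deque
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failures tolerated inside WINDOW_SECS (assumption)
WINDOW_SECS = 15 * 60   # sliding window over which failures are counted
LOCKOUT_SECS = 30 * 60  # how long the account refuses all attempts once locked

LOWER_DIGIT_8 = 36 ** 8  # the 36-symbol, 8-character space discussed in the thread


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginThrottle:
    """Verifies a password and enforces the lockout policy above."""

    def __init__(self, credentials):
        # username -> password. Plaintext only to keep the demo short;
        # a real store holds salted hashes, never the password itself.
        self._creds = credentials
        self._state = {}

    def attempt(self, user, password, now):
        """Return 'ok', 'fail' or 'locked' for one login attempt at time `now`."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"          # refused without even checking the password
        while st.failures and now - st.failures[0] > WINDOW_SECS:
            st.failures.popleft()    # forget failures that fell out of the window
        stored = self._creds.get(user, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECS
            st.failures.clear()
            return "locked"
        return "fail"


def max_guesses_per_day():
    """Upper bound on password guesses an attacker can have evaluated per day
    under this policy: MAX_FAILURES guesses, then wait out the lockout, repeat."""
    return MAX_FAILURES * (24 * 60 * 60 // LOCKOUT_SECS)


def years_to_exhaust(keyspace, guesses_per_day):
    """Years needed to try every password in `keyspace` at `guesses_per_day`."""
    return keyspace / guesses_per_day / 365


def simulate_attack(guesses, interval=1.0):
    """Constructed scenario: an attacker fires `guesses` wrong passwords at the
    account 'victim', one every `interval` seconds. Returns the list of outcomes."""
    throttle = LoginThrottle({"victim": "h3llo"})  # constructed credential
    return [throttle.attempt("victim", f"guess{i}", i * interval)
            for i in range(guesses)]


if __name__ == "__main__":
    outcomes = simulate_attack(20)
    print("attacker outcomes:", outcomes)
    print("guesses actually evaluated:", outcomes.count("fail") + 1)
    per_day = max_guesses_per_day()
    print(f"max guesses/day under lockout: {per_day}")
    print(f"years to exhaust 36^8 online: {years_to_exhaust(LOWER_DIGIT_8, per_day):.2e}")
    print(f"log2(36^8) = {math.log2(LOWER_DIGIT_8):.1f} bits")
```

Two caveats a practitioner would want alongside this: a pure per-account lockout lets anyone who knows a login ID (which, as the opening post notes, is derivable from the email address) lock the legitimate user out at will, so real deployments usually combine it with per-source throttling and a CAPTCHA or back-off rather than a hard lock; and the lockout only bounds online guessing, so it does nothing for an attacker who has obtained the password store and is running John the Ripper offline, where only the password's own strength matters.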

Use of Strong passwords on PlusNet

Why do you need strong passwords?

What is the actual security risk that you are concerned about?

Use of Strong passwords on PlusNet

Let's see now...Hmmmm

Email (Confidential)
Control of my account
Downloading (I am on PAYG)
Ability to upgrade my service and cost me money
Publishing of webpages (e.g. for terrorist or other illegal activities).
etc etc

I could go on but I think you know and are being obtuse.

Use of Strong passwords on PlusNet

From your list the only one that's valid is the control of your account. And this can be limited by PN by only allowing changes from PN issued IP addresses.

The others are not valid.
Emails should not be used for confidential material and this has been stated on other threads. Also the username and passwords can be different from the account.

Downloading BB PAYG: you can only log on to BB from your own telephone number. Therefore no hacking from another place can happen and affect your usage.

Publishing websites, if hacked and illegal material is displayed then PN has a legal duty to stop this.
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Use of Strong passwords on PlusNet

PlusNet should support and encourage the use of strong passwords, and use login systems that are designed to prevent dictionary and brute force attacks.

But I would stop short of saying that they should force strong passwords, and force the users to change them regularly.

Personally I think all of ibc01's examples are valid. I accept that e-mail should not be used for confidential information, or at least not without encryption. But with weak passwords it would be easy to perform a denial of service attack on an e-mail account, and delete all stored e-mail.

Chilly

Use of Strong passwords on PlusNet

Quote
It is worse than you think: the login pages are not even secure, so your password is sent in plain text.

I don't see what the problem is, you write a module that is called to verify the password by various systems.


I hadn't twigged that the portal login was on a plain http: page. I don't think this was always the case? I seem to remember you had to navigate to a login page at one time?

I'm with @ibc01 on the "common login" module - or is PlusNet claiming that they can't do this easily because they've got badly structured code that is difficult to support and modify?

Quote
From your list the only one that's valid is the control of your account. And this can be limited by PN by only allowing changes from PN issued IP addresses.
...
Downloading BB PAYG: you can only log on to BB from your own telephone number. Therefore no hacking from another place can happen and affect your usage.


...and FTP or telnet access to your webspace, the backup 56k dial-up account...

I had a website systematically destroyed by a hacker who got into the hosting service (not on PlusNet) through a weak security system such as PlusNet still have. Several other users were attacked that same night. In that case the hosting company very rapidly reviewed their systems and a new, more robust system was in place within days.

As for only allowing account changes from PN IPs, I'd suggest that'd actually be more difficult than just allowing more secure passwords. I haven't thought through the coding issues, but I'm guessing that it would mean separating the account management part of the portal and applying secondary security checks. Besides, if you (or rather someone else) log in to your account via the dial-up account (which uses the same login ID and password) then your perceived extra security falls flat on its face, since the fraudulent user will have a valid PN IP.

I agree that sensitive email is best not held on the PN servers, but even an email address could be considered "sensitive". I have a website that has interactive content, and can store email addresses volunteered by visitors so that the website can notify them of changes, etc. I consider that I have a "duty of care" to look after those email addresses, and if all that is standing between them and a hacker is a weak password, then I don't think it's good enough. PN should have a similar duty of care to their subscribers, who after all are keeping them in business.

Quote
But I would stop short of saying that they should force strong password, and the users to change them regularly.


So would I. I'd just like strong passwords to be possible, and maybe a "health warning" on the account admin pages to suggest that regular password changes might be a good thing.

{Edited to add...} eBay has a natty feature these days when you create a password: As you type it in, a little bar appears, the length of which indicates the strength of your password. I've played around with it and it obviously does things like dictionary checks, etc., but the main point is that it's really useful having something that shows you if you've got a weak password.

Ian.
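Ian's post above asks for a strength indicator like eBay's, and an earlier post in the thread works out the size of the 36-symbol and 62-symbol password spaces. The following is an added example, written for this thread and not eBay's or PlusNet's code, that does both: it computes the keyspace for the policies under discussion, and it rates a candidate password two ways, once from the character classes it uses (what a naive meter shows) and once after splitting it into dictionary words, so that a two-word construction like the "Fusion#yogurt54Z" suggested earlier is credited for its words rather than for sixteen random characters. The embedded wordlist, the assumed 100,000-word attacker dictionary and the rating thresholds are assumptions for the demonstration.

```python
"""Password keyspace and strength estimation (added example, not eBay's or PlusNet's code)."""
import math
import string

# Constructed mini wordlist: only decides what counts as a dictionary word here.
WORDLIST = {
    "fusion", "yogurt", "silly", "blair", "password", "plusnet", "letmein",
    "monkey", "dragon", "welcome", "summer", "football", "qwerty", "shadow",
}
# Cost model: a dictionary word is assumed to be one pick from a 100,000-word
# attacker list (assumption), however small the demo WORDLIST is.
DICT_SIZE_ASSUMED = 100_000
MIN_WORD_LEN = 3
THRESHOLDS = ((28, "weak"), (40, "fair"), (60, "good"))  # bits -> label (assumption)


def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def compare_policies():
    """Keyspace and equivalent bits for the policies discussed in the thread."""
    policies = [("lower+digits, 8 chars", 36, 8),
                ("mixed case+digits, 8 chars", 62, 8),
                ("mixed case+digits, 12 chars", 62, 12)]
    return [(name, keyspace(a, n), n * math.log2(a)) for name, a, n in policies]


def charset_size(pw):
    """Alphabet size implied by the character classes present in `pw`."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def charset_bits(pw):
    """Naive estimate: every character is a uniform pick from the charset."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def _char_bits(c):
    if c.isalpha():
        return math.log2(26)
    if c.isdigit():
        return math.log2(10)
    return math.log2(len(string.punctuation))


def dictionary_bits(pw, words=WORDLIST):
    """Greedy longest-match tokenisation: each dictionary word costs
    log2(DICT_SIZE_ASSUMED) (+1 bit if capitalised); other characters cost
    log2 of their own class size. Returns (bits, tokens)."""
    max_len = max(map(len, words))
    bits, tokens, i = 0.0, [], 0
    while i < len(pw):
        match = None
        for length in range(min(max_len, len(pw) - i), MIN_WORD_LEN - 1, -1):
            seg = pw[i:i + length]
            if seg.lower() in words:
                match = seg
                break
        if match:
            bits += math.log2(DICT_SIZE_ASSUMED) + (1 if match != match.lower() else 0)
            tokens.append(match)
            i += len(match)
        else:
            bits += _char_bits(pw[i])
            tokens.append(pw[i])
            i += 1
    return bits, tokens


def estimate_bits(pw):
    """Conservative strength: the lower of the two estimates."""
    return min(charset_bits(pw), dictionary_bits(pw)[0])


def rating(bits):
    for limit, label in THRESHOLDS:
        if bits < limit:
            return label
    return "strong"


if __name__ == "__main__":
    for name, count, bits in compare_policies():
        print(f"{name:30s} {count:>25,d}  ({bits:5.1f} bits)")
    for candidate in ("abc12", "fusion", "Fusion#yogurt54Z"):  # constructed samples
        naive, (aware, tokens) = charset_bits(candidate), dictionary_bits(candidate)
        print(f"{candidate!r}: charset {naive:.1f} bits, dictionary-aware {aware:.1f} bits "
              f"{tokens} -> {rating(estimate_bits(candidate))}")
```

The two estimates diverge most for exactly the kind of password the thread recommends: "Fusion#yogurt54Z" scores over 100 bits by character class but roughly half that once the two words are costed as dictionary picks, which is still far better than anything the current 36-symbol, 8-character limit allows. A meter on the account page should report the lower figure; showing the naive one is how users end up believing a capitalised word plus a digit is strong.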

Use of Strong passwords on PlusNet

Quote
Let's see now...Hmmmm

Email (Confidential)
Control of my account
Downloading (I am on PAYG)
Ability to upgrade my service and cost me money
Publishing of webpages (e.g. for terrorist or other illegal activities).
etc etc

I could go on but I think you know and are being obtuse.


I'd hate to get into the argument of 'dubious' content being sent using your cracked account. No, email is not secure, but having your account misused can still damage your reputation/credibility, and an email account is something you should protect. The current situation is stupidly easy to crack; we have already given away one half of the security by our username matching our domain and forum username. I don't understand what systems Plus have that wouldn't cope with longer passwords; if it's just internal scripts and programs they have written without security in mind then there's no excuse.