I just contacted support about a house move and the support call handler requested two letters from my password as a security confirmation. Absolutely nobody at Plusnet should be able to see any characters from my password, because it should be stored as a salted one-way cryptographic hash. Here's how the conversation went. OP: It's just a security question ME: But you shouldn't know my password. OP: It's only for your account security. ME: but many people use the same passwords for different things. OP: but how would I know that? ME: You don't need to know it you can just try it OP: How would I try it? ME: You have my e-mail address, my name, my phone number, my actual address, a user name and my bank account details. OP: yes but we can't use that. Everything we do here is monitored. ME: but you could store that information in, say your brain and try it out later? OP: er..well yes ME: Is there anything else you can use as a security question? and apparently there was... So I did some searching online and found a worrying article from The Register http://www.theregister.co.uk/2015/11/25/plusnet_still_delivering_passwords_plaintext/ and several blog posts including some unsatisfactory responses from plusnet. I am thinking of making a complaint to the ICO regarding improper storage of personal information, but as part of that process you need to try and contact the organisation concerned. This left me going around the support site in circles, there now seems to be no way to submit a support ticket? I don't want to hang about on the phone, but if I did there is no way that conversation would get me to the right person to ask about the technicalities of secure database storage. So several things.... 1) Never use your plusnet password for anything else (this is good practice anyway) 2) Don't give them letters from your password - they have other questions they can ask 3) How do I submit a support ticket these days? Jan BSc (hons) Soft. Eng.