Password security

rmcg
Hooked
Posts: 8
Thanks: 4
Registered: 02-03-2017

Password security

I know this has been discussed to death around here as any search will show you but I can't find any conclusive responses as to why PN are still storing passwords in plaintext, or whether there is any plan to change this?

Does anyone know?

Or does anyone know if ALL our info is stored unencrypted?

I just had a call from PN to ask how I was enjoying the service so far and as part of the call they required me to confirm two characters from my password.

I was very surprised that the service rep had access to view my password and asked why this was the case. I told her that I would have expected passwords to be stored in a hashed and salted manner, and therefore there should be no way for her to confirm any password characters. She said that all PN reps could see the plain text passwords.

I suggested that this was pretty insecure and mentioned a couple of the well known telecoms data leaks. But it's okay she said... "we all have to log in with our own usernames and passwords before we can see yours, therefore it is very secure".

Really not feeling too confident in PN's security model. Are my bank account, personal details and credit card details also stored in plain text for any reps to view, and to be sucked up through a potential data leakage event?

I know this is a community forum but I also know that PN reps have a look now and again. Perhaps someone from PN could chime in and let us know what the thinking behind storing plain text passwords is?

5 REPLIES
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Password security

The plain text of the password is required for the PPP CHAP authentication used when your router connects to Plusnet. So to improve security, you would need to have different passwords for the account and for the PPP authentication. Or alternatively, as some ISPs do, just have everyone use a common PPP username and password.

Storing a hash of your personal details, would, obviously, not be very useful. The info will be stored encrypted, but yes, staff can decrypt and view it.

JonoH
Hero
Posts: 4,346
Thanks: 1,596
Fixes: 157
Registered: 29-09-2011

Re: Password security

Whilst we cannot, for obvious reasons, discuss the security measures that we employ, I can confirm that we do not store any passwords or payment details in plain text.

We go to great lengths to protect customer data and continually review processes to ensure all information is secure.

This is all we're prepared to say on the matter. I hope you understand.

Jono H
Plusnet Community Manager
rmcg
Hooked
Posts: 8
Thanks: 4
Registered: 02-03-2017

Re: Password security

Thanks for the responses. 

Thanks JonoH. While the passwords may not actually be stored in plaintext, they are certainly not stored 'securely'. Passwords should really be stored hashed and salted - in which case the encryption would not be reversible. Given it is reversible (as the service reps can see it) it would be relatively trivial for an attacker to reverse them should a data leak occur.

In fact, a more likely scenario is misuse by staff. Despite auditing and logging access it would be next to impossible to catch someone on staff if they decided to try to use my email address and password to log into other services (e.g. amazon, gmail, etc) once they get home. And a very substantial number of account holders will reuse their passwords across services. Of course this wouldn't have the impact of a bulk breach/leak.

Thanks ejs, I had actually noticed that the account password was also used for the PPP connection in the router which I hadn't seen at previous ISPs, where a generic password had been used in each case. I understand the rationale behind using the same password but I still can't condone the practice - the passwords could be different and then the account password won't need to be stored in such an easily accessible way.

I imagine though that the technology stack sitting behind the PN services is now so large and complex that changing the password mechanisms would be impractical.

Other than this I'm very happy with PN's service, especially on the technical support side. The customer reps I've spoken to have been very knowledgeable which is unusual for first line ISP support staff. I was recommending PN to friends but given I'm in the infosec community and most of my friends are too, I'm not sure I'm comfortable recommending any longer.

 

Edit: Left out a word which completely changed the meaning in the first sentence! Oops.

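The two mechanisms argued over above, ejs's point that CHAP verification needs the secret itself and rmcg's point that a salted one-way hash would remove the rep's ability to read it, side by side. This is an added example written for this thread, not code from Plusnet or from any poster; the account name, password, class names and the PBKDF2 work factor are all constructed for illustration and say nothing about how Plusnet's systems are actually built.

```python
import hashlib
import hmac
import os

# CHAP with the MD5 algorithm (RFC 1994): the peer proves it knows the secret
# by returning MD5(Identifier || secret || Challenge). The verifier has to
# recompute that digest, so it needs the secret itself, not a hash of it.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response the client (the customer's router) sends for one challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RecoverableSecretStore:
    """ISP-side store as ejs describes it: the PPP secret can be read back.
    That is what lets a rep confirm two characters over the phone."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def add(self, username: str, secret: bytes) -> None:
        self._secrets[username] = secret

    def verify_chap(self, username: str, identifier: int,
                    challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

    def reveal_chars(self, username: str, positions: list[int]) -> str:
        """The 'confirm characters N and M' check from the thread. Only
        possible because the stored value is the password itself."""
        secret = self._secrets[username].decode()
        return "".join(secret[p] for p in positions)


class SaltedHashStore:
    """The scheme rmcg asks for: a random per-user salt and a slow one-way
    KDF. It can check a typed password, but nothing in it can be turned back
    into the secret, so it can neither answer a CHAP challenge nor reveal
    characters to a rep."""

    ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune per hardware)

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @classmethod
    def _derive(cls, password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, cls.ITERATIONS)

    def add(self, username: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def verify_password(self, username: str, password: bytes) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._derive(password, bytes(16))
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)

    def verify_chap(self, username: str, identifier: int,
                    challenge: bytes, response: bytes) -> bool:
        # Deliberately impossible: the digest needs the secret bytes, and a
        # PBKDF2 output cannot be inverted to recover them.
        raise NotImplementedError("CHAP-MD5 cannot be verified from a salted hash")


def demo() -> dict:
    """Run both stores against one constructed account (not a real login)."""
    username = "customer@example.net"            # constructed
    secret = b"correct horse battery staple"     # constructed
    identifier, challenge = 0x2A, os.urandom(16)
    response = chap_response(identifier, secret, challenge)

    recoverable = RecoverableSecretStore()
    recoverable.add(username, secret)
    hashed = SaltedHashStore()
    hashed.add(username, secret)

    return {
        "chap_ok_with_recoverable_secret":
            recoverable.verify_chap(username, identifier, challenge, response),
        "chap_rejects_wrong_response":
            recoverable.verify_chap(username, identifier, challenge, bytes(16)),
        "rep_can_read_chars_1_and_9":
            recoverable.reveal_chars(username, [0, 8]),
        "login_ok_with_salted_hash": hashed.verify_password(username, secret),
        "login_rejects_wrong_password": hashed.verify_password(username, b"wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the one both posters make from different sides: the same property that lets `RecoverableSecretStore.verify_chap` recompute the CHAP digest is what lets `reveal_chars` hand the password to a rep, while `SaltedHashStore` gives up CHAP entirely in exchange for a store that a leak or an insider cannot turn back into reusable credentials. Splitting the web/account password from the PPP secret, as rmcg suggests, is what lets an operator use the second store for the former and confine the first to the latter.
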
bhysha
Newbie
Posts: 1
Thanks: 3
Registered: 16-03-2017

Re: Password security

I just wanted to add that I left Plusnet because of this issue. Storing passwords with two way encryption is ultimately almost as bad as storing them in plain text, and audits would do nothing whatsoever to prevent an admin from memorising a password and using it later on other services.

 

Any grad level software developer would know to hash and salt passwords, and the fact that a major ISP is not doing this, and hasn't resolved this in over 5 years since it was first pointed out, is a HUGE problem. You're ISO 27001 certified. That means you've considered the implications of this terrible design decision and nevertheless made no attempt to fix it. To me, that's a serious failing in information security. I am sure as hell not trusting a company like that with my data.

rmcg
Hooked
Posts: 8
Thanks: 4
Registered: 02-03-2017

Re: Password security

Thanks.

Which ISP did you end up going with? 

 

Plusnet is excellent for everything else so I'm reluctant to leave unless I can find another ISP with similar service levels including knowledgeable tech support. I like being able to call up and (usually) talk to someone who actually knows what they are talking about and can help troubleshoot without talking to me as if I don't know anything.