cancel
Showing results for 
Search instead for 
Did you mean: 

Password security

rmcg
Hooked
Posts: 8
Thanks: 4
Registered: 02-03-2017

Password security

I know this has been discussed to death around here as any search will show you but I can't find any conclusive responses as to why PN are still storing passwords in plaintext, or whether there is any plan to change this?

Does anyone know?

Or does anyone know if ALL our info is stored unencrypted?

I just had a call from PN to ask how I was enjoying the service so far and as part of the call they required me to confirm two characters from my password.

I was very surprised that the service rep had access to view my password and asked why this was the case. I told her that I would have expected passwords to be stored in a hashed and salted manner, and therefore there should be no way for her to confirm any password characters. She said that all PN reps could see the plain text passwords Sad

I suggested that this was pretty insecure and mentioned a couple of the well known telecoms data leaks. But it's okay she said... "we all have to log in with our own usernames and passwords before we can see yours, therefore it is very secure".

Really not feeling too confident in PN's security model. Are my bank account, personal details and credit card details also stored in plain text for any reps to view, and to be sucked up through a potential data leakage eventHuh?

I know this is a community forum but I also know that PN reps have a look now and again. Perhaps someone from PN could chime in and let us know what the thinking behind storing plain text passwords is?

5 REPLIES
Community Veteran
Posts: 5,169
Thanks: 478
Fixes: 20
Registered: 10-06-2010

Re: Password security

The plain text of the password is required for the PPP CHAP authentication used when your router connects to Plusnet. So to improve security, you would need to have different passwords for the account and for the PPP authentication. Or alternatively, as some ISPs do, just have everyone use a common PPP username and password.

Storing a hash of your personal details, would, obviously, not be very useful. The info will be stored encrypted, but yes, staff can decrypt and view it.

Community Gaffer
Community Gaffer
Posts: 2,057
Thanks: 3,440
Fixes: 63
Registered: 29-09-2011

Re: Password security

Whilst we cannot for obvious reasons discuss the security measures that we employ. I can confirm that we do not store any passwords or payment details in plain text.

We go to great lengths to protect customer data and continually review processes to ensure all information is secure.

 

This we're prepared to say on the matter. I hope you understand.

 

 Jono H
 Plusnet Community Manager
rmcg
Hooked
Posts: 8
Thanks: 4
Registered: 02-03-2017

Re: Password security

Thanks for the responses. 

Thanks JonoH. While the passwords may not actually be stored in plaintext, they are certainly not stored 'securely'. Passwords should really be stored hashed and salted - in which case the encryption would not be reversable. Given it is reversible (as the service reps can see it) it would be relatively trivial for an attacker to reverse them should a data leak occur. 

In fact, a more likely scenario is misuse by staff. Despite auditing and logging access it would be next to impossible to catch someone on staff if they decided to try to use the my email address and password to log into other services (e.g. amazon, gmail, etc) once they get home. And a very substantial number of account holders will reuse their passwords across services. Of course this wouldn't have the impact of a bulk breach/leak.

Thanks ejs, I had actually noticed that the account password was also used for the PPP connection in the router which I hadn't seen at previous ISPs, where a generic password had been used in each case. I understand the rationale behind using the same password but I still can't condone the practice - the passwords could be different and then the account password won't need to be stored in such an easily accessible way.

I imagine though that the technology stack sitting behind the PM services is now so large and complex that changing the password mechanisms would be impractical.

Other than this I'm very happy with PN's service, especially on the technical support side. The customer reps I've spoken to have been very knowledgeable which is unusual for first line ISP support staff. I was recommending PN to friends but given I'm in the infosec community and most of my friends are too, I'm not sure I'm comfortable recommending any longer.

 

Edit: Left out a word which completely changed the meaning in the first sentence! Oops.

bhysha
Newbie
Posts: 1
Thanks: 3
Registered: 16-03-2017

Re: Password security

I just wanted to add that I left Plusnet because of this issue. Storing passwords with two way encryption is ultimately almost as bad as storing them in plain text, and audits would do nothing whatsoever to prevent an admin from memorising a password and using it later on other services.

 

Any grad level software developer would know to hash and salt passwords, and the fact that a major ISP is not doing this, and hasn't resolved this in over 5 years since it was first pointed out, is a HUGE problem. You're ISO 27001 certified. That means you've considered the implications of this terrible design decision and nevertheless made no attempt to fix it. To me, that's a serious failing in information security. I am sure as hell not trusting a company like that with my data.

rmcg
Hooked
Posts: 8
Thanks: 4
Registered: 02-03-2017

Re: Password security

Thanks.

Which ISP did you end up going with? 

 

Plusnet is excellent for everything else so I'm reluctant to leave unless I can find another ISP with similar service levels including knowledgeable tech support. I like being able to call up and (usually) talk to someone who actually knows what they are talking about and can help troubleshoot without talking to me as if I don't know anything.