Plusnet stores my account password in the clear!
22-08-2010 9:42 AM
I couldn't recall the password to my Plusnet account, and so called customer service. I expected to be issued a new temporary password, which I would have changed on the subsequent login. But I was shocked to hear the agent repeat my original password.
Is it savvy for an organisation that deals with a significant amount of personally identifiable and financial information to be storing customer account passwords in the clear instead of being hashed? I am sure you have put measures in place to protect those passwords, but all it takes is a data breach or a rogue staff member to out the passwords, which, as I'm sure you know, a lot of people use across multiple sites.
I would be quite interested to hear Plusnet's view on this...
Re: Plusnet stores my account password in the clear!
22-08-2010 9:58 AM
Welcome to the forum.
That is most unusual; they do ask for, say, the first and eighth letter, as indeed my bank does when you ask them a question.
Re: Plusnet stores my account password in the clear!
22-08-2010 10:38 AM
Thanks Pierre,
The customer service agent did start off by asking a question like the one you mentioned, but as I told her that I could not recall my password, she verified other account information (which was prudent). But then she started to spell out my full password, which was unexpected. Besides, I can't think of a cryptographic scheme that would allow for password verification by just knowing two letters and their position in a password, unless you had the entire password in the clear for comparison, which, in my opinion, is poor security practice.
Re: Plusnet stores my account password in the clear!
23-08-2010 10:59 AM
The passwords are stored in the database in a hashed format, but are viewable by our support agents for a number of reasons, not least of which is in case a user forgets their password. There's a separate link on the account to view the password, which retrieves the hash from the database and decodes as it views. This isn't stored or cached anywhere when viewed so when the page is closed that's it, it needs loading (and decoding) again.
I hope that sets your mind more at ease,
Re: Plusnet stores my account password in the clear!
23-08-2010 11:07 AM
You should've added the auditable records too!
Re: Plusnet stores my account password in the clear!
23-08-2010 11:28 AM
Thank you for the reply Matt,
I guess you mean the passwords are stored in an 'encrypted' format in the database (as opposed to 'hashed') as a hashed value cannot be de-hashed to retrieve the original value (http://en.wikipedia.org/wiki/Cryptographic_hash_function). I am a bit perplexed as to why an encrypted password needs to be stored in the first place, when the security practice since the days of UNIX mainframes has been to store a salted hash (http://en.wikipedia.org/wiki/Salted_hash) which is then compared to a hash of the password entered by the user on login.
What are some of the "number of reasons" to view a customer's password by your support agents? If a user forgets a password, wouldn't issuing the user with a short temporary password (usually valid for a certain time period), which the user then changes upon subsequent login be safer?
I am happy to hear that the passwords are not stored in clear text in your database, but it still doesn't set my mind at ease that it can be retrieved, albeit by someone who is authorised to do so. I don't mean to lecture, but this is a bad security practice.
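The scheme the poster above is describing, as an added worked example (this is not Plusnet's code and says nothing about how their system actually works): a salted, iterated hash is stored instead of the password, login re-derives the hash from the candidate password and compares it, and a forgotten password is handled by issuing a short-lived, single-use temporary password whose own hash is all the server keeps. PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever slow hash you would actually pick; the iteration count, salt length, 15-minute lifetime and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed parameters for this example; tune the work factor for your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Only this record is stored. The password itself is never written anywhere,
    so nobody (support agent, DBA, attacker with a database dump) can read it back.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the candidate password plus the stored salt and
    compare in constant time. The record cannot be 'decoded' back to the password."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class ResetStore:
    """Forgotten-password flow: issue a temporary password that is shown to the
    user once, expires after `ttl_seconds`, is single-use, and forces the user
    to choose a new password on redemption. Only its hash is retained."""

    def __init__(self, ttl_seconds: int = 900, now: Callable[[], float] = time.time,
                 iterations: int = PBKDF2_ITERATIONS) -> None:
        self._entries: Dict[str, Tuple[str, float]] = {}  # username -> (record, expires_at)
        self._ttl = ttl_seconds
        self._now = now  # injectable clock, so expiry can be tested deterministically
        self._iterations = iterations

    def issue(self, username: str) -> str:
        temp = secrets.token_urlsafe(12)  # read out to the caller once; never stored in clear
        self._entries[username] = (hash_password(temp, iterations=self._iterations),
                                   self._now() + self._ttl)
        return temp

    def redeem(self, username: str, temp_password: str, new_password: str,
               users: Dict[str, str]) -> bool:
        """Accept the temporary password exactly once, before expiry, and replace the
        user's stored record with the hash of the password they chose themselves."""
        entry = self._entries.get(username)
        if entry is None:
            return False
        record, expires_at = entry
        if self._now() > expires_at:
            del self._entries[username]  # expired: discard it
            return False
        if not verify_password(temp_password, record):
            return False
        del self._entries[username]  # single-use
        users[username] = hash_password(new_password, iterations=self._iterations)
        return True


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery")}  # constructed sample account
    print("login ok:", verify_password("correct horse battery", users["alice"]))
    store = ResetStore()
    temp = store.issue("alice")  # this is what the agent would read out, not the old password
    print("reset ok:", store.redeem("alice", temp, "new passphrase", users))
    print("old password still works:", verify_password("correct horse battery", users["alice"]))
```

Note what the agent in this design can and cannot do: they can trigger `issue` and read the temporary value to the caller, but `hash_password` has no inverse, so the customer's chosen password is never visible to anyone, and the temporary one stops working after one use or fifteen minutes.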
Re: Plusnet stores my account password in the clear!
23-08-2010 11:38 AM
Every access to the passwords is recorded.
Also, there may be situations where the password is required (e.g. a dial-test, or to access various functions 'as the user' for diagnostic purposes). In this case, setting up a new password just for PN to perform troubleshooting would mean the next time the user tried to connect, they would be unable to (as the password had changed), leading to further CSC calls.
B.
Re: Plusnet stores my account password in the clear!
23-08-2010 11:56 AM
Thanks Barry,
I appreciate Plusnet's willingness to discuss such matters openly. I can only imagine how solid practices are at organisations that aren't so forthcoming. I am happy to hear that there are at least some measures in place to prevent unauthorised use of the information.
I still believe that there are ways to architect a system to prevent anyone other than the specific user from having knowledge of a password. But hey, we don't have to agree on everything. I appreciate the open discourse.