cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet stores my account password in the clear!

gregorian21
Newbie
Posts: 5
Registered: 22-08-2010

Plusnet stores my account password in the clear!

I couldn't recall the password to my Plusnet account, and so called customer service. I expected to be issued a new temporary password, which I would have changed on the subsequent login. But I was shocked to hear the agent repeat my original password.
Is it savvy for an organisation that deals with a significant amount of personally identifiable and financial information to be storing customer account passwords in the clear instead of being hashed? I am sure you have put in measures in place to protect those passwords, but all it takes is data breach or rogue staff member to out the passwords, which as I'm sure you know a lot of people use across multiple sites.
I would be quite interested to hear Plusnet's view on this...
7 REPLIES
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Plusnet stores my account password in the clear!

welcome to the forum
That is most unusual, the do ask for say the first and eighth letter, as indeed my bank do when you ask them a question
gregorian21
Newbie
Posts: 5
Registered: 22-08-2010

Re: Plusnet stores my account password in the clear!

Thanks Pierre,
The customer service agent did start off with asking a question like the one you mentioned, but as I told her that I could not recall my password, she verified other account information (which was prudent). But then started to spell out my full password, which was unexpected. Besides, I can't think of a cryptographic scheme that would allow for password verification by just knowing two letters and their position in a password, unless you had the entire password in the clear for comparison, which in my opinion, is poor security practice.
Plusnet Alumni (retired) orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: 18-07-2007

Re: Plusnet stores my account password in the clear!

The passwords are stored in the database in a hashed format, but are viewable by our support agents for a number of reasons, not least of which is in case a user forgets their password. There's a separate link on the account to view the password, which retrieves the hash from the database and decodes as it views. This isn't stored or cached anywhere when viewed so when the page is closed that's it, it needs loading (and decoding) again.
I hope that sets your mind more at ease,
Lurker
Grafter
Posts: 1,867
Registered: 23-10-2008

Re: Plusnet stores my account password in the clear!

You should've added the auditable records too!
gregorian21
Newbie
Posts: 5
Registered: 22-08-2010

Re: Plusnet stores my account password in the clear!

Thank you for the reply Matt,
I guess you mean the passwords are stored in an 'encrypted' format in the database (as opposed to 'hashed') as a hashed value cannot be de-hashed to retrieve the original value (http://en.wikipedia.org/wiki/Cryptographic_hash_function). I am a bit perplexed as to why an encrypted password needs to be stored in the first place, when the security practice since the days of UNIX mainframes has been to store a salted hash (http://en.wikipedia.org/wiki/Salted_hash)  which is then compared to a hash of the password entered by the user on login.
What are some of the "number of reasons" to view a customer's password by your support agents? If a user forgets a password, wouldn't issuing the user with a short temporary password (usually valid for a certain time period), which the user then changes upon subsequent login be safer?
I am happy to hear that the passwords are not stored in clear text in your database, but it still doesn't set my mind at ease that it can be retrieved, albeit by someone who is authorised to do so. I don't mean to lecture, but this is a bad security practice.
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Plusnet stores my account password in the clear!

Every access to the passwords is recorded.
Also, there may be situations where the password is required,  (eg a dial-test or to access various functions 'as the user'  for diagnostics purposes).  In this case, setting up a new password just for PN to perform troubleshooting would mean the next time the user tried to connect, they would be unable to (as the password had changed) leading to further CSC calls.
B.
gregorian21
Newbie
Posts: 5
Registered: 22-08-2010

Re: Plusnet stores my account password in the clear!

Thanks Barry,
I appreciate Plusnet's willingness to discuss such matters openly. I can only imagine how solid practices are at organisations that aren't so forthcoming. I am happy to hear that there are at least some measures in place to prevent unauthorised use of the information.
I still believe that there are ways to architect a system to prevent anyone other than the specific user from having knowledge of a password. But hey, we don't have to agree on everything. I appreciate the open discourse.