I have just signed up to Plusnet.
I got a letter today giving my account details.
What worries me is that part of my password is printed in the letter. Passwords should not be retrievable; they should be encoded and salted and used to compare, not decoded and part printed in letters. After TalkTalk's hack this gives me great concern.
Also printed as 'Password Hint', I was never asked for one, nor is there a place to insert one in the control panel, but again instead of the password hint being printed, part of the actual password is.
Thankfully I use a password generator to create my passwords so this password will not be used anywhere else, but I don't expect to see it decoded and printed in a letter!
This is bad practice Plusnet, stop it now!
Re: Security issue
I just logged in to post exactly the same thing. I had a call from PN to ask how I was enjoying the service so far and as part of the call they required me to confirm two characters from my password.
I was very surprised that the service rep had access to view my password and asked why this was the case. I told her that I would have expected passwords to be stored in a hashed and salted manner, and therefore there should be no way for her to confirm any password characters. She said that all PN reps could see the plain text passwords.
I suggested that this was pretty insecure and mentioned a couple of the well-known telecoms data leaks. But it's okay, she said... "we all have to log in with our own usernames and passwords before we can see yours, therefore it is very secure".
Really not feeling too confident in PN's security model. Are my bank account, personal details and credit card details also stored in plain text for any reps to view, and to be sucked up through a potential data leakage event?
I know this is a community forum but I also know that PN reps have a look now and again. Perhaps someone from PN could chime in and let us know what the thinking behind storing plain text passwords is?
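
Added example (not part of the original posts, and not Plusnet's code): a sketch of the salted, hashed storage both posters say they expected, showing why a stored record of that kind gives a support rep or a letter template no individual characters to read back. The function names, the sample passwords and the PBKDF2 iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example, not a provider's setting


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a slow, salted, one-way derivation (32-byte output).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str) -> dict:
    """What gets stored at signup: a random per-user salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Login check: re-derive from the submitted password, compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def hash_bits_changed(password_a: str, password_b: str, salt: bytes) -> int:
    """Differing bits (out of 256) between two passwords' hashes under one salt."""
    a, b = _derive(password_a, salt), _derive(password_b, salt)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    pw = "kV7#qLm2!xRz"    # constructed sample password
    near = "kV7#qLm2!xRy"  # same except for the last character
    rec = create_record(pw)
    print("stored record:", rec)
    print("correct password verifies:", verify(pw, rec))
    print("one character off verifies:", verify(near, rec))
    print("hash bits changed by one character:",
          hash_bits_changed(pw, near, bytes.fromhex(rec["salt"])))
```

The only question such a record can answer is whether a complete submitted password matches, so "confirm two characters" or a printed partial password requires the plain text, or a reversibly encrypted copy, to exist somewhere.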