Why does Plusnet store my account password in plain text?

c0ld
Dabbler
Posts: 12
Registered: 28-08-2012

Why does Plusnet store my account password in plain text?

After a discussion with some of your telephone reps, it turned out that they have full access to my account password in plain text. That means that either your database stores my password
  • in plain text
  • in a form easily converted to plain text
How is it that a company as large as Plusnet could use such horribly insecure practices? Any hacker or malicious employee could use my database record to get debit card details, and all accompanying personal information, with relative ease. Their defence was that Plusnet has 'very good firewalls'... colour me unimpressed. For one, any firewall can be broken, and secondly external attack is only one method by which someone could get the data.
How about plusnet joins the rest of the civilised world and starts storing password hashes?
23 REPLIES
Superuser
Posts: 9,773
Thanks: 1,151
Fixes: 63
Registered: 06-04-2007

Re: Why does Plusnet store my account password in plain text?

Welcome to the forums.
This topic is one that gets raised and discussed from time to time, for example here. To quote from a reply in that thread:
Quote from: Matt
The passwords are stored in the database in a hashed format, but are viewable by our support agents for a number of reasons, not least of which is in case a user forgets their password. There's a separate link on the account to view the password, which retrieves the hash from the database and decodes as it views. This isn't stored or cached anywhere when viewed so when the page is closed that's it, it needs loading (and decoding) again.
I hope that sets your mind more at ease,

Matt didn't say so in that reply but full password accesses are audited.
In an ideal world fault investigations would never be needed, users would never enter the wrong information or require help setting things up but Plusnet have to do the best they can in the real world.
David
c0ld
Dabbler
Posts: 12
Registered: 28-08-2012

Re: Why does Plusnet store my account password in plain text?

Quote from: spraxyt

Quote from: Matt
The passwords are stored in the database in a hashed format, but are viewable by our support agents for a number of reasons, not least of which is in case a user forgets their password.

Sorry, but that isn't possible. Hashes are a one-way encryption system; you cannot view them by any means. I suspect he means that the passwords are encrypted. However, if the database is compromised, any encryption on passwords is a minor, one-off hurdle. Encrypted passwords are no better than plain text for all intents and purposes.
If users have forgotten their passwords, then they should have the ability to reset them. If telephone reps need to confirm people's identities, they can ask for any number of identifying details, or pose a security question like most banks do. There is no reason for anyone other than me to know my password.
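As an added illustration (not code from this thread, from Plusnet, or from any poster), here is the one-way storage c0ld is arguing for: a salted, iterated hash that a support agent can verify against a password the customer types but can never "decode", plus a hashed one-time reset token for the forgotten-password case. The iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example; tune the work factor to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Store 'algo$iterations$salt$digest'. A fresh random salt per user means two
    customers with the same password get different records, and nothing in the
    record can be turned back into the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """The only operation a hashed record supports: recompute and compare.
    This is what a support tool could expose instead of a 'view password' link."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
    except ValueError:  # malformed record or non-hex fields
        return False
    # Constant-time compare so the check leaks nothing about partial matches.
    return hmac.compare_digest(actual, expected)


def issue_reset_token() -> tuple[str, str]:
    """Forgotten password: send the customer a one-time token (by SMS or post if
    they have no connectivity) and keep only its hash, so a leaked database
    cannot be used to redeem it."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()


def redeem_reset_token(token: str, stored_hash: str) -> bool:
    """Accept the token once, then the caller replaces the password record."""
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, stored_hash)
```

Note that nowhere in this flow does anyone, agent or engineer, ever see the customer's password; the agent confirms it and the reset path replaces it.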
Community Gaffer
Posts: 17,665
Thanks: 658
Fixes: 162
Registered: 05-04-2007

Re: Why does Plusnet store my account password in plain text?

We see this topic crop up from time to time, and it is something we have discussed internally. The passwords are encrypted and access to view them is logged and audited.
Whilst in an ideal world we'd store these in a 1-way hash, to change our system (including authentication on the broadband side, email etc) is a very large piece of work. I'm not saying we won't do it or look into doing it but the size of the project to do so would touch nearly every system so wouldn't be a quick thing to change.
If this post resolved your issue please click the 'This fixed my problem' button
 Chris Parr
 Plusnet Staff
James
Grafter
Posts: 21,036
Registered: 04-04-2007

Re: Why does Plusnet store my account password in plain text?

Just to add on to what Chris has said - We have previously checked this with the ICO who are comfortable with our practices.
Community Veteran
Posts: 26,718
Thanks: 931
Fixes: 10
Registered: 10-04-2007

Re: Why does Plusnet store my account password in plain text?

Quote from: c0ld
If users have forgotten their passwords, then they should have the ability to reset them.

I'm not sure how you see this happening given that if they have forgotten their password they will have no internet access (I suspect the most frequent is forgetting what they've recently changed it to).
jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
x47c
Grafter
Posts: 878
Thanks: 1
Registered: 14-08-2009

Re: Why does Plusnet store my account password in plain text?


Another reason PN may require the full password is when you have a broadband fault.
BT broadband engineers or remote testing facilities may need to log on as if it was you when using their diagnostic equipment to locate the problem.
MJN
Aspiring Pro
Posts: 1,103
Thanks: 54
Fixes: 2
Registered: 26-08-2010

Re: Why does Plusnet store my account password in plain text?

Quote from: jelv
I'm not sure how you see this happening given that if they have forgotten their password they will have no internet access (I suspect the most frequent is forgetting what they've recently changed it to).

By picking up the phone? Common practice for many organisations, and common sense in the case of an ISP given the potential lack of connectivity as you say.
As Chris at least admits, it's not perfect and to make it better is considered too difficult. Perhaps if the database is ever compromised, and the incident makes the press as they always do, the term 'very large piece of work' will suddenly take on a whole new meaning.
Looking on the bright side, it could be worse - Tesco.com for example also store your password unhashed and, to make matters even worse, if you forget it they send it to you by e-mail in plain text! One can only assume it's a very large piece of work to do it properly. The ICO are however currently investigating but presumably as they've okay'd Plusnet's implementation of non-use of salted hashes they'll only comment on the e-mail aspect?
Mathew
Community Gaffer
Posts: 17,665
Thanks: 658
Fixes: 162
Registered: 05-04-2007

Re: Why does Plusnet store my account password in plain text?

Quote
and to make it better is considered too difficult

Not sure where I've said that?
If this post resolved your issue please click the 'This fixed my problem' button
 Chris Parr
 Plusnet Staff
MJN
Aspiring Pro
Posts: 1,103
Thanks: 54
Fixes: 2
Registered: 26-08-2010

Re: Why does Plusnet store my account password in plain text?

It was from this:
Quote
Whilst in an ideal world we'd store these in a 1-way hash, to change our system (including authentication on the broadband side, email etc) is a very large piece of work. I'm not saying we won't do it or look into doing it but the size of the project to do so would touch nearly every system so wouldn't be a quick thing to change.

...and the fact that this issue has been known about since at least 2010.
If the delta between what you've got and what you desire has taken at least two years and still no change then surely that means it is too difficult?
Or perhaps I have misunderstood?
Mathew
Community Veteran
Posts: 26,718
Thanks: 931
Fixes: 10
Registered: 10-04-2007

Re: Why does Plusnet store my account password in plain text?

Can't you see that there is a difference between difficult (i.e. technically challenging) and fairly straightforward but requiring a lot of effort across many systems such that the task will take more effort than the resources available?
jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
MJN
Aspiring Pro
Posts: 1,103
Thanks: 54
Fixes: 2
Registered: 26-08-2010

Re: Why does Plusnet store my account password in plain text?

My definition of 'difficult' in the context of changes to IT systems goes far beyond technical challenges. The true difficulties tend to lie in areas such as justifying the business case, securing funding, managing change, resources etc.
Perhaps I shouldn't have paraphrased as we are now discussing something other than the pertinent issue i.e. that Plusnet store passwords in a reversible format and thus not in line with considered best practice.
Mathew
c0ld
Dabbler
Posts: 12
Registered: 28-08-2012

Re: Why does Plusnet store my account password in plain text?

Quote from: Chris
The passwords are encrypted and access to view them is logged and audited.

You must realise that it is merely your DBMS that does the logging, and if your database were compromised, it would be irrelevant. It is the equivalent of relying on your Windows password to protect your data after your hard drive has been stolen.
Plusnet's attitude on this appears to be that since it would be too costly and difficult to change, they'll just carry on putting all of their customers' bank details at risk.
Community Gaffer
Posts: 17,665
Thanks: 658
Fixes: 162
Registered: 05-04-2007

Re: Why does Plusnet store my account password in plain text?

I'm not sure where bank details come into this? They are *not* stored in the same way as authentication details and when logging in to our website you can't see full details of them (neither can we here).
Quote
Plusnet's attitude on this appears to be that since it would be too costly and difficult to change,

As above, that's not what I've said, I was simply advising that it's not a trivial thing to change and we need to consider a lot of different areas if we were to do this.
If this post resolved your issue please click the 'This fixed my problem' button
 Chris Parr
 Plusnet Staff
c0ld
Dabbler
Posts: 12
Registered: 28-08-2012

Re: Why does Plusnet store my account password in plain text?

Quote from: x47c

Another reason PN may require the full password is when you have a broadband fault.
BT broadband engineers or remote testing facilities may need to log on as if it was you when using their diagnostic equipment to locate the problem.

The password for my router, or for an engineer to connect to Plusnet, should not be the same as the password used to protect my bank and personal details. The only people that need access to those details should have account permissions issued to them so they can access it with their own password.