Why does Plusnet store my account password in plain text?
Why does Plusnet store my account password in plain text?
28-08-2012 5:53 PM
- in plain text
- in a form easily converted to plain text
How is it that a company as large as Plusnet could use such horribly insecure practices? Any hacker or malicious employee could use my database record to get debit card details, and all accompanying personal information, with relative ease. Their defence was that Plusnet has 'very good firewalls'... colour me unimpressed. For one, any firewall can be broken, and secondly external attack is only one method by which someone could get the data.
How about plusnet joins the rest of the civilised world and starts storing password hashes?
Re: Why does Plusnet store my account password in plain text?
28-08-2012 8:12 PM
This topic is one that gets raised and discussed from time to time, for example here. To quote from a reply in that thread:
Quote from: Matt The passwords are stored in the database in a hashed format, but are viewable by our support agents for a number of reasons, not least of which is in case a user forgets their password. There's a separate link on the account to view the password, which retrieves the hash from the database and decodes as it views. This isn't stored or cached anywhere when viewed so when the page is closed that's it, it needs loading (and decoding) again.
I hope that sets your mind more at ease,
Matt didn't say so in that reply but full password accesses are audited.
In an ideal world fault investigations would never be needed, users would never enter the wrong information or require help setting things up but Plusnet have to do the best they can in the real world.
David
Re: Why does Plusnet store my account password in plain text?
28-08-2012 10:14 PM
Sorry, but that isn't possible. Hashes are a one way encryption system, you cannot view them by any means. I suspect he means that the passwords are encrypted. However, if the database is compromised, any encryption on passwords is a minor, one off hurdle. Encrypted passwords are no better than plain text for all intents and purposes.
Quote from: spraxyt
Quote from: Matt The passwords are stored in the database in a hashed format, but are viewable by our support agents for a number of reasons, not least of which is in case a user forgets their password.
If users have forgotten their passwords, then they should have the ability to reset them. If telephone reps need to confirm people's identities, they can ask for any number of identifying details, or pose a security question like most banks do. There is no reason for anyone other than me to know my password.
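As an added illustration of the two points in the post above (a one-way hash cannot be "viewed" by anyone, and a forgotten password is handled by a reset rather than a lookup), here is a minimal account store. It is not code from this thread or from Plusnet; it assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the hash, and a single-use, 15-minute reset token that an agent issues after confirming identity by phone.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to the hardware that runs logins).
ITERATIONS = 600_000


def store_password(password: str) -> dict:
    """Build the database record: a random per-user salt plus the derived key.
    Nothing in the record lets anyone (support agent or attacker) recover the
    password; that is the property a reversible 'view password' feature gives up."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def issue_reset_token(record: dict, ttl_seconds: int = 900) -> str:
    """What an agent does after verifying identity over the phone: mint a short-lived,
    single-use token instead of reading the password. Only the token's hash is stored,
    so a copy of the database does not yield usable reset tokens either."""
    token = secrets.token_urlsafe(32)
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": time.time() + ttl_seconds,
    }
    return token


def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Consume the token (one attempt only, even on failure) and set a new password."""
    reset = record.pop("reset", None)
    if reset is None or time.time() > reset["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, reset["token_hash"]):
        return False
    record.update(store_password(new_password))
    return True
```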
Re: Why does Plusnet store my account password in plain text?
29-08-2012 8:50 AM
Whilst in an ideal world we'd store these in a 1-way hash, to change our system (including authentication on the broadband side, email etc) is a very large piece of work. I'm not saying we won't do it or look into doing it but the size of the project to do so would touch nearly every system so wouldn't be a quick thing to change.
Re: Why does Plusnet store my account password in plain text?
29-08-2012 9:03 AM
Re: Why does Plusnet store my account password in plain text?
29-08-2012 9:24 AM
Quote from: c0ld If users have forgotten their passwords, then they should have the ability to reset them.
I'm not sure how you see this happening given that if they have forgotten their password they will have no internet access (I suspect the most frequent is forgetting what they've recently changed it to).
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month) |
Re: Why does Plusnet store my account password in plain text?
29-08-2012 9:43 AM
Another reason PN may require the full password is when you have a broadband fault.
BT broadband engineers or remote testing facilities may need to log on as if it was you when using their diagnostic equipment to locate the problem.
Re: Why does Plusnet store my account password in plain text?
29-08-2012 9:54 AM
Quote from: jelv I'm not sure how you see this happening given that if they have forgotten their password they will have no internet access (I suspect the most frequent is forgetting what they've recently changed it to).
By picking up the phone? Common practice for many organisations, and common sense in the case of an ISP given the potential lack of connectivity as you say.
As Chris at least admits, it's not perfect and to make it better is considered too difficult. Perhaps if the database is ever compromised, and the incident makes the press as they always do, the term 'very large piece of work' will suddenly take on a whole new meaning.
Looking on the bright side, it could be worse - Tesco.com for example also store your password unhashed and, to make matters even worse, if you forget it they send it to you by e-mail in plain text! One can only assume it's a very large piece of work to do it properly. The ICO are however currently investigating but presumably as they've okay'd Plusnet's implementation of non-use of salted hashes they'll only comment on the e-mail aspect?
Mathew
Re: Why does Plusnet store my account password in plain text?
29-08-2012 9:58 AM
Quote and to make it better is considered too difficult
Not sure where I've said that?
Re: Why does Plusnet store my account password in plain text?
29-08-2012 10:07 AM
Quote Whilst in an ideal world we'd store these in a 1-way hash, to change our system (including authentication on the broadband side, email etc) is a very large piece of work. I'm not saying we won't do it or look into doing it but the size of the project to do so would touch nearly every system so wouldn't be a quick thing to change.
...and the fact that this issue has been known about since at least 2010.
If the delta between what you've got and what you desire has taken at least two years and still no change then surely that means it is too difficult?
Or perhaps I have misunderstood?
Mathew
Re: Why does Plusnet store my account password in plain text?
29-08-2012 10:17 AM
Re: Why does Plusnet store my account password in plain text?
29-08-2012 10:26 AM
Perhaps I shouldn't have paraphrased as we are now discussing something other than the pertinent issue i.e. that Plusnet store passwords in a reversible format and thus not in line with considered best practice.
Mathew
Re: Why does Plusnet store my account password in plain text?
29-08-2012 4:52 PM
Quote from: Chris The passwords are encrypted and access to view them is logged and audited.
You must realise that it is merely your DBMS that does the logging, and if your database were compromised, it would be irrelevant. It is the equivalent of relying on your Windows password to protect your data after your hard drive has been stolen.
Plusnet's attitude on this appears to be that since it would be too costly and difficult to change, they'll just carry on putting all of their customers' bank details at risk.
Re: Why does Plusnet store my account password in plain text?
29-08-2012 4:55 PM
Quote Plusnet's attitude on this appears to be that since it would be too costly and difficult to change,
As above, that's not what I've said, I was simply advising that it's not a trivial thing to change and we need to consider a lot of different areas if we were to do this.
Re: Why does Plusnet store my account password in plain text?
29-08-2012 4:57 PM
Quote from: x47c
Another reason PN may require the full password is when you have a broadband fault.
BT broadband engineers or remote testing facilities may need to log on as if it was you when using their diagnostic equipment to locate the problem.
The password for my router, or for an engineer to connect to Plusnet, should not be the same as the password used to protect my bank and personal details. The only people that need access to those details should have account permissions issued to them so they can access it with their own password.