Multi factor authentication on Plusnet

dgf
Dabbler
Posts: 15
Fixes: 1
Registered: ‎06-11-2025

Multi factor authentication on Plusnet

Dear Plusnet Support,
I’m writing to request that Plusnet consider implementing multi-factor authentication (MFA) for customer accounts, particularly for the Member Centre and Webmail services.
Given the increasing risks of password-only logins—including phishing, credential stuffing, and unauthorized access—MFA has become a standard security feature across most major service providers. Adding support for authenticator apps, SMS codes, or passkeys would significantly improve account protection and customer confidence.
As a new Plusnet customer, I value your service and would appreciate any updates on whether MFA is being considered or planned. If it’s already in development, I’d be grateful for any timeline or beta access information.
Thank you for your time and commitment to customer security.
Kind regards,

15 REPLIES
dgf
Dabbler
Posts: 15
Fixes: 1
Registered: ‎06-11-2025

Re: Multi factor authentication on Plusnet

Further to my post, I am particularly concerned that Plusnet keep a copy of all account holders' passwords online and ask for access to it to confirm identity when you speak on the phone. This seems totally counterintuitive regarding security and it means that passwords are there to be hacked on Plusnet servers.

Regards

jab1
The Full Monty
Posts: 22,709
Thanks: 7,932
Fixes: 334
Registered: ‎24-02-2012

Re: Multi factor authentication on Plusnet

As a new customer, are you aware of any instances where Plusnet have suffered any of the issues you mention?

John
dgf
Dabbler
Posts: 15
Fixes: 1
Registered: ‎06-11-2025

Re: Multi factor authentication on Plusnet

Hi

No, as a new customer I was very surprised to find that Plusnet agents ask you to verify part of your password. This means that Plusnet hold password records of all their account holders. 

MFA is required by law in UK financial institutions.

The Information Commissioner’s Office (ICO) has warned that failure to implement MFA—especially for external access—could lead to fines if it results in a preventable data breach.

Furthermore the ICO considers MFA a “mature and expected” security control for protecting personal data.

Regards

jab1
The Full Monty
Posts: 22,709
Thanks: 7,932
Fixes: 334
Registered: ‎24-02-2012

Re: Multi factor authentication on Plusnet

I have been here since 2012 and have never known ACCOUNT passwords to have been compromised. I don't know, obviously, how the requested elements of a password are presented to the agents, but I doubt they are presented in full. Plusnet, or any organisation, must hold the passwords somewhere, or how else do they get verified when you log in?

Plusnet is not a financial institution - it is an Internet Services Provider.

John
dgf
Dabbler
Posts: 15
Fixes: 1
Registered: ‎06-11-2025

Re: Multi factor authentication on Plusnet

Hi again,

2FA is also available via many online providers. MFA is increasing as it is more secure. I would suggest that doubters should look at National Cyber Security website, GCHQ and Information Commissioner's Office for qualified advice. I was so surprised regarding the password issue with Plusnet that I investigated these expert sites myself and realised that breaches are becoming more of an issue and the costs are massive - both in loss of personal information, compromising of other website information and massive fines to companies who have created a preventable data breach. Personal information loss seems to be the basis of some ransomware attacks.

Regards

Ali_A
Plusnet Help Team
Posts: 13
Thanks: 14
Fixes: 1
Registered: ‎11-12-2024

Re: Multi factor authentication on Plusnet

Hi @dgf 

Great to hear you have joined us at Plusnet. 

We take security extremely seriously and take all steps necessary to ensure customers' data and passwords are kept secure. Plusnet use several methods of encryption on all customer passwords. This uses complex algorithms to scramble and de-scramble your passwords.

You can find out more about the passwords at Username and password security guide | Help | Plusnet 

Learn how to stay safe online in 2025 and protect yourself from hackers, scams, and more with our helpful guide and expert tips. 

Ali 

dvorak
Moderator
Posts: 30,241
Thanks: 6,874
Fixes: 1,491
Registered: ‎11-01-2008

Re: Multi factor authentication on Plusnet


Moderators Note


This topic has been moved from Broadband to Plusnet Feedback

Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Niloc
Hooked
Posts: 6
Thanks: 1
Registered: ‎26-10-2020

Re: Multi factor authentication on Plusnet

"Hashing and encryption can keep sensitive data safe, but in almost all circumstances, passwords should be hashed, NOT encrypted.

Because hashing is a one-way function (i.e., it is impossible to "decrypt" a hash and obtain the original plaintext value), it is the most appropriate approach for password validation. Even if an attacker obtains the hashed password, they cannot use it to log in as the victim.

Since encryption is a two-way function, attackers can retrieve the original plaintext from the encrypted data. It can be used to store data such as a user's address since this data is displayed in plaintext on the user's profile. Hashing their address would result in a garbled mess."

Advice from the Open Worldwide Application Security Project (OWASP).

So even using complex algorithms to scramble and de-scramble your passwords is not ideal.

jab1
The Full Monty
Posts: 22,709
Thanks: 7,932
Fixes: 334
Registered: ‎24-02-2012

Re: Multi factor authentication on Plusnet

@Niloc Note that the linked article is 'archived', so may not reflect current practice.

John
Protech
Pro
Posts: 272
Thanks: 160
Fixes: 7
Registered: ‎26-09-2017

Re: Multi factor authentication on Plusnet


@Ali_A wrote:

Hi @dgf 

Great to hear you have joined us at Plusnet. 

We take security extremely seriously and take all steps necessary to ensure customers' data and passwords are kept secure. Plusnet use several methods of encryption on all customer passwords. This uses complex algorithms to scramble and de-scramble your password


@Niloc

The ability for Customer services to see your partial password confirms that Plusnet are not using one-way hashing for account passwords. How this would pass any security audit in 2025 should certainly be raising concerns imho.

FWIW I was implementing systems with one-way salted hashes for user passwords over 25 years ago!

 

You can check out but you can never leave ( easily)
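
The distinction drawn in the OWASP quote and in the reply above, as an added example that is not code from any poster or from Plusnet: a salted one-way record can only confirm a whole candidate password, while a reversibly stored record lets any key holder read individual characters. The function names, the scrypt parameters and the SHA-256 keystream standing in for a real cipher are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this sketch; passwords below are constructed.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow derivation of a password digest."""
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=32)


def enroll_hashed(password: str) -> dict:
    """Record kept when hashing: salt and digest, nothing reversible."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": derive(password, salt)}


def verify_hashed(record: dict, candidate: str) -> bool:
    """Login check: re-derive from the candidate, compare in constant time."""
    return hmac.compare_digest(record["digest"],
                               derive(candidate, record["salt"]))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a real cipher (stdlib has none): SHA-256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def enroll_reversible(password: str, key: bytes) -> dict:
    """Record kept when encrypting: recoverable by anyone holding the key."""
    nonce, data = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return {"nonce": nonce, "ciphertext": ct}


def characters_at(record: dict, key: bytes, positions: list) -> str:
    """What a partial-password prompt needs: plaintext characters by position."""
    ct = record["ciphertext"]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, record["nonce"], len(ct))))
    return "".join(pt.decode()[i - 1] for i in positions)
```

With the hashed record there is no equivalent of `characters_at`: the only question the server can answer is whether a complete candidate matches.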
Townman
Superuser
Posts: 28,031
Thanks: 12,510
Fixes: 235
Registered: ‎22-08-2007

Re: Multi factor authentication on Plusnet

Forcing 2FA would preclude many users from accessing their services...

  • Not everyone has a mobile phone
  • Not everyone who does, has adequate coverage where they would need it

In context this is a technical capability looking for a problem ... which does not exist

Much of this security fear is nonsense. If one fears the compromise of userID / password and thinks 2FA is the answer ... what happens when your credentials have been compromised AND your phone has been stolen (or cloned) ... what then 3FA?

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

dgf
Dabbler
Posts: 15
Fixes: 1
Registered: ‎06-11-2025

Re: Multi factor authentication on Plusnet

Hi,

2FA does not require a mobile phone. It also has the option of emails! It is widely used for all online banking.

Multi Factor Authentication (MFA), which is the subject of this post, is the most recent form of security, not 3FA.

Regards

jab1
The Full Monty
Posts: 22,709
Thanks: 7,932
Fixes: 334
Registered: ‎24-02-2012

Re: Multi factor authentication on Plusnet

All yours, @Townman - my head hurts.

EDIT: Plusnet is an ISP, not a bank, @dgf

John
Townman
Superuser
Posts: 28,031
Thanks: 12,510
Fixes: 235
Registered: ‎22-08-2007

Re: Multi factor authentication on Plusnet

Three-factor authentication (3FA) is a security process that requires users to provide three different types of proof to verify their identity, combining elements of what they know, what they have, and what they are. It provides a higher level of security than two-factor authentication by using three distinct factors, such as a password, a mobile device, and a fingerprint, to prevent unauthorized access even if two factors are compromised. 

Think that’s what I said…

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.