cancel
Showing results for 
Search instead for 
Did you mean: 

Order Processing.

leonaplusnet
Newbie
Posts: 7
Registered: ‎11-01-2016

Order Processing.

Not sure where I can post this, but I have noticed an error on the order tracing page,
On the Broadband part is states
Quote
Your order is due to complete
The engineer appointment to install your broadband service is booked for %appointmentDate% between %appointmentStartTime% and %appointmentFinishTime%.

So a  little quality control would be of use here.
I'm also concerned about parts of passwords being printed in letters, see my other post, does this mean PlusNet are storing plain text passwords, (ie not encrypted)
5 REPLIES 5
HarryB
Plusnet Help Team
Plusnet Help Team
Posts: 5,199
Thanks: 1,454
Fixes: 256
Registered: ‎25-03-2015

Re: Order Processing.

This is the right place for this post.
Thanks for the feedback, I'll get that flagged up tomorrow when I'm back in work.
In regards to the passwords, no we do not store these as plain text.
If this post resolved your issue please click the 'This fixed my problem' button
 Harry Beesley
 Plusnet
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Order Processing.

But the passwords are stored so that the plain text of the password can be retrieved. This issue must have been raised numerous times over the years. Changing it would require having one password for the member centre, and another password for the PPP authentication the router does when it connects to Plusnet. The password for the PPP auth would need to be retrievable.
leonaplusnet
Newbie
Posts: 7
Registered: ‎11-01-2016

Re: Order Processing.

Thank you HarryB, look forward to the results of your investigation.
Indeed EJS, the password for our online account should NOT be the same as for our Broadband access, as this password can be 'sniffed' or otherwise recovered and then used to log into our on-line accounts, this is surly a very high security risk, with the attach on TalkTalk very recently, (my previous supplier, thankfully my data wasn't stolen) my anxiety level is Very high, I am a software developer with experience in the area of security and I can see that there is a security hole here that needs to be closed before another school kid decides to take advantage of it
While you might not store them as plain text, they are being decrypted, this shouldn't be possible, they should be hashed and salted, then a comparison performed to compare patterns, they should not be retrievable and most certainly not printed in letters!
Our online account have our bank, home and personal details, this would allow anyone who comprised your system to use this data illegally, I surely don't have to highlight how much damaging this would be, maybe over reacting but, as I said I've been bitten before by poorly secured systems, I don't want to be a victim of another, I need reassurance, backed up with evidence that your systems are secure, ie, do you run penetration tests, security checks, monitoring, etc?
Townman
Superuser
Superuser
Posts: 24,018
Thanks: 10,200
Fixes: 175
Registered: ‎22-08-2007

Re: Order Processing.

Quote from: ejs
The password for the PPP auth would need to be retrievable.

I think it would be practical to store the password encrypted as a one way hash and the on PPP authentication one uses the same encryption on the supplied password and compares it to the stored hash. If they match the supplied password is deemed to be correct.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Order Processing.

Someone might think that, if they don't know how it works.
https://tools.ietf.org/html/rfc1994
Quote
[tt]2.1.  Advantages
...
  This authentication method depends upon a "secret" known only to the
  authenticator and that peer.  The secret is not sent over the link.
...
2.2.  Disadvantages
  CHAP requires that the secret be available in plaintext form.
  Irreversably encrypted password databases commonly available cannot
  be used.[/tt]

The other end does not receive a supplied password during the PPP authentication.