
Secure Password Storage

FreneticMonk
Hooked
Posts: 5
Registered: ‎26-12-2017

Secure Password Storage

I've just spoken to a very friendly person in customer services (great on that front) who asked for two characters of my password. I was a little taken aback since what company does that in 2017?

 

Does anyone know how they verify these characters? Presumably they're not held in plaintext since with GDPR coming up they'd be getting a rather hefty fine very soon. I've found one third party blog post which suggests how you could create a secure partial password verification process here, but with another human doing the verifying over an insecure phone line there's an obvious flaw to the implementation.

37 REPLIES 37
jab1
Legend
Posts: 16,815
Thanks: 5,339
Fixes: 248
Registered: ‎24-02-2012

Re: Secure Password Storage

My energy provider asks for verification info over the phone, at least one other ISP I know does. I do not know, so could be wrong here and I know PN won't confirm or deny (for obvious reasons), but I would imagine the advisor is only presented with the characters they ask you to provide, and not the full data.

John
FreneticMonk
Hooked
Posts: 5
Registered: ‎26-12-2017

Re: Secure Password Storage

I would expect PN to verify my identity, but I don't expect them to ask me to compromise my online account password in the process. Most companies are happy to confirm that they store all passwords as a salted hash, as should be standard, so if PN decline to comment we can only assume the worst case scenario.

 

I don't have so much of a problem with customer services seeing part of the password (although this is an issue), but if the data is stored in either plain text or with a reversible encryption method then any data breach would result in more information being exposed than necessary.

ScottStorey
Pro
Posts: 410
Thanks: 130
Fixes: 1
Registered: ‎21-02-2013

Re: Secure Password Storage

It's not hashed. It can't be; if it was, CS wouldn't have any characters.

It's either encrypted and reversible or just plain text.
FreneticMonk
Hooked
Posts: 5
Registered: ‎26-12-2017

Re: Secure Password Storage

Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.

So everyone is fine with this? Are levels of apathy regarding our personal information really this high?
Alex
Community Veteran
Posts: 5,500
Thanks: 921
Fixes: 13
Registered: ‎05-04-2007

Re: Secure Password Storage

The only way I can see it is:

  1. The passwords are encrypted with something like MD5 - which can be reverse engineered.
  2. Plain text. I'm not being sarcastic but I had an on-line company about 10 years ago that had their plain password table hacked and then we were told to change our passwords. Worst case scenario.
  3. The 2 letters are stored in a separate table or field linking to the primary key of the password table. A way I would implement it is to have a trigger to update those fields when the main password field (from the other table) would change. Before encryption has been performed. Produce the two letters then encrypt the whole password into main password table. Then any letter check would have to come from those two fields not the encrypted password table. If you decide to change password via the Portal, then the update coming from there would update the letter check field.

It could be even better than that: when a new password trigger is activated, get the length of the new one, select two random characters and update the checksum database.

Can't really have more than two though I guess, or you can argue it has your whole unencrypted password. Shocked
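
Alex's third option, with the two characters held separately from the hashed password, can be sketched in code. The following is an added example written for this thread, not Plusnet's system and not code from any of the posts; `PasswordStore`, `_commit_char` and `SERVER_KEY` are all assumptions. It keeps the login password only as a salted PBKDF2 hash and stores the phone-check characters as keyed commitments chosen at password-change time, so the agent's screen shows which positions to ask for and a pass/fail result, never the characters themselves. The caveat in the comments is the point Alex hints at: a committed single character has only about 95 possible values, so the partial table is only as safe as the key, which therefore belongs in an HSM/KMS rather than in the same database.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo key. In a real deployment this lives in an HSM/KMS, never
# in the password database: a stored character has only ~95 possibilities, so
# a commitment to it is only as strong as the secrecy of this key.
SERVER_KEY = b"demo-only-server-key-not-for-production"
PARTIAL_POSITIONS = 2        # characters an agent may ever be asked to check
PBKDF2_ITERATIONS = 200_000


def _commit_char(user_id: str, salt: bytes, position: int, char: str) -> str:
    """Keyed commitment to a single character at a 0-based position (hypothetical scheme)."""
    msg = salt + f"{user_id}|{position}|{char}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class PasswordStore:
    """Two records per user: a salted PBKDF2 hash for web login, and a small
    table of keyed commitments to randomly chosen positions for phone checks."""

    def __init__(self) -> None:
        self.full = {}      # user_id -> (salt, pbkdf2 digest)
        self.partial = {}   # user_id -> (salt, {0-based position: commitment})

    def set_password(self, user_id: str, password: str) -> None:
        if len(password) < PARTIAL_POSITIONS:
            raise ValueError("password too short for partial verification")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.full[user_id] = (salt, digest)
        # Fresh random positions every time the password changes, chosen while
        # the plaintext is still in hand (the "trigger" in Alex's description).
        positions = secrets.SystemRandom().sample(range(len(password)), PARTIAL_POSITIONS)
        psalt = os.urandom(16)
        self.partial[user_id] = (
            psalt,
            {p: _commit_char(user_id, psalt, p, password[p]) for p in sorted(positions)},
        )

    def verify_login(self, user_id: str, password: str) -> bool:
        """Web login: recompute the salted hash and compare in constant time."""
        record = self.full.get(user_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def challenge_positions(self, user_id: str) -> list:
        """The only thing the agent's screen shows: which 1-based positions to ask for."""
        return [p + 1 for p in self.partial[user_id][1]]

    def verify_partial(self, user_id: str, answers: dict) -> bool:
        """answers maps 1-based position -> character the caller gave.
        The agent receives a pass/fail result, never the expected characters."""
        psalt, commits = self.partial[user_id]
        if set(answers) != {p + 1 for p in commits}:
            return False
        ok = True
        for p, commitment in commits.items():
            given = _commit_char(user_id, psalt, p, answers[p + 1])
            ok &= hmac.compare_digest(given, commitment)
        return ok
```

Usage is `store.set_password(user, pw)` on every password change, `store.challenge_positions(user)` to populate the agent's screen, and `store.verify_partial(user, {pos: char, ...})` to check what the caller reads out; the web login path uses `verify_login` and never touches the partial table.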

jab1
Legend
Posts: 16,815
Thanks: 5,339
Fixes: 248
Registered: ‎24-02-2012

Re: Secure Password Storage


@FreneticMonk wrote:
Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.

So everyone is fine with this? Are levels of apathy regarding our personal information really this high?

I'm happy - so far as I'm aware, PN have only had their password storage hacked once - before I became a member - and at that time, I am given to understand, had some really bright people on board, so I'm guessing there was some effective action taken.

Just think yourself lucky you're not with TalkTalk, they leak like a colander.

John
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Secure Password Storage

jab1
Legend
Posts: 16,815
Thanks: 5,339
Fixes: 248
Registered: ‎24-02-2012

Re: Secure Password Storage

Thanks for the correction, @Oldjim - as I said, it was before my time here, and I wasn't aware of the full details. So it wasn't anything really worrying.

John
Alex
Community Veteran
Posts: 5,500
Thanks: 921
Fixes: 13
Registered: ‎05-04-2007

Re: Secure Password Storage


jab1 wrote: 

Just think yourself lucky you're not with TalkTalk, they leak like a colander.


I know @jab1, it is always concerning (to PlusNet I mean) whether PlusNet will be subject to an attack, being quite a high profile place.

I've worked for companies who you wouldn't know of, who were worried about the same thing.

You still get high profile companies hacked. Happened before, and will happen again.

P.S. On a lighter note, this thread does remind me of the Harry Enfield sketch "You don't want to do it like that, you want to do it like this!".

Let's be honest, how many people on here have bumped into people like that. I mean staff and non-staff too. Tongue

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Secure Password Storage

MD5 is not an encryption algorithm, it's a hash function.

This issue has been raised a few times before.

The problem probably originates from using the same password to access your account on the Plusnet website and for the PPP connection the router makes. Both ends of the PPP connection need to know the plaintext of the password.

So before you start considering better ways to store the password, you need to have different passwords for the account and for the PPP connection.
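
ejs's point that the PPP side needs the plaintext can be seen from CHAP (RFC 1994), where both ends compute MD5 over the identifier, the secret and the challenge. The following is an added example for this thread, not Plusnet code and not code from any post; `account_records`, `verify_portal` and `run_session` are constructed for illustration, and the PPP secret is kept as-is in the constructed record where a real system would encrypt it at rest with a key held outside the database. It shows why a CHAP secret cannot be stored as a one-way hash, and why the portal password, which can and should be hashed, therefore needs to be a different value.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000


def chap_challenge():
    """Authenticator side: an identifier byte plus a random challenge value (RFC 1994)."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Both ends compute MD5(Identifier || Secret || Challenge).
    Neither end can do this from a hash of the secret; the plaintext is required."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_server_verify(identifier: int, stored_secret: str, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def account_records(ppp_secret: str, portal_password: str) -> dict:
    """Constructed account record: the PPP secret stays recoverable (encrypt at rest in
    practice), the portal password exists only as a salted PBKDF2 hash."""
    if ppp_secret == portal_password:
        raise ValueError("PPP secret and portal password must differ")
    salt = os.urandom(16)
    return {
        "ppp_secret": ppp_secret,
        "portal_salt": salt,
        "portal_hash": hashlib.pbkdf2_hmac("sha256", portal_password.encode(), salt, PBKDF2_ITERATIONS),
    }


def verify_portal(record: dict, password: str) -> bool:
    """Website login: one-way check against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["portal_salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["portal_hash"])


def run_session(record: dict, client_secret: str) -> bool:
    """One CHAP exchange: router (client) answers the ISP's (server's) challenge."""
    ident, chal = chap_challenge()              # server -> client
    resp = chap_response(ident, client_secret, chal)   # client -> server
    return chap_server_verify(ident, record["ppp_secret"], chal, resp)
```

Because `chap_server_verify` has to call `chap_response` with the stored secret, anyone who can read the PPP secret table can read every customer's connection secret; the only mitigation is to make sure that value opens nothing else, which is exactly the separation ejs describes.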

malky3200
Dabbler
Posts: 17
Thanks: 2
Registered: ‎04-05-2018

Re: Secure Password Storage

I called plusnet on this issue back in mid March 2018 (not for the first time).
I did get an answer.  The answer was IMHO the worst case, namely the password in the DB is stored as cleartext.
If you google "GCHQ plusnet password" or simply read this register article you will see why I was not surprised.


1- Of course I immediately changed my password.
2- I asked plusnet "When will you be encrypting the passwords ?"
     answer: "April the 17th 2018"
3- On the 19th of April I called back and asked if the passwords were encrypted or not.  After getting past the inevitable irrelevance of "we can only see 2 characters", the answer was "don't know", then on further investigation I was told that they had implemented the encryption of all account passwords on April the 17th 2018.
This does verify what I was told a month before.  Therefore my guess is they have encrypted passwords, although clearly they can be reverse engineered, as they still ask for the 2 characters.
4- I changed my password once more.

If your password has not been changed since the 17th of April 2018 then in theory you are still vulnerable.  Since no one of course knows if your password was read and captured before the 17th.
So if you are going to play it safe and change the plusnet password then be sure to also change on any email client that may be using the account password by default.  And if you have a non-plusnet router you will need to change the plus net account password there also (not to be confused with the router password)

So on a day where twitter have done the right thing still there is no mention or even a hint of plus net customers being recommended to change their passwords.  I have asked plus net this twice and they appear to have no plans to inform their customers.  Looks like plus net are doing the "Hope Approach".

Alex
Community Veteran
Posts: 5,500
Thanks: 921
Fixes: 13
Registered: ‎05-04-2007

Re: Secure Password Storage

The best course of action in my opinion is to use a separate password for each account you have. With so many on-line accounts requiring passwords it can be a nightmare I know.

You have no control (not just talking about PlusNet - any company) on how they store it and how secure their platform is.

So if your PlusNet password were to be hacked, that is it. Only any use there and not elsewhere.

I keep an Excel sheet of my passwords for each company I use.

malky3200
Dabbler
Posts: 17
Thanks: 2
Registered: ‎04-05-2018

Re: Secure Password Storage

You'd be better using an encrypted password safe program.
An Excel spreadsheet is hardly secure.
Plus a password safe/encryption program is very good indeed at generating strong passwords.
In addition they are easier to use, as such programs have functions that help with the process in ways that Excel cannot.

 

JonoH
Hero
Posts: 4,346
Thanks: 1,596
Fixes: 157
Registered: ‎29-09-2011

Re: Secure Password Storage


@malky3200 wrote:

I called plusnet on this issue back in mid March 2018 (not for the first time).
I did get an answer.  The answer was IMHO the worst case, namely the password in the DB is stored as cleartext.
If you google "GCHQ plusnet password" or simply read this register article you will see why I was not surprised.

I'm sorry that you were misinformed by one of our agents. Whilst we generally, for security purposes, won't comment on our security methods, I'm happy to debunk this myth. I'll be really clear but won't, for reasons previously stated, comment further.

 

We go to great lengths to ensure we protect and secure our customer data. Passwords are, and always have been, encrypted in our database.

We take the protection of our customers’ data extremely seriously and have a number of robust and resilient measures in place, which we constantly test and review.

 

 Jono H
 Plusnet Community Manager