
Secure Password Storage

FreneticMonk
Hooked
Posts: 5
Registered: 26-12-2017

Secure Password Storage

I've just spoken to a very friendly person in customer services (great on that front) who asked for two characters of my password. I was a little taken aback since what company does that in 2017?


Does anyone know how they verify these characters? Presumably they're not held in plaintext since with GDPR coming up they'd be getting a rather hefty fine very soon. I've found one third party blog post which suggests how you could create a secure partial password verification process here, but with another human doing the verifying over an insecure phone line there's an obvious flaw to the implementation.

10 REPLIES
jab1
Seasoned Pro
Posts: 1,699
Thanks: 331
Fixes: 5
Registered: 24-02-2012

Re: Secure Password Storage

My energy provider asks for verification info over the phone, at least one other ISP I know does. I do not know, so could be wrong here and I know PN won't confirm or deny (for obvious reasons), but I would imagine the advisor is only presented with the characters they ask you to provide, and not the full data.

John
FreneticMonk
Hooked
Posts: 5
Registered: 26-12-2017

Re: Secure Password Storage

I would expect PN to verify my identity, but I don't expect them to ask me to compromise my online account password in the process. Most companies are happy to confirm that they store all passwords as a salted hash, as should be standard, so if PN decline to comment we can only assume the worst case scenario.


I don't have so much of a problem with customer services seeing part of the password (although this is an issue), but if the data is stored in either plain text or with a reversible encryption method then any data breach would result in more information being exposed than necessary.

ScottStorey
Aspiring Pro
Posts: 366
Thanks: 61
Fixes: 1
Registered: 21-02-2013

Re: Secure Password Storage

It's not hashed. It can't be; if it was, CS wouldn't have any characters.

It's either encrypted and reversible, or just plain text.
FreneticMonk
Hooked
Posts: 5
Registered: 26-12-2017

Re: Secure Password Storage

Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.

So everyone is fine with this? Are levels of apathy regarding our personal information really this high?
Community Veteran
Posts: 3,231
Thanks: 244
Fixes: 3
Registered: 05-04-2007

Re: Secure Password Storage

The only way I can see it is:

  1. The passwords are encrypted with something like MD5 - which can be reverse engineered.
  2. Plain text. I'm not being sarcastic, but an on-line company I used about 10 years ago had their plain password table hacked and then we were told to change our passwords. Worst case scenario.
  3. The 2 letters are stored in a separate table or field linking to the primary key of the password table. A way I would implement it is to have a trigger to update those fields when the main password field (from the other table) changes, before encryption has been performed. Produce the two letters, then encrypt the whole password into the main password table. Then any letter check would have to come from those two fields, not the encrypted password table. If you decide to change your password via the Portal, then the update coming from there would update the letter check field.

It could be even better than that: when a new password trigger is activated, get the length of the new one, select two random characters and update the checksum database.

Can't really have more than two though I guess, or you can argue it has your whole unencrypted password.

jab1
Seasoned Pro
Posts: 1,699
Thanks: 331
Fixes: 5
Registered: 24-02-2012

Re: Secure Password Storage


FreneticMonk wrote:
Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.

So everyone is fine with this? Are levels of apathy regarding our personal information really this high?

I'm happy - so far as I'm aware, PN have only had their password storage hacked once - before I became a member - and at that time, I am given to understand, had some really bright people on board, so I'm guessing there was some effective action taken.

Just think yourself lucky you're not with TalkTalk, they leak like a colander.

John
Community Veteran
Posts: 38,434
Thanks: 1,012
Fixes: 60
Registered: 15-06-2007

Re: Secure Password Storage

jab1
Seasoned Pro
Posts: 1,699
Thanks: 331
Fixes: 5
Registered: 24-02-2012

Re: Secure Password Storage

Thanks for the correction, @Oldjim - as I said, it was before my time here, and I wasn't aware of the full details. So it wasn't anything really worrying.

John
Community Veteran
Posts: 3,231
Thanks: 244
Fixes: 3
Registered: 05-04-2007

Re: Secure Password Storage


jab1 wrote: 

Just think yourself lucky you're not with TalkTalk, they leak like a colander.


I know @jab1, it is always concerning (to PlusNet I mean) whether PlusNet will be subject to an attack, being quite a high profile place.

I've worked for companies who you wouldn't know of, who were worried about the same thing.

You still get high profile companies hacked. Happened before, and will happen again.

P.S. On a lighter note, this thread does remind me of the Harry Enfield sketch "You don't want to do it like that, you want to do it like this!".

Let's be honest, how many people on here have bumped into people like that? I mean staff and non-staff too.

Community Veteran
Posts: 4,975
Thanks: 372
Fixes: 16
Registered: 10-06-2010

Re: Secure Password Storage

MD5 is not an encryption algorithm, it's a hash function.

This issue has been raised a few times before.

The problem probably originates from using the same password to access your account on the Plusnet website and for the PPP connection the router makes. Both ends of the PPP connection need to know the plaintext of the password.

So before you start considering better ways to store the password, you need to have different passwords for the account and for the PPP connection.