
Unencrypted passwords!

benoh
Grafter
Posts: 272
Registered: ‎24-08-2007

Unencrypted passwords!

So, while I was on the forum I thought I'd see if I was still getting any referrals, but had forgotten my password.
Click the link, and it shows you your password! WTF!
Why are you storing customer passwords in plaintext!
Ben
4 REPLIES
Community Gaffer
Community Gaffer
Posts: 17,683
Thanks: 666
Fixes: 167
Registered: ‎05-04-2007

Re: Unencrypted passwords!

As far as I'm aware the passwords are *not* stored in plain text, they are encrypted and the link you are sent via email will show you the unencrypted password when clicked.
If this post resolved your issue please click the 'This fixed my problem' button
 Chris Parr
 Plusnet Staff
benoh
Grafter
Posts: 272
Registered: ‎24-08-2007

Re: Unencrypted passwords!

Quote from: Chris
As far as I'm aware the passwords are *not* stored in plain text, they are encrypted and the link you are sent via email will show you the unencrypted password when clicked.

Which would mean the encryption key is available to the webapp, so may as well not be encrypted. Anyone who gets access to the web servers can decrypt all the passwords anyways.
Certainly not best practice, it should be one way encrypted and a forgotten password link should allow a new password to be set.
Ben
Community Gaffer
Community Gaffer
Posts: 17,683
Thanks: 666
Fixes: 167
Registered: ‎05-04-2007

Re: Unencrypted passwords!

Hi Ben,
The one way encryption is something we have thought about and looked into, but due to the way that passwords sync across mail, webspace, adsl etc it's a very very very large piece of work as every password reset would then have the likelihood of a call into the support centre.
If this post resolved your issue please click the 'This fixed my problem' button
 Chris Parr
 Plusnet Staff
Community Veteran
Posts: 26,746
Thanks: 959
Fixes: 10
Registered: ‎10-04-2007

Re: Unencrypted passwords!

A significant problem is that the same password is used for the portal and for the login in your router. Reset the portal password with a forgotten password link and if they try a reconnect without resetting the password in the router they will not be able to connect.
However there is an even worse problem than that. Resetting the portal password will also reset the password on their default mailbox. This means they won't be able to collect the email to find out what the new password is!
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)