Unintended consequences

plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

About a week ago I had to perform a password reset while away from my usual desk and computer (for reasons that are irrelevant here). All went OK and life went on. The following morning, back home, I duly amended my note of the Plusnet web site password accordingly and checked my access to the site and this forum.

This morning, no Internet access. Fifteen minutes later, Plusnet support advised me that my PPP access password was incorrect. After a moment or two, the penny dropped but I was hugely surprised that what I (erroneously) thought was a password change that only applied to Plus's web/mail logins etc. also applied to my PPP login -- something so deeply buried (and rarely touched) within my router/modem system that I had completely forgotten about it.

I now see that the e-mail generated to enable the password reset did contain the words

...Resetting your password will also change the password for your other Plusnet services such as

  • Your broadband connection password...

but that advice too, was rather deeply buried within what appeared, prima facie, to be a routine password reset e-mail message.

So, given that nearly a week separated the password reset and consequent failure of Internet access, I suggest that this consequence of a password reset be given more prominence in the note sent to subscribers following a password reset.

Perhaps a first sentence along the lines of

The change you have just made will affect your Internet connection

would be useful and appropriate to prevent what might be construed as unnecessary telephone support time.

And, if possible, a warning when logging on to the website, that the related PPP password is out of sync and should be urgently changed, would be very handy.

Plaudits, telephone support, for a quick and easy diagnosis.

14 Replies
HarryB
Plusnet Help Team
Posts: 5,199
Thanks: 1,466
Fixes: 256
Registered: 25-03-2015

Re: Unintended consequences

@plutox wrote:

The change you have just made will affect your Internet connection

If customers are using automatic hardware setup and our router, it shouldn't have any effect on the broadband connection as it will be updated through the auto hardware setup.

However I'm happy to pass your feedback on.

 Harry Beesley
 Plusnet
ScottStorey
Pro
Posts: 410
Thanks: 130
Fixes: 1
Registered: 21-02-2013

Re: Unintended consequences

When you are changing your password it already tells you on a separate page, so it isn't hidden amongst anything else, that doing so will alter your router password.
plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

Re: Unintended consequences

The above is all true when one is using a Plusnet-supplied router, which I am not. Likewise, I had to perform a password reset (i.e. the procedure for a forgotten password) as opposed to a more-organized routine password change.

It is obviously a compromise whether one accepts the convenience and loss of security of allowing an ISP remote control of its clients' modems. Perhaps I am paranoid, but, for me, this is a security lapse too far.

But perhaps it's a good time to ask: why, when providing a service to a fixed line at a known location, is it necessary to add the complication of any kind of authentication at all? The telephone system has worked for 100+ years without any real need for authentication - why does the addition of DSL change this?

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: 24-10-2013

Re: Unintended consequences

are you seriously asking why user authentication is required?
plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

Re: Unintended consequences

On a fixed, hard-wired telephone line, yes. I have had ADSL services that did not require any kind of authentication.

As I said, the telephone service has never required authentication in over a hundred years and spread over five continents. While, in some circumstances, it is possible to bridge-tap another's line and make use of such for voice services, the legitimate user would quickly be reporting faults if a felon attempted such tactics on a DSL line.

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: 24-10-2013

Re: Unintended consequences

the ADSL service would have required authentication. it may just have been hard coded into the modem or router (similar to how sky routers are configured).
Browni
Aspiring Hero
Posts: 2,673
Thanks: 1,055
Fixes: 60
Registered: 02-03-2016

Re: Unintended consequences

I used to be a Sky broadband user when they bought O2 and the username/password was the same for everybody that came from O2 LLU, it's hardly authentication!

There was no authentication with O2 LLU, I think IPoE was the connection method IIRC

plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

Re: Unintended consequences


@chenks76 wrote:
the ADSL service would have required authentication. it may just have been hard coded into the modem or router (similar to how sky routers are configured).

I was with BEthere before they went south and used a generic Netgear modem - no authentication required. In fact, BEthere were quite progressive insofar as they were truly happy for punters to use their own modems. Quite unlike Sky which did implement a truly awkward and deliberately tricky authentication scheme.

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: 24-10-2013

Re: Unintended consequences

sky let you use any router for the ADSL connections.
it's only FTTC where they say you need to use their router, however there is no system in place that physically stops you from using your own router (and the required user/pass is reasonably easy to acquire from their supplied router).

plusnet, of course, let you use whatever you want.
plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

Re: Unintended consequences

So let's get back to my question. Precisely what purpose is served by requiring authentication on a xDSL system that is hard-wired to a permanent address i.e. using much the same wiring method that has been used for phones, without authentication, for a hundred years?

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: 24-10-2013

Re: Unintended consequences

don't recall ADSL being used for a hundred years.
unless the telephone number of the line is transmitted at the time of connection then how else would the ISP know it's you that is connected, and thus bill you accordingly for usage etc.

can you offer a reason why user authentication shouldn't be there other than it has apparently caused you to get your knickers in a twist due to you not understanding the consequences of your actions?
plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

Re: Unintended consequences

@chenks76 wrote:
don't recall ADSL being used for a hundred years.

You do yourself no credit with sarcasm.

@chenks76 wrote:
unless the telephone number of the line is transmitted at the time of connection then how else would the ISP know it's you that is connected, and thus bill you accordingly for usage etc.

For a fixed-line installation, the mechanics of authenticating an xDSL line are little different from authenticating for the purpose of billing telephone calls. Because a given line is hard-wired to a particular subscriber at a known address, what purpose is served by further authentication? Even if data consumption is sold per megabyte, the ISP knows, at any one time, the amount of data served to a given subscriber at the end of a particular phone line. Throughout the history of telecomms, one thing that suppliers traditionally developed exceedingly well is the billing system ;)

In many respects, the need for authentication on a fixed-line phone/DSL installation is not far removed from the idea of ‘authenticating’ your gas or electricity supply.

OK, it is possible to bridge-tap a telephone line somewhat more easily than it is to ‘bridge-tap’ your neighbours' gas supply, but whereas doing so on a voice-only line could be quite an effective way of nicking someone else's phone service, such a technique is unlikely to work well enough to be worthwhile when xDSL is involved – creating a bridge-tap will almost certainly play such havoc with the legitimate user's service that the engineers would be out like a shot and discover the felony.

Despite the relative ease of stealing usage from a neighbour's voice line it is interesting to note that, for the most part, Telecom suppliers worldwide have hardly felt the need to authenticate the users of fixed-line installations for the past hundred years.

While my parallel between fixed-line phone supply and electricity supply is not supposed to be taken too literally, the only functional difference from the billing perspective is that the latter places the metering in or near the subscribers' premises while the former meters within the Telecom's private property and is, in that respect, rather more secure. So why bother with authentication?

Lurch
Rising Star
Posts: 81
Thanks: 20
Registered: 24-06-2016

Re: Unintended consequences

Regardless of the mechanics of the line and the authentication requirements in general I find it rather strange having the PPP password the same as the control panel password. I spent a morning trying to find the PPP password on a new connection only to find that it was the account password.

Probably not a problem for most connections with a Plusnet-supplied pre-configured router but I was at a client's premises waiting for them to give me their PPP details. In the end they had to reveal to me their Plusnet account password, which they should never reveal to anyone, and this password is now viewable from the control panel of the router used.

So from a security practice PoV this is terrible, if a customer complained about having details compromised and told this story I would say it all sounds like a scam and I am not surprised you have been compromised. I would also say that if it was one of my own customers I would say if you have given your password to some random person (OK, they are in the customer's employ I suppose but still) then they are at fault for whatever happens from that point forwards.

So in short, I don't see why the PPP password needs to match the account. I have never ever seen this with any provider (after setting up hundreds of connections with many tens of ISPs).

plutox
Grafter
Posts: 29
Thanks: 7
Registered: 13-10-2014

Re: Unintended consequences


@Lurch wrote:
...from a security practice PoV this is terrible,

Indeed. I'm also concerned about the possibility of this password being hacked directly out of the router/modem; recent history supports the argument that the security of such devices is, typically, not what it ought to be.