How are our login passwords stored on Plusnet's systems?
12-08-2011 10:02 PM
Plusnet's password policy was explained by Bob Pullen when it changed in 2007. See:
https://community.plus.net/forum/index.php/topic,110.0.html
This said nothing about how Plusnet would store user passwords in order to validate logins. My experience with support indicates that at least 4 characters are stored as unencrypted text. Perhaps the complete password is stored as unencrypted text!
I would expect that all login passwords would be converted to a cryptographic hash when originally chosen and only the hash would be stored and used to validate logins. See:
https://secure.wikimedia.org/wikipedia/en/wiki/Cryptographic_hash_function
Would someone from Plusnet care to explain how my password is stored within their systems?
Re: How are our login passwords stored on Plusnet's systems?
13-08-2011 1:05 AM
Bob Pullen
Plusnet Product Team
Re: How are our login passwords stored on Plusnet's systems?
13-08-2011 7:33 AM
Quote from: Bob ... you've really got nothing to worry about!
My question was motivated by the quest for knowledge not due to worry!
As I understand what you say:
1. My password is stored encrypted in your system.
2. The key to decrypt my password is stored in your system.
3. The system will decrypt my password on demand by Plusnet staff and display two consecutive characters from my password for caller validation.
4. The position of the characters used and staff ID are logged for audit purposes.
5. The decrypted password is 'dropped'.
Is this correct? Have I missed anything significant?
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.
Re: How are our login passwords stored on Plusnet's systems?
15-08-2011 3:03 PM
Quote from: MartinGoose As I understand what you say:
1. My password is stored encrypted in your system.
2. The key to decrypt my password is stored in your system.
3. The system will decrypt my password on demand by Plusnet staff and display two consecutive characters from my password for caller validation.
4. The position of the characters used and staff ID are logged for audit purposes.
5. The decrypted password is 'dropped'.
Is this correct? Have I missed anything significant?
No, that's spot on
Quote from: MartinGoose It seems to me that the audit trail may be confusing if a user is changing passwords frequently.
That shouldn't make any difference? The auditing is done based on agent logins visiting your account and viewing the password letters, no matter what the password is set as.
Re: How are our login passwords stored on Plusnet's systems?
15-08-2011 7:12 PM
Quote from: Matt
Quote from: MartinGoose It seems to me that the audit trail may be confusing if a user is changing passwords frequently.
That shouldn't make any difference? The auditing is done based on agent logins visiting your account and viewing the password letters, no matter what the password is set as.
My point was that the audit trail is unclear if password changes are not considered. Perhaps an example will explain.
1. Password is ABCD
2. First access is first two characters
3. Second access is last two characters
4. Audit trail shows that if both accesses are by the same individual then the full password has been disclosed.
However if the password has been changed between 2 and 3 then the full password has *not* been disclosed.
Without recording password changes the audit trail is unclear. Real cases are more complex but the same in principle.
Anyway, I don't wish to labour the point so no reply required unless my point is unclear.
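The ABCD case from the post above, worked through as an added example (not part of the original thread and not Plusnet's audit code). The log layout, the agent name and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log for the ABCD example (not real audit data).
# Entries: ("view", time, agent, positions shown) or ("change", time)
SAMPLE_LOG = [
    ("view", 1, "agent_17", (1, 2)),    # first two characters shown
    ("change", 2),                      # customer sets a new password
    ("view", 3, "agent_17", (3, 4)),    # last two characters shown
]


def exposure(log, record_changes=True):
    """Return {agent: positions of the *current* password that agent has seen}.

    record_changes=False ignores "change" entries, which models an audit
    trail that only logs agent views.
    """
    seen = defaultdict(set)
    for entry in sorted(log, key=lambda e: e[1]):
        if entry[0] == "change":
            if record_changes:
                seen.clear()            # earlier views refer to a retired password
        else:
            _, _, agent, positions = entry
            seen[agent].update(positions)
    return dict(seen)


def fully_disclosed(log, length, record_changes=True):
    """Agents whose logged views cover every position of the current password."""
    everything = set(range(1, length + 1))
    return sorted(agent for agent, pos in exposure(log, record_changes).items()
                  if pos >= everything)


if __name__ == "__main__":
    print("views only:   ", fully_disclosed(SAMPLE_LOG, 4, record_changes=False))
    print("with changes: ", fully_disclosed(SAMPLE_LOG, 4))
```
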
Re: How are our login passwords stored on Plusnet's systems?
16-08-2011 9:54 AM
I think (though could be totally wrong on this) that you usually only get asked for the 1st 2 characters or the last 2 characters. The password must be between 8 and 16 characters long, so they would be missing at least 4 characters by knowing the 4 that had been asked for.
Phil
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
Re: How are our login passwords stored on Plusnet's systems?
16-08-2011 8:27 PM
Re: How are our login passwords stored on Plusnet's systems?
17-08-2011 8:37 AM
Quote from: HighLordPhanty Surely keeping the encrypted password and the decryption key on the same system falls somewhere outside "nothing to worry about"?
I tend to agree. The login password should be checked for validity when chosen or changed and then hashed for storage. Validating the identity of persons calling the help line should be a separate issue with independent means of validation.
PS Called Plusnet again (I am having a serious REIN issue which affects several of my neighbours) and they wanted first and last characters of my password.
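A sketch of the arrangement proposed in the post above, as an added example (not from the thread and not Plusnet's implementation): the login password is kept only as a salted scrypt hash, and helpline callers are checked with a separate one-time code. The record layout, the scrypt work factors and the support-code scheme are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)    # assumed work factors


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)


def set_password(password: str) -> dict:
    """Check the policy, then keep only salt + hash; the plaintext is not stored."""
    if not 8 <= len(password) <= 16:          # length rule quoted in the thread
        raise ValueError("password must be 8-16 characters")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def check_login(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["hash"], _kdf(attempt, record["salt"]))


def issue_support_code(record: dict, ttl: int = 600, now=None) -> str:
    """Hypothetical helpline check: a one-time code shown to the logged-in
    customer, stored hashed and unrelated to the login password."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    record["support"] = {"salt": salt, "hash": _kdf(code, salt),
                         "expires": now + ttl}
    return code


def check_support_code(record: dict, spoken: str, now=None) -> bool:
    now = time.time() if now is None else now
    entry = record.pop("support", None)       # single use: removed on first try
    if entry is None or now > entry["expires"]:
        return False
    return hmac.compare_digest(entry["hash"], _kdf(spoken, entry["salt"]))
```

With this layout there is nothing in the stored record from which staff could display "characters 1 and 2" of the login password, so the helpline check has to rely on the separate code.
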