How are our login passwords stored on Plusnet's systems?

MartinGoose
Grafter
Posts: 36
Thanks: 4
Registered: 08-10-2010

How are our login passwords stored on Plusnet's systems?

Whilst dealing with Plusnet support over a broadband fault using the ticket system, I felt the need to make a couple of phone calls as well. With both calls originated by me, the support person asked for a couple of characters from my logon password. Firstly I was asked for the last 2 characters and on the second call the first 2 characters.  I started to query what was going on but thought it might detract from the main purpose of the call so I let it drop.
Plusnet's password policy was explained by Bob Pullen when it changed in 2007. See:
https://community.plus.net/forum/index.php/topic,110.0.html
This said nothing about how Plusnet would store user passwords in order to validate logins.  My experience with support indicates that at least 4 characters are stored as unencrypted text. Perhaps the complete password is stored as unencrypted text!
I would expect that all login passwords would be converted to a cryptographic hash when originally chosen and only the hash would be stored and used to validate logins.  See:
https://secure.wikimedia.org/wikipedia/en/wiki/Cryptographic_hash_function
Would someone from Plusnet care to explain how my password is stored within their systems?
bobpullen
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: 04-04-2007

Re: How are our login passwords stored on Plusnet's systems?

All passwords are stored encrypted at the database level, and there's a very accurate audit trail showing who has accessed parts of an individual's password. In summary, you've really got nothing to worry about! Cool

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

MartinGoose
Grafter
Posts: 36
Thanks: 4
Registered: 08-10-2010

Re: How are our login passwords stored on Plusnet's systems?

Quote from: Bob
... you've really got nothing to worry about! Cool

My question was motivated by the quest for knowledge not due to worry!
As I understand what you say:
1. My password is stored encrypted in your system.
2. The key to decrypt my password is stored in your system.
3. The system will decrypt my password on demand by Plusnet staff and display two consecutive characters from my password for caller validation.
4. The position of the characters used and staff ID are logged for audit purposes.
5. The decrypted password is 'dropped'.
Is this correct? Have I missed anything significant?
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.
orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: 18-07-2007

Re: How are our login passwords stored on Plusnet's systems?

Quote from: MartinGoose
As I understand what you say:
1. My password is stored encrypted in your system.
2. The key to decrypt my password is stored in your system.
3. The system will decrypt my password on demand by Plusnet staff and display two consecutive characters from my password for caller validation.
4. The position of the characters used and staff ID are logged for audit purposes.
5. The decrypted password is 'dropped'.
Is this correct? Have I missed anything significant?

No, that's spot on.
Quote from: MartinGoose
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.

That shouldn't make any difference? The auditing is done based on agent logins visiting your account and viewing the password letters, no matter what the password is set as.
MartinGoose
Grafter
Posts: 36
Thanks: 4
Registered: 08-10-2010

Re: How are our login passwords stored on Plusnet's systems?

Quote from: Matt
Quote from: MartinGoose
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.

That shouldn't make any difference? The auditing is done based on agent logins visiting your account and viewing the password letters, no matter what the password is set as.

My point was that the audit trail is unclear if password changes are not considered. Perhaps an example will explain.
1. Password is ABCD
2. First access is first two characters
3. Second access is last two characters
4. Audit trail shows that if both accesses are by the same individual then the full password has been disclosed.
However if the password has been changed between 2 and 3 then the full password has *not* been disclosed.
Without recording password changes the audit trail is unclear.  Real cases are more complex but the same in principle.
Anyway, I don't wish to labour the point so no reply required unless my point is unclear.
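The scenario in the post above, modelled as an added example (not Plusnet's code or audit logic): a disclosure audit that is versioned by password changes versus one that is not. The event format, the agent name and the password length are constructed for illustration.

```python
"""Audit-trail model for partial-password disclosures.

Added example, not Plusnet's code. It implements the point made above:
an audit trail of which password positions an agent has viewed only
tells you whether a full password was disclosed if password changes
are recorded as well. Event names and fields are assumptions.
"""
from collections import defaultdict

# Each event is (kind, agent, data). A "change" event starts a new
# password version and carries the new length; a "view" event carries
# the 1-based positions shown to the agent.
# Constructed sample events for the scenario in the post: password
# "ABCD" (4 characters), one agent views positions 1-2, then 3-4.
EVENTS_NO_CHANGE = [
    ("change", None, 4),          # password set, length 4
    ("view", "agent7", (1, 2)),   # first two characters
    ("view", "agent7", (3, 4)),   # last two characters
]
EVENTS_WITH_CHANGE = [
    ("change", None, 4),
    ("view", "agent7", (1, 2)),
    ("change", None, 4),          # user changes password in between
    ("view", "agent7", (3, 4)),
]


def naive_positions(events):
    """Audit that ignores password changes: it unions every position an
    agent has ever viewed, so it wrongly reports ABCD as fully disclosed
    even when the password changed between the two calls."""
    seen = defaultdict(set)
    for kind, agent, data in events:
        if kind == "view":
            seen[agent].update(data)
    return dict(seen)


def fully_disclosed(events):
    """Audit that tracks a version per password change. Returns the set
    of (agent, version) pairs for which the agent saw every position of
    that specific password version."""
    version, lengths = 0, {}
    seen = defaultdict(set)       # (agent, version) -> positions viewed
    for kind, agent, data in events:
        if kind == "change":
            version += 1
            lengths[version] = data
        elif kind == "view":
            seen[(agent, version)].update(data)
    return {key for key, pos in seen.items() if len(pos) == lengths[key[1]]}
```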
pjmarsh
Superuser
Posts: 4,035
Thanks: 1,579
Fixes: 20
Registered: 06-04-2007

Re: How are our login passwords stored on Plusnet's systems?

Hi Martin
I think (though could be totally wrong on this) that you usually only get asked for the 1st 2 characters or the last 2 characters.  The password must be between 8 and 16 characters long, so they would be missing at least 4 characters by knowing the 4 that had been asked for.
Phil

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

HighLordPhanty
Grafter
Posts: 54
Registered: 30-07-2007

Re: How are our login passwords stored on Plusnet's systems?

Surely keeping the encrypted password and the decryption key on the same system falls somewhere outside "nothing to worry about"?
MartinGoose
Grafter
Posts: 36
Thanks: 4
Registered: 08-10-2010

Re: How are our login passwords stored on Plusnet's systems?

Quote from: HighLordPhanty
Surely keeping the encrypted password and the decryption key on the same system falls somewhere outside "nothing to worry about"?

I tend to agree.  The login password should be checked for validity when chosen or changed and then hashed for storage.  Validating the identity of persons calling the help line should be a separate issue with independent means of validation.
PS Called Plusnet again (I am having a serious REIN issue which affects several of my neighbours) and they wanted first and last characters of my password.