cancel
Showing results for 
Search instead for 
Did you mean: 

How are our login passwords stored on Plusnet's systems?

MartinGoose
Dabbler
Posts: 14
Registered: 08-10-2010

How are our login passwords stored on Plusnet's systems?

Whilst dealing with Plusnet support over a broadband fault using the ticket system, I felt the need to make a couple of phone calls as well. With both calls originated by me, the support person asked for a couple of characters from my logon password. Firstly I was asked for the last 2 characters and on the second call the first 2 characters.  I started to query what was going on but thought it might detract from the main purpose of the call so I let it drop.
Plusnet's password policy was explained by Bob Pullen when it changed in 2007. See:
https://community.plus.net/forum/index.php/topic,110.0.html
This said nothing about how Plusnet would store user passwords in order to validate logins.  My experience with support indicates that at least 4 characters are stored as unencrypted text. Perhaps the complete password is stored as unencrypted text!
I would expect that all login passwords would be converted to a cryptographic hash when originally chosen and only the hash would be stored and used to validate logins.  See:
https://secure.wikimedia.org/wikipedia/en/wiki/Cryptographic_hash_function
Would someone from Plusnet care to explain how my password is stored within their systems?
7 REPLIES
Community Gaffer
Community Gaffer
Posts: 13,423
Thanks: 1,184
Fixes: 92
Registered: 04-04-2007

Re: How are our login passwords stored on Plusnet's systems?

All passwords are stored encrypted at the database level, and there's a very accurate audit trail showing who has accessed parts of an individual's password. In summary, you've really got nothing to worry about! Cool

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

MartinGoose
Dabbler
Posts: 14
Registered: 08-10-2010

Re: How are our login passwords stored on Plusnet's systems?

Quote from: Bob
... you've really got nothing to worry about! Cool

My question was motivated by the quest for knowledge not due to worry!
As I understand what you say:
1. My password is stored encrypted in your system.
2. The key to decrypt my password is stored in your system.
3. The system will decrypt my password on demand by Plusnet staff and display two consecutive characters from my password for caller validation.
4. The position of the characters used and staff ID are logged for audit purposes.
5. The decrypted password is 'dropped'.
Is this correct? Have I missed anything significant?
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.
Plusnet Alumni (retired) orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: 18-07-2007

Re: How are our login passwords stored on Plusnet's systems?

Quote from: MartinGoose
As I understand what you say:
1. My password is stored encrypted in your system.
2. The key to decrypt my password is stored in your system.
3. The system will decrypt my password on demand by Plusnet staff and display two consecutive characters from my password for caller validation.
4. The position of the characters used and staff ID are logged for audit purposes.
5. The decrypted password is 'dropped'.
Is this correct? Have I missed anything significant?

No, that's spot on
Quote from: MartinGoose
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.

That shouldn't make any difference? The auditing is done based on agent logins visiting your account and viewing the password letters, no matter what the password is set as.
MartinGoose
Dabbler
Posts: 14
Registered: 08-10-2010

Re: How are our login passwords stored on Plusnet's systems?

Quote from: Matt
Quote from: MartinGoose
It seems to me that the audit trail may be confusing if a user is changing passwords frequently.

That shouldn't make any difference? The auditing is done based on agent logins visiting your account and viewing the password letters, no matter what the password is set as.

My point was that the audit trail is unclear if password changes are not considered. Perhaps an example will explain.
1.  Password is ABCD
2.  First access is first two characters
3.  Second access is last two characters
4.  Audit trail shows that if both accesses are by the same individual then the full password has been disclosed.
However if the password has been changed between 2 and 3 then the full password has *not* been disclosed.
Without recording password changes the audit trail is unclear.  Real cases are more complex but the same in principle.
Anyway, I don't wish to labour the point so no reply required unless my point is unclear.
Superuser
Superuser
Posts: 2,883
Thanks: 576
Fixes: 5
Registered: 06-04-2007

Re: How are our login passwords stored on Plusnet's systems?

Hi Martin
I think (though could be totally wrong on this) that you usually only get asked for the 1st 2 characters or the last 2 characters.  The password must be between 8 and 16 characters long, so they would be missing at least 4 characters by knowing the 4 that had been asked for.
Phil
HighLordPhanty
Grafter
Posts: 54
Registered: 30-07-2007

Re: How are our login passwords stored on Plusnet's systems?

Surely keeping the encrypted password and the decryption key on the same system falls somewhere outside "nothing to worry about"?
MartinGoose
Dabbler
Posts: 14
Registered: 08-10-2010

Re: How are our login passwords stored on Plusnet's systems?

Quote from: HighLordPhanty
Surely keeping the encrypted password and the decryption key on the same system falls somewhere outside "nothing to worry about"?

I tend to agree.  The login password should be checked for validity when chosen or changed and then hashed for storage.  Validating the identity of persons calling the help line should be a separate issue with independent means of validation.
PS Called Plusnet again (I am having a serious REIN issue which affects several of my neighbours) and they wanted first and last characters of my password.