In similar situations I tend to take the name and department of the caller then say I will call back shortly.

Then I obtain the relevant number from the company website or use an already-known-to-me number.

I then ring a different number (usually my own mobile or landline) to verify that my line hasn't been hacked as in being kept open with the scammers sending the relevant tone(s) before ringing back happy to go through any DP necessary.

A bit of a hassle but feel it is the best option to maintain security integrity.

Can you imagine trying to phone Plusnet?

OK, for those people who asked.  Here's a more detailed time line.

1. Plusnet called me.
2. Plusnet asked for personal information to identify myself.
3. I refused, since I didn't know who the caller was.
4. The caller opened a ticket on Plusnet's system about the call.
5. An email arrived from Plusnet about the ticket.
6. I checked that the links in the email really went to Plusnet's web site, then clicked on the link.
7. The link went to the ticket about the call.
8. The caller asked for my name, address and phone number which I gave.
9. The caller asked for characters from my password.
10. I hung up on the caller.
11. I used the ticket that had just been opened to make a complaint about the call.

so we now have some honestly about what was actually asked from you.
you originally claimed they asked for your "password", which clearly didn't happen.

you have clarified that you received validation that you were actually speaking to plusnet, so where is the issue with them wanting "select" characters from your password so that they can confirm they are talking to YOU?

---

@chenks76 wrote:

so we now have some honestly about what was actually asked from you.
you originally claimed they asked for your "password", which clearly didn't happen.

you have clarified that you received validation that you were actually speaking to plusnet, so where is the issue with them wanting "select" characters from your password so that they can confirm they are talking to YOU?

---

First issue - you just don't do that.  There are so many scammers around trying steal personal details.  The last thing any company should do is to train its customers that it is appropriate to give account information like that to someone who calls out of the blue.

Second - it tells me that Plusnet are not storing my password securely.  My main account password should be stored in such a way that it is impossible to retrieve my password from the system - only to verify the next time I log in that I have typed in the same password as I did when I opened the account.  That is the only way to keep my password secure from hackers or malicious insiders.  If it is possible to verify that two characters are from my password, then they cannot have done that.  If Plusnet want some kind of phone verification word, then that should be totally separate from the account password.  But they would have to deal with customers forgetting it, because they will if they don't phone regularly.

First I don't see what your problem is here ok calls out of the blue and giving info out i can kind of understand but you then went and found it to actually be Plusnet you were dealing with but still had a problem because they wanted to verify it was YOU by requesting a couple of characters from your password which is standard practice for the majority of companies.

Secondly when it comes to password verification where I Work uses the same process as do many other companies, the staff DO NOT see the password nor can they retrieve or request it, two or three characters appear on the screen as it is with online shopping where the last 3 or 4 digits of a credit / debit card can be seen at checkout the rest is fully encrypted, the staff ask the customer to confirm the characters they see, they have no idea what the password is, it's length or anything else related to it its not their concern.

But if Plusnet ask for a different pair of characters each time, they must store the password in both a plain text and an encrypted form.

When I make a connection with my router is my password sent in an encrypted form?

https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol

CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.

Winds me up this - I'm not a Plusnet customer because of this reason.

I got asked for "select characters" of my password twice, each person asked for different parts of the password.

If that's the case, how long until someone is able to piece together my password? 

That's not really my main concern though - my main concern is that companies of this size are a target for attacks and data theft. Since Plusnet do not store the passwords in a hashed form, it makes it a million times easier for someone to steal the password data for the whole user-base. 

We aren't talking address/mail details here, we are talking passwords which people may not realise are not stored securely that people may have used elsewhere (yes it's not good practice to use the same password for multiple sites but people do it).

It's Plusnet's responsibility to adopt industry best practices. I've heard that the same password is used for your online account, CHAPS authentication, phone verification...

Plusnet, all you need to do is introduce a couple of separate passwords for these mechanisms or you are introducing a massive weakness into your systems and putting thousands of customer's privacy at risk.

Stop trying to defend Plusnet - it's an easily remedied issue.

Here's a short story - when I was a lot younger, messing about with PHP websites, I wrote one for my friends online gaming clan. At that time I didn't know much about password hashing or best-practice, and I stored passwords in plain-text at the back end.

Since a friend of mine used the same password on the site as his machine administrator password, I managed to remotely use his c$ share and log-in as the administrator on his machine. This gave me access to his whole file system. I left a few troll text files around here and there. 

Now some of this isn't as easy anymore, but I was a 14/15 year old kid who managed to compromise someone's personal machine on a whim, what if I'd been a malicious person intent on stealing data?

You forgot that Plusnet now also issue router admin passwords and wifi passwords (which I guess few people change).

have a look at this post I just made regarding Plusnet passwords being stored as cleartext....

the have recently improved matters
admittedly not everyone will be 100% chuffed but it is an improvement, (IF YOU KNOW ABOUT IT AND TAKE ACTION)