Customer passwords should NEVER be accessible to support technicians
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Feedback
- :
- Plusnet Feedback
- :
- Customer passwords should NEVER be accessible to s...
Customer passwords should NEVER be accessible to support technicians
18-04-2015 3:39 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Firstly, not even considering your support technicians, passwords should always be stored using a one-way hash anyway, which means they are not stored in plain text and the encrypted form cannot be reversed back to their original form.
Secondly, if they are actually stored using two-way encryption (which is bad enough as it is), allowing your employees to access this information is a huge security risk. Not only does it take one rogue employee to ruin everything, it also creates a large number of entry points for a potential external hacker to gain access to everyone's passwords and everyone's accounts.
Where does Plusnet stand on this? I've read the same complaint from at least three years ago and still nothing has been done? Seems like it's only going to be a matter of time before your databases are breached and we have another high-profile breach (c.f. Yahoo, Moonpig, Twitch, amongst others).
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 4:17 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
The assistant won't have access to the whole p/word.
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 7:21 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Many banks use a similar method when you contact them to verify that you are who you say you are.
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 7:25 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
adie:quote
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 8:12 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 8:14 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
The difference here is that Plusnet store passwords in (at best) two-way encryption and allow employees access to this information.
Edit: This is a quote from a Plusnet employee in 2007 (yes, 8 years ago) and it seems practices haven't changed since then:
Quote Customers password are encrypted on our system, in order to pass the data protection checks we need to verify that you are in fact the account holder. So to do this we ask for 2 characters from the password, in order for the CSC agent to see your password they have to click a link which then leaves an audit trail so we can see who has accessed your password.
adie:quote
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 8:41 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 9:21 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I'm reasonably certain other companies have done the same in the past.
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 10:34 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 10:39 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
as well as the usual personal/address confirmation info, they wanted
1. a certain 2 digits from my password
2 The full name/place/thing whatever of a particular memorable word.
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 10:45 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 10:59 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 11:00 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 11:05 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Their system may be better still in that the support agent is told which letters to ask for and then told if the answer given was correct? I don't see any difference here to what my bank does...
Re: Customer passwords should NEVER be accessible to support technicians
18-04-2015 11:51 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
1. The support agents have in the past been able to see the full password and there's no evidence that this has changed
2. Instead of emailing a password reset email, Plusnet are one of the only remaining companies to actually display my password in plaintext when I use the 'forgotten password' link (and that's bad enough on its own!)
3. Banks have the technology and security to do this properly where Plusnet clearly doesn't (see point 2)
It's 2015 and using reversible encryption is just asking for trouble. It's a shame that Plusnet will only realise this when they get bitten in the bum by a hacker.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Feedback
- :
- Plusnet Feedback
- :
- Customer passwords should NEVER be accessible to s...