Order Processing.

leonaplusnet
Newbie
Posts: 7
Registered: ‎11-01-2016

Order Processing.

Not sure where I can post this, but I have noticed an error on the order tracking page.
On the Broadband part it states:
Quote
Your order is due to complete
The engineer appointment to install your broadband service is booked for %appointmentDate% between %appointmentStartTime% and %appointmentFinishTime%.

So a little quality control would be of use here.
I'm also concerned about parts of passwords being printed in letters (see my other post). Does this mean Plusnet are storing plain-text passwords (i.e. not encrypted)?
HarryB
Plusnet Help Team
Posts: 5,199
Thanks: 1,466
Fixes: 256
Registered: ‎25-03-2015

Re: Order Processing.

This is the right place for this post.
Thanks for the feedback, I'll get that flagged up tomorrow when I'm back in work.
In regard to the passwords, no, we do not store these as plain text.
Harry Beesley
Plusnet
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Order Processing.

But the passwords are stored so that the plain text of the password can be retrieved. This issue must have been raised numerous times over the years. Changing it would require having one password for the member centre, and another password for the PPP authentication the router does when it connects to Plusnet. The password for the PPP auth would need to be retrievable.
leonaplusnet
Newbie
Posts: 7
Registered: ‎11-01-2016

Re: Order Processing.

Thank you HarryB, I look forward to the results of your investigation.
Indeed ejs, the password for our online account should NOT be the same as for our broadband access, as this password can be 'sniffed' or otherwise recovered and then used to log into our online accounts. This is surely a very high security risk. With the attack on TalkTalk very recently (my previous supplier; thankfully my data wasn't stolen), my anxiety level is very high. I am a software developer with experience in the area of security and I can see that there is a security hole here that needs to be closed before another school kid decides to take advantage of it.
While you might not store them as plain text, they are being decrypted; this shouldn't be possible. They should be hashed and salted, then a comparison performed to compare patterns; they should not be retrievable and most certainly not printed in letters!
Our online accounts hold our bank, home and personal details; this would allow anyone who compromised your system to use this data illegally. I surely don't have to highlight how damaging this would be. Maybe I'm over-reacting but, as I said, I've been bitten before by poorly secured systems and I don't want to be a victim of another. I need reassurance, backed up with evidence, that your systems are secure, i.e. do you run penetration tests, security checks, monitoring, etc.?
Townman
Superuser
Posts: 23,013
Thanks: 9,601
Fixes: 160
Registered: ‎22-08-2007

Re: Order Processing.

Quote from: ejs
The password for the PPP auth would need to be retrievable.

I think it would be practical to store the password encrypted as a one-way hash, and then on PPP authentication one uses the same encryption on the supplied password and compares it to the stored hash. If they match, the supplied password is deemed to be correct.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Order Processing.

Someone might think that, if they don't know how it works.
https://tools.ietf.org/html/rfc1994
Quote
2.1.  Advantages
...
  This authentication method depends upon a "secret" known only to the
  authenticator and that peer.  The secret is not sent over the link.
...
2.2.  Disadvantages
  CHAP requires that the secret be available in plaintext form.
  Irreversably encrypted password databases commonly available cannot
  be used.

The other end does not receive a supplied password during the PPP authentication.
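The difference ejs is describing, shown as an added example written for this page (not code from the thread, from Plusnet, or from the RFC): the CHAP authenticator side of RFC 1994 beside a salted one-way hash check for a web login. The first can only be computed from a stored plaintext secret, the second never needs the password stored at all. All sample secrets and values are constructed.

```python
import hashlib
import hmac
import os

# Example for this thread (not Plusnet code). RFC 1994 CHAP: the peer sends
# MD5(Identifier || secret || Challenge); the authenticator must recompute that
# from its own copy of the secret, so the PPP secret has to be stored reversibly.
# A web login receives the password itself and can check it against a salted
# one-way hash, so the member-centre password can be stored irreversibly.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value per RFC 1994 section 4.1: MD5 over one ID octet, the secret, the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_authenticator_verify(identifier: int, stored_secret: bytes,
                              challenge: bytes, response: bytes) -> bool:
    """Authenticator side. Only the response hash arrives, never the password,
    so a one-way hash of the secret on disk could not be used here."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def hash_web_password(password: str, salt: bytes = None,
                      iterations: int = 200_000) -> tuple:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256) for a form-submitted password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_web_password(password: str, salt: bytes, stored: bytes,
                        iterations: int = 200_000) -> bool:
    """Web-login side: the submitted password is re-hashed with the stored salt and compared."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Run both flows with constructed sample values; returns the verdicts."""
    ppp_secret = b"constructed-ppp-secret"   # what the authenticator must keep readable
    challenge = os.urandom(16)               # fresh per authentication attempt
    good = chap_authenticator_verify(7, ppp_secret, challenge, chap_response(7, ppp_secret, challenge))
    bad = chap_authenticator_verify(7, ppp_secret, challenge, chap_response(7, b"wrong", challenge))
    salt, stored = hash_web_password("constructed-web-password")
    return {"chap_ok": good, "chap_wrong_secret": bad,
            "web_ok": verify_web_password("constructed-web-password", salt, stored),
            "web_wrong": verify_web_password("constructed-web-password2", salt, stored)}
```

Note that nothing in `chap_authenticator_verify` could be rewritten to work from a salted hash of `stored_secret`, which is exactly the RFC's "Disadvantages" point quoted above.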