
PSN and PN passwords

adamwalker
Plusnet Help Team
Posts: 16,877
Thanks: 882
Fixes: 221
Registered: ‎27-04-2007

Re: PSN and PN passwords

avatastic,
Re the routers, they are self-configuring, but only new ones supplied by ourselves.
phil4,
Quote
Hi, I'd like to confirm this is incorrect. I have experienced, more than once, your support agents asking for my full password.

What I've mentioned is what should happen; agents should not ask for the full password. So I'll check your account and pass on some feedback if I can spot who did that.
The official line here is that agents should be asking for two characters (first two/last two/first and last etc).
Also agents cannot see full billing details.

 Adam Walker
 Plusnet Help Team
David_W
Rising Star
Posts: 2,305
Thanks: 33
Registered: ‎19-07-2007

Re: PSN and PN passwords

I think the issue is (if I'm reading it correctly): is it possible for anyone on an outside network (I say possible, not feasible) to obtain people's usernames and passwords in an unencrypted format, or are the passwords inside PN's system on a separate network where, even if PN's internal servers were compromised, there would be no possible way for the persons doing it to obtain the information? For instance, the link you describe for your staff to view the password, can it only be viewed by an IP address that comes from the internal network and such?
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: PSN and PN passwords

It's on an internal, secure network; only staff with registered accounts can log in with their secure passwords or keyfobs.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
David_W
Rising Star
Posts: 2,305
Thanks: 33
Registered: ‎19-07-2007

Re: PSN and PN passwords

Then I really can't see any issue with PN having the passwords unencrypted as there is no way for them to be taken internally.  I naturally assume that all passwords which are not internal (for instance, logging into the portal or DSL login details) are encrypted?
phil4
Grafter
Posts: 244
Registered: ‎13-12-2007

Re: PSN and PN passwords

Hi David, appreciate your point of view,
Quote from: David
  I naturally assume that all passwords which are not internal (for instance, logging into the portal or DSL login details) are encrypted?

My understanding of the preceding statements is that DSL login details and portal (as opposed to forum) passwords are one and the same, and unencrypted.
Having a few years of IT security experience behind me, there are many, many facets to consider. For example, if a hacker can hack into the internal network, having the passwords on the internal secure network provides no additional security.
Next up, as the staff need registered accounts, secure passwords etc., we should consider aspects of their staff joiner, leaver and screening policies, their internal password policy, and the proven or otherwise efficiency of the mechanism used to allow access to the passwords. And more. A good example would be that you'd hope Plusnet are ISO 27002 certified, or at least trying to behave like they are.
What I think I'm saying is that demonstrating that the passwords are unencrypted yet securely stored, is pretty complex.
David_W
Rising Star
Posts: 2,305
Thanks: 33
Registered: ‎19-07-2007

Re: PSN and PN passwords

One way to find out if the portal is hashed is to use the "forgot my password" feature: if the password is sent to you then it isn't hashed; if, however, the password is reset then it would tend to lean towards it being hashed, as the password isn't known to return it to you.
I checked; it gave me my password and displayed it, which means all our passwords are available on the outside network and are stored unencrypted. This is a bit of a security risk, I do agree.
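
The distinction drawn in the post above (a "forgot my password" feature can only reset, never return, a password that is stored as a hash), shown as an added example that is not part of the original thread and not Plusnet's code. The function names, the in-memory stores and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores (hypothetical; a real service uses a database).
_accounts = {}       # username -> (salt, PBKDF2 digest); never the password
_reset_tokens = {}   # sha256(token) -> username

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow, one-way: the digest cannot be turned back
    # into the password, so nobody (staff or intruder) can read it out.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _accounts[username] = (salt, _digest(password, salt))


def verify(username: str, password: str) -> bool:
    record = _accounts.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(stored, _digest(password, salt))


def forgot_password(username: str) -> str:
    """Issue a one-time reset token; there is no password to send back."""
    if username not in _accounts:
        raise KeyError(username)
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is kept, so a leaked table is not usable.
    _reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = username
    return token  # delivered out of band, e.g. by email


def reset_password(token: str, new_password: str) -> bool:
    key = hashlib.sha256(token.encode()).hexdigest()
    username = _reset_tokens.pop(key, None)  # pop makes the token single-use
    if username is None:
        return False
    register(username, new_password)
    return True
```

A store like this also cannot answer "what are the first two characters of the password", so the partial-character check described earlier in the thread would need a separate secret kept for that purpose.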
TicnTac
Grafter
Posts: 426
Thanks: 1
Registered: ‎03-08-2010

Re: PSN and PN passwords

Passwords are like underwear. You shouldn't leave them out where people can see them. You should change them regularly. And you shouldn't loan them out to strangers! - An easy way of keeping secure!
That aside, I think PN is totally flawed due to the un + email combo - give out your email address and you've given half your security away! Hence we do not use PN for email.
I think PN should implement a mem word system with 3 characters of mem word to use before a log in, also 3 to be used over the phone so full words / passwords / user names aren't used or seen; it only takes one member of the PNCST to wreak havoc!
Look at what has happened to Sony! It isn't if it will happen, it is 'when' it will happen.
Come on PN, time to tighten up, lock down, get secure - and for users out there, don't use McCoffee Anti Caffine.