
Password requirements mismatch causes automatic configuration to fail

munchingfoo
Newbie
Posts: 3
Thanks: 4
Registered: Monday


Just joined Plusnet today.

My router said it was connected to the internet, but my devices were showing no internet.

1hr of fault finding later, I've discovered a very simple bug that causes automatic router modem configuration to fail.

The password requirements for a user account on first registration are not the same as those required for the broadband authentication. My password manager selected a 20 character random password for my account password, which was allowed, but the broadband authentication system's password requirements are a maximum of 18 characters.

As the initial account password is used as the automatic set up password for broadband, this causes the system to fail and remain in the setup@plusdsl.net user stage. This stage shows all green (and blue light) for internet, but only gives access to the plus.net domain.

The fix for someone like me who knows what they are doing is to reset your own account password to meet the broadband account requirements then reconnect, but a better solution would be for Plusnet to apply the same password requirements to both account creation and broadband authentication.

Please fix for everyone's future sanity, I can't get my hour of life back but maybe you can save others in the future.

Champnet
Aspiring Hero
Posts: 2,983
Thanks: 1,132
Fixes: 16
Registered: ‎25-07-2007

Re: Password requirements mismatch causes automatic configuration to fail

If you know what you're doing why select a 20 character random password?

You're creating your own problems.

munchingfoo
Newbie
Posts: 3
Thanks: 4
Registered: Monday

Re: Password requirements mismatch causes automatic configuration to fail

There is no indication when signing up for the first time on a Plusnet user account on a website that those same account credentials will be later used for broadband authentication.

20 character passwords are the default for my password manager out the box, and this is the first time that a hidden issue like this has ever occurred.

If you can't see why having two different password requirements enforced on the same password is a massive problem that would take a competent software engineer less than an hour to correct for all future interactions, then, respectfully, you don't know what you are doing.

HPsauce
Seasoned Pro
Posts: 7,208
Thanks: 276
Fixes: 4
Registered: ‎02-02-2008

Re: Password requirements mismatch causes automatic configuration to fail

@munchingfoo @Champnet There are other devious mismatches too as I have mentioned in the past.

I can't recall the exact details now but the rules around special characters are different for the account password and router broadband login!

That got me confused until I worked it out and I'm an IT person who was just trying to change a password - and not even making it particularly long! 

Baldrick1
Moderator
Posts: 12,721
Thanks: 5,848
Fixes: 432
Registered: ‎30-06-2016

Re: Password requirements mismatch causes automatic configuration to fail


@munchingfoo wrote:

If you can't see why having two different password requirements enforced on the same password is a massive problem that would take a competent software engineer less than an hour to correct for all future interactions, then, respectfully, you don't know what you are doing.


It might take less than an hour to change the code, but I suspect that the time required for all the checks, balances and testing required to justify and change critical live business software would be a totally different matter.

The problem with any software is that there are invariably ways of breaking it by not following the instructions, and sometimes by following them. I mention the latter on recalling a customer in my previous life who complained that an instruction we had given was: 'press any key'. Having tried every one he discovered that the Escape key wouldn't work and insisted that we changed the instructions.

I would question the justification for using a 20 bit random password generator. In practical real world terms this is a total overkill.

Moderator and Customer
If this helped - select the Thumb
If it fixed it,  help others - select 'This Fixed My Problem'

Townman
Superuser
Posts: 25,045
Thanks: 10,763
Fixes: 188
Registered: ‎22-08-2007

Re: Password requirements mismatch causes automatic configuration to fail

The principle is reasonable; at the very least the guidance on password constraints should not permit the creation of a password which cannot be accepted by the router. It being enforced via software though being very desirable is not essential, but the absence of the correct guidance is indefensible.

I’ve escalated the observation.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

Champnet
Aspiring Hero
Posts: 2,983
Thanks: 1,132
Fixes: 16
Registered: ‎25-07-2007

Re: Password requirements mismatch causes automatic configuration to fail


@Baldrick1 wrote:


It might take less than an hour to change the code, but I suspect that the time required for all the checks, balances and testing required to justify and change critical live business software would be a totally different matter.


This would involve a massive change to the database system, associated indexes and supporting programs. Not quick, not cheap.

I do accept @munchingfoo's criticism. There should be a prominent simple guide explaining acceptable password makeups...

Baldrick1
Moderator
Posts: 12,721
Thanks: 5,848
Fixes: 432
Registered: ‎30-06-2016

Re: Password requirements mismatch causes automatic configuration to fail


@Champnet wrote:

I do accept @munchingfoo's criticism. There should be a prominent simple guide explaining acceptable password makeups...


I agree. I'm not defending the status quo, just pointing out that it's not as quick a fix as may be imagined.


munchingfoo
Newbie
Posts: 3
Thanks: 4
Registered: Monday

Re: Password requirements mismatch causes automatic configuration to fail

@Champnet @Baldrick1

I think you are looking at this from the wrong end. I am not asking for them to update the broadband authentication system to enable 20 character passwords. That would require a year or more of engineering work. I am asking for them to align the user creation password requirements enforced on the user interface to that of the broadband authentication system, or if the acceptable passwords for the broadband are not an exact subset of the user creation DB then the intersection of both requirements.

The only thing that would be required is to update the password requirements checking script on the user creation and password reset webpage. It's a two second job, with the associated QA checks taking less than an hour.

The underlying user account database could still logically store and process different password requirements without issue, as long as the web front end enforced the more restrictive policy applied by the broadband authentication, or joint subset.
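
Added example, not part of the thread and not Plusnet's code: a sketch of the front-end check the last post describes, where sign-up enforces the intersection of both systems' password rules. Only the 18-character broadband maximum is taken from the thread; the other policy values and all function names are assumptions.

```javascript
// Only the 18-character broadband maximum comes from the thread; every other
// value in these two policies is an assumption made for illustration.
const accountPolicy = { minLength: 8, maxLength: 64,
  allowed: /^[\x21-\x7e]$/, requiredClasses: ["lower", "digit"] };
const broadbandPolicy = { minLength: 8, maxLength: 18,
  allowed: /^[A-Za-z0-9]$/, requiredClasses: [] };
const CLASSES = { lower: /[a-z]/, upper: /[A-Z]/, digit: /[0-9]/ };

// Merge policies so that a password passing the result passes every input:
// tightest length bounds, characters allowed by all, classes required by any.
function intersectPolicies(...policies) {
  const merged = {
    minLength: Math.max(...policies.map((p) => p.minLength)),
    maxLength: Math.min(...policies.map((p) => p.maxLength)),
    allowedBy: policies.map((p) => p.allowed),
    requiredClasses: [...new Set(policies.flatMap((p) => p.requiredClasses))],
  };
  // Fail at deploy time if no password could ever satisfy both systems.
  if (merged.minLength > merged.maxLength) {
    throw new Error("policies share no valid password length");
  }
  return merged;
}

// Return a list of human-readable violations; an empty list means accepted.
function checkPassword(password, policy) {
  const errors = [];
  const chars = [...password]; // count code points, not UTF-16 units
  if (chars.length < policy.minLength) errors.push(`shorter than ${policy.minLength} characters`);
  if (chars.length > policy.maxLength) errors.push(`longer than ${policy.maxLength} characters`);
  const bad = chars.filter((c) => !policy.allowedBy.every((re) => re.test(c)));
  if (bad.length) errors.push(`not accepted by every system: ${[...new Set(bad)].join(" ")}`);
  for (const name of policy.requiredClasses) {
    if (!CLASSES[name].test(password)) errors.push(`missing character class: ${name}`);
  }
  return errors;
}

// Constructed 20-character sample, like a password manager default.
const sample = "k3vq8m2xw7rt5bn9hj4d";
const signupOnly = intersectPolicies(accountPolicy);
const aligned = intersectPolicies(accountPolicy, broadbandPolicy);
console.log(checkPassword(sample, signupOnly)); // accepted by the sign-up rules alone
console.log(checkPassword(sample, aligned));    // rejected once both rules are enforced
```

The stored account policy is untouched here; only the check applied at sign-up and password reset is tightened, which is the change the post proposes.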