Plusnet Password Security Vulnerability

sdhuk · ‎13-08-2022

I was just asked by customer services to give two digits of my password, which means that it must be stored as (or retrievable as) plain text.

There is no excuse these days for not salting / hashing passwords.

The falls well short of the Information Comissioners Office Guidance on storing passwords now that GPDR is in force:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-r...

Townman · ‎22-08-2007

Must it? You sure about that?

It is not impossible for specific two letter combinations to be stored as a hash in isolation from a hash of the whole password.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

sdhuk · ‎13-08-2022

That's true, I hadn't considered that possibility. Is that what Plusnet claim to do?

It seems like an odd way of doing things though when there are lots of other security questions that could be asked.

Townman · ‎22-08-2007

I do not know what Plusnet does (or does not do) - this issue has been raised before and there have been assurances that full password decryption does not happen.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.