cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet Password Security Vulnerability

sdhuk
Dabbler
Posts: 24
Thanks: 4
Registered: ‎13-08-2022

Plusnet Password Security Vulnerability

I was just asked by customer services to give two digits of my password, which means that it must be stored as (or retrievable as) plain text.

 

There is no excuse these days for not salting / hashing passwords.

 

The falls well short of the Information Comissioners Office Guidance on storing passwords now that GPDR is in force:

 

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-r...

Tags (1)
3 REPLIES 3
Townman
Superuser
Superuser
Posts: 23,751
Thanks: 10,033
Fixes: 171
Registered: ‎22-08-2007

Re: Plusnet Password Security Vulnerability

Must it? You sure about that?

It is not impossible for specific two letter combinations to be stored as a hash in isolation from a hash of the whole password.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

sdhuk
Dabbler
Posts: 24
Thanks: 4
Registered: ‎13-08-2022

Re: Plusnet Password Security Vulnerability

That's true, I hadn't considered that possibility. Is that what Plusnet claim to do?

 

It seems like an odd way of doing things though when there are lots of other security questions that could be asked.

Townman
Superuser
Superuser
Posts: 23,751
Thanks: 10,033
Fixes: 171
Registered: ‎22-08-2007

Re: Plusnet Password Security Vulnerability

I do not know what Plusnet does (or does not do) - this issue has been raised before and there have been assurances that full password decryption does not happen.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.