Secure Password Storage
Secure Password Storage
27-12-2017 11:55 AM
I've just spoken to a very friendly person in customer services (great on that front) who asked for two characters of my password. I was a little taken aback since what company does that in 2017?
Does anyone know how they verify these characters? Presumably they're not held in plaintext since with GDPR coming up they'd be getting a rather hefty fine very soon. I've found one third party blog post which suggests how you could create a secure partial password verification process here, but with another human doing the verifying over an unsecure phone line there's an obvious flaw to the implementation.
Re: Secure Password Storage
27-12-2017 12:23 PM
My energy provider asks for verification info over the phone, at least one other ISP I know does. I do not know, so could be wrong here and I know PN won't confirm or deny (for obvious reasons), but I would imagine the advisor is only presented with the characters they ask you to provide, and not the full data.
Re: Secure Password Storage
27-12-2017 2:04 PM
I would expect PN to verify my identity, but I don't expect them to ask me to compromise my online account password in the process. Most companies are happy to confirm that they store all passwords as a salted hash, as should be standard, so if PN decline to comment we can only assume the worst case scenario.
I don't have so much of a problem with customer services seeing part of the password (although this is an issue), but if the data is stored in either plain text or with a reversible encryption method then any data breach would result in more information being exposed than necessary.
Re: Secure Password Storage
27-12-2017 11:26 PM
It's either encrypted and reversible or just plain text.
Re: Secure Password Storage
28-12-2017 12:43 AM
So everyone is fine with this? Are levels of apathy regarding our personal information really this high?
Re: Secure Password Storage
28-12-2017 12:57 AM
The only way I can see it is:
- The passwords are encrypted with something like MD5 - which can be reverse engineered.
- Plain text. I'm not being sarcastic, but an on-line company I was with about 10 years ago had their plain password table hacked and then we were told to change our passwords. Worst case scenario.
- The 2 letters are stored in a separate table or field linking to the primary key of the password table. A way I would implement it is to have a trigger to update those fields when the main password field (from the other table) would change. Before encryption has been performed. Produce the two letters then encrypt the whole password into main password table. Then any letter check would have to come from those two fields not the encrypted password table. If you decide to change password via the Portal, then the update coming from there would update the letter check field.
It could be even better than that, when a new password trigger is activated, get the length of the new one and select two random characters and update the checksum database.
Can't really have more than two though I guess or you can argue it has your whole unencrypted password.
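The separate-fields design sketched in that post, written out as an added example (not code from the thread or from Plusnet). Field names, the PBKDF2 work factor and the sample password are assumptions; the main field holds only a salted slow hash, and the two randomly chosen characters live in their own fields, which is also exactly what a breach would still expose.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this example

def set_password(record: dict, password: str) -> dict:
    """Stands in for the post's trigger: runs on every password change,
    before the full password is hashed into the main field."""
    if len(password) < 8:
        raise ValueError("password too short for a two-character check")
    # Pick two distinct random positions (1-based, as an agent would read them out)
    pos = sorted(secrets.SystemRandom().sample(range(len(password)), 2))
    record["check_positions"] = [p + 1 for p in pos]
    # Only these two characters are kept in the separate "letter check" fields;
    # a breach of this table still leaks them, nothing more of the password
    record["check_chars"] = [password[p] for p in pos]
    # Main password field: random salt + slow salted hash, never the plaintext
    salt = os.urandom(16)
    record["salt"] = salt
    record["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return record

def verify_full(record: dict, password: str) -> bool:
    """Portal login: recompute the salted hash and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(cand, record["pw_hash"])

def agent_prompt(record: dict) -> tuple:
    """What the call-centre screen may show: the positions to ask for, nothing else."""
    return tuple(record["check_positions"])

def verify_partial(record: dict, answers: list) -> bool:
    """Phone check: compares the caller's answers with the two stored characters."""
    if len(answers) != len(record["check_chars"]):
        return False
    return all(hmac.compare_digest(a.encode(), c.encode())
               for a, c in zip(answers, record["check_chars"]))

def stores_plaintext(record: dict, password: str) -> bool:
    """Breach view: is the whole password recoverable from the stored record?"""
    return any(password in str(v) for v in record.values())
```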
Re: Secure Password Storage
28-12-2017 7:33 AM - edited 28-12-2017 7:34 AM
@FreneticMonk wrote:
Or they use the solution I linked to in my OP, but that seems likely not to be the case. I never suggested it was hashed, only that it is best practice.
So everyone is fine with this? Are levels of apathy regarding our personal information really this high?
I'm happy - so far as I'm aware, PN have only had their password storage hacked once - before I became a member - and at that time, I am given to understand, had some really bright people on board, so I'm guessing there was some effective action taken.
Just think yourself lucky you're not with TalkTalk, they leak like a colander.
Re: Secure Password Storage
28-12-2017 8:47 AM - edited 28-12-2017 8:53 AM
password storage wasn't hacked - it was webmail a long time ago https://community.plus.net/t5/Plusnet-Blogs/Webmail-Incident-Report/ba-p/1313738
this post answers the original question https://community.plus.net/t5/Plusnet-Feedback/Plusnet-password-visible-to-call-centre-staff/m-p/101...
Re: Secure Password Storage
28-12-2017 9:00 AM
Thanks for the correction, @Oldjim - as I said, it was before my time here, and I wasn't aware of the full details. So it wasn't anything really worrying.
Re: Secure Password Storage
28-12-2017 9:39 AM
jab1 wrote: Just think yourself lucky you're not with TalkTalk, they leak like a colander.
I know @jab1, it is always concerning (to PlusNet I mean) whether PlusNet will be subject to an attack, being quite a high profile place.
I've worked for companies who you wouldn't know of, who were worried about the same thing.
You still get high profile companies hacked. Happened before, and will happen again.
P.S. On a lighter note, this thread does remind me of the Harry Enfield sketch "You don't want to do it like that, you want to do it like this!".
Let's be honest, how many people on here have bumped into people like that. I mean staff and non-staff too.
Re: Secure Password Storage
30-12-2017 6:52 PM
MD5 is not an encryption algorithm, it's a hash function.
This issue has been raised a few times before.
The problem probably originates from using the same password to access your account on the Plusnet website and for the PPP connection the router makes. Both ends of the PPP connection need to know the plaintext of the password.
So before you start considering better ways to store the password, you need to have different passwords for the account and for the PPP connection.
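An added illustration of why both ends of the PPP link need the plaintext, assuming CHAP (RFC 1994) is the authentication method; this is example code, not Plusnet's, and the PPP secret is a constructed sample. The server recomputes the client's response from the stored secret, which it cannot do from a hash of that secret.

```python
import hashlib
import hmac
import os

def chap_challenge() -> bytes:
    """Server side: a fresh random challenge for each authentication attempt."""
    return os.urandom(16)

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    MD5 is used here as a hash function, not as encryption."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def server_verify(identifier: int, stored_secret: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from what it has stored."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> tuple:
    secret = b"ppp-secret-constructed"      # constructed sample PPP password
    ident = 1
    challenge = chap_challenge()
    # Client (router) side: needs the plaintext secret to answer the challenge
    response = chap_response(ident, secret, challenge)
    # A server holding the plaintext secret can verify the response...
    with_plaintext = server_verify(ident, secret, challenge, response)
    # ...but a server holding only a hash of the secret cannot recompute it
    hashed_only = hashlib.sha256(secret).digest()
    with_hash_only = server_verify(ident, hashed_only, challenge, response)
    # A captured response is useless against a new challenge (replay protection)
    replayed = server_verify(ident, secret, chap_challenge(), response)
    return with_plaintext, with_hash_only, replayed
```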
Re: Secure Password Storage
04-05-2018 10:53 AM - edited 04-05-2018 11:02 AM
I called plusnet on this issue back in mid March 2018 (not for the first time)
I did get an answer. The answer was IMHO the worst case namely the password in the DB is stored as cleartext.
If you google "GCHQ plusnet password" or simply read this register article you will see why I was not surprised
1- Of course I immediately changed my password.
2- I asked plusnet "When will you be encrypting the passwords ?"
answer : "April the 17th 2018"
3- On the 19th of April I called back and asked if the passwords were encrypted or not. After getting past the inevitable irrelevance of "we can only see 2 characters", the answer was "don't know", then on further investigation I was told that they had implemented the encryption of all account passwords on April the 17th 2018.
This does verify what I was told a month before. Therefore my guess is they have encrypted passwords, although clearly they can be reverse engineered, as they still ask for the 2 characters.
4- I changed my password once more.
If your password has not been changed since the 17th of April 2018 then in theory you are still vulnerable. Since no one of course knows if your password was read and captured before the 17th.
So if you are going to play it safe and change the plusnet password then be sure to also change on any email client that may be using the account password by default. And if you have a non-plusnet router you will need to change the plus net account password there also (not to be confused with the router password)
So on a day where twitter have done the right thing still there is no mention or even a hint of plus net customers being recommended to change their passwords. I have asked plus net this twice and they appear to have no plans to inform their customers. Looks like plus net are doing the "Hope Approach".
Re: Secure Password Storage
04-05-2018 11:04 AM - edited 04-05-2018 11:05 AM
The best course of action in my opinion is to use a separate password for each account you have. With so many on-line accounts requiring passwords it can be a nightmare I know.
You have no control (not just talking about PlusNet - any company) on how they store it and how secure their platform is.
So if your PlusNet password were to be hacked, that is it. Only any use there and not elsewhere.
I keep an Excel sheet of my passwords for each company I use.
Re: Secure Password Storage
04-05-2018 12:03 PM - edited 04-05-2018 12:05 PM
you'd be better using an encrypted password safe program
an Excel spreadsheet is hardly secure
plus a password safe/encryption program is very good indeed at generating strong passwords
in addition they are easier to use as such programs have functions that help with the process in ways that excel cannot
Re: Secure Password Storage
04-05-2018 12:25 PM - edited 04-05-2018 12:25 PM
@malky3200 wrote:
I called plusnet on this issue back in mid March 2018 (not for the first time)
I did get an answer. The answer was IMHO the worst case namely the password in the DB is stored as cleartext.
If you google "GCHQ plusnet password" or simply read this register article you will see why I was not surprised
I'm sorry that you were misinformed by one of our agents, whilst we generally for security purposes won't comment on our security methods I'm happy to debunk this myth. I'll be really clear but won't for reasons previously stated comment further.
We go to great lengths to ensure we protect and secure our customer data. Passwords are, and always have been, encrypted in our database.
We take the protection of our customers’ data extremely seriously and have a number of robust and resilient measures in place, which we constantly test and review.