cancel
Showing results for 
Search instead for 
Did you mean: 

Unencrypted passwords!

benoh
Grafter
Posts: 272
Thanks: 1
Registered: ‎24-08-2007

Unencrypted passwords!

So, why I was on the forum I thought I'd see if was still getting any referals, but had forgotten my password.
Click the link, and it shows you your password! WTF!
Why are you storing customer passwords in plaintext!
Ben
4 REPLIES 4
Chris
Legend
Posts: 17,724
Thanks: 597
Fixes: 169
Registered: ‎05-04-2007

Re: Unencrypted passwords!

As far as I'm aware the passwords are *not* stored in plain text, they are encrypted and the link you are sent via email will show you the unencrypted password when clicked.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
benoh
Grafter
Posts: 272
Thanks: 1
Registered: ‎24-08-2007

Re: Unencrypted passwords!

Quote from: Chris
As far as I'm aware the passwords are *not* stored in plain text, they are encrypted and the link you are sent via email will show you the unencrypted password when clicked.

Which would mean the encryption key is available to the webapp, so may aswell not be encrypted.  Anyone who gets access to the web servers can decrypt all the passwords anyways.
Certainly not best practice, it should be one way encrypted and a forgotten password link should allow a new password to be set.
Ben
Chris
Legend
Posts: 17,724
Thanks: 597
Fixes: 169
Registered: ‎05-04-2007

Re: Unencrypted passwords!

Hi Ben,
The one way encryption is something we have thought about and looked into, but due to the way that passwords sync across mail, webspace, adsl etc it's a very very very large piece of work as every password reset would then have the likelihood of a call into the support centre.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 965
Fixes: 10
Registered: ‎10-04-2007

Re: Unencrypted passwords!

A significant problem is that the same password is used for the portal and for the login in your router. Reset the portal password with a forgotten password link and if they try a reconnect without resetting the password in the router and they will not be able to connect.
However there is an even worse problem than that. Resetting the portal password will also reset the password on their default mailbox. This means they won't be able to collect the email to find out what the new password is!
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)