cancel
Showing results for 
Search instead for 
Did you mean: 

Unintended consequences

plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Unintended consequences

About a week ago I had to perform a password reset while away from my usual desk and computer (for reasons that are irrelevant here). All went OK and life went on. The following morning, back home, I duly amended my note of the Plusnet web site password accordingly and checked my access to the site and this forum.

This morning, no Internet access. Fifteen minutes later, Plusnet support advised me that my PPP access password was incorrect. After a moment or two, the penny dropped but I was hugely surprised that what I (erroneously) thought was a password change that only applied to Plus's web/mail logins etc. also applied to my PPP login -- something so deeply buried (and rarely touched) within my router/modem system that I had completely forgotten about it.

I now see that the e-mail generated to enable the password reset did contain the words

...Resetting your password will also change the password for your other Plusnet services such as

  • Your broadband connection password...

but that advice too, was rather deeply buried within what appeared, prima facie, to be a routine password reset e-mail message.

So, given that nearly a week separated the password reset and consequent failure of Internet access, I suggest that this consequence of a password reset be given more prominence in the note sent to subscribers following a password reset.

Perhaps a first sentence along the lines of

The change you have just made will affect your Internet connection

would be useful and appropriate to prevent what might be construed as unnecessary telephone support time.

And, if possible, a warning when logging on to the website, that the related PPP password is out of sync and should be urgently changed, would be very handy.

Plaudits, telephone support, for a quick and easy diagnosis.

14 REPLIES 14
HarryB
Plusnet Help Team
Plusnet Help Team
Posts: 5,199
Thanks: 1,454
Fixes: 256
Registered: ‎25-03-2015

Re: Unintended consequences

@plutox wrote:

The change you have just made will affect your Internet connection

If customers are using automatic hardware setup and our router, it shouldn't have any effect on the broadband connection as it will be updated through the auto hardware setup.

 

However I'm happy to pass your feedback on.

If this post resolved your issue please click the 'This fixed my problem' button
 Harry Beesley
 Plusnet
ScottStorey
Pro
Posts: 410
Thanks: 130
Fixes: 1
Registered: ‎21-02-2013

Re: Unintended consequences

When you are changing your password it already tells you on a separate page, so it isn't hidden amongst anything else, that doing so will alter your router password.
plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Re: Unintended consequences

The above is all true when one is using a Plusnet-supplied router, which I am not. Likewise, I had to perform a password reset (i.e. the procedure for a forgotten password) as opposed to a more-organized routine password change.

It is obviously a compromise whether one accepts the convenience and loss of security of allowing an ISP remote control of its client's modems. Perhaps I am paranoid, but, for me, this is a security lapse too far.

But perhaps it's a good time to ask: why, when providing a service to a fixed line at a known location, is it necessary to add the complication of any kind of authentication at all? The telephone system has worked for 100+ years without any real need for authentication - why does the addition of DSL change this?

chenks76
All Star
Posts: 3,274
Thanks: 336
Fixes: 12
Registered: ‎24-10-2013

Re: Unintended consequences

are you seriously asking why user authentication is required?
plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Re: Unintended consequences

On a fixed, hard-wired telephone line, yes. I have had ADSL services that did not require any kind of authentication.

As I said, the telephone service has never required authentication in over a hundred years and spread over five continents. While, in some circumstances, it is possible to bridge-tap another's line and make use of such for voice services, the legitimate user would quickly be reporting faults if a felon attempted such tactics on a DSL line.

chenks76
All Star
Posts: 3,274
Thanks: 336
Fixes: 12
Registered: ‎24-10-2013

Re: Unintended consequences

the ADSL service would have required authentication. it may just have been hard coded into the modem or router (similar to how sky routers are configured).
Browni
Aspiring Hero
Posts: 2,673
Thanks: 1,036
Fixes: 60
Registered: ‎02-03-2016

Re: Unintended consequences

I used to be a Sky broadband user when they bought O2 and the username/password was the same for everybody that came from O2 LLU, it's hardly authentication!

There was no authentication with O2 LLU, I think IPOE was the connection method IIRC

plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Re: Unintended consequences


@chenks76 wrote:
the ADSL service would have required authentication. it may just have been hard coded into the modem or router (similar to how sky routers are configured).

I was with BEthere before they went south and used a generic Netgear modem - no authentication required. In fact, BEthere were quite progressive insofar as they were truly happy for punters to use their own modems. Quite unlike Sky which did implement a truly awkward and deliberately tricky authentication scheme.

chenks76
All Star
Posts: 3,274
Thanks: 336
Fixes: 12
Registered: ‎24-10-2013

Re: Unintended consequences

sky let you use any router for the ADSL connections.
it's only FTTC were they say you need to use their router, however there is no system in place that physically stops you from using your own router (and the required user/pass is reasonably easy to acquire from their supplied router).

plusnet, of course, let you use whatever you want.
plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Re: Unintended consequences

So let's get back to my question. Precisely what purpose is served by requiring authentication on a xDSL system that is hard-wired to a permanent address i.e. using much the same wiring method that has been used for phones, without authentication, for a hundred years?

chenks76
All Star
Posts: 3,274
Thanks: 336
Fixes: 12
Registered: ‎24-10-2013

Re: Unintended consequences

don't recall ADSL being used for a hundred years.
unless the telephone number of the line is transmitted at the time of connection then how else would the ISP know it's you that is connected, and thus bill you accordingly for useage etc.

can you offer a reason why user authentication shouldn't be there other than it has apparently caused you to get your knickers in a twist due to you not understanding the consequences of your actions?
plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Re: Unintended consequences

@chenks76 wrote:
don't recall ADSL being used for a hundred years.

You do yourself no credit with sarcasm.

 


@chenks76 wrote:
unless the telephone number of the line is transmitted at the time of connection then how else would the ISP know it's you that is connected, and thus bill you accordingly for useage etc.

For a fixed-line installation, the mechanics of authenticating an xDSL line are little different from authenticating for the purpose of billing telephone calls. Because a given line is hard-wired to a particular subscriber at a known address, what purpose is served by further authentication? Even if data consumption is sold per megabyte, the ISP knows, at any one time, the amount of data served to a given subscriber at the end of a particular phone line. Throughout the history of telecomms, one thing that suppliers traditionally developed exceedingly well is the billing system Wink

In many respects, the need for authentication on a fixed-line phone/DSL installation is not far removed from the idea of ‘authenticating’ your gas or electricity supply.

OK, it is possible to bridge-tap a telephone line somewhat more easily than it is to ‘bridge-tap’ your neighbours' gas supply, but whereas doing so on a voice only line could be quite an effective way of nicking someone else's phone service, such a technique is unlikely to work well enough to be worthwhile when xDSL is involved – creating a bridge-tap will almost certainly play such havoc with the legitimate user's service that the engineers would be out like a shot and discover the felony.

Despite the relative ease of stealing usage from a neighbour's voice line it is interesting to note that, for the most part, Telecom suppliers worldwide have hardly felt the need to authenticate the users of fixed-line installations for the past hundred years.

While my parallel between fixed-line phone supply and electricity supply is not supposed to be taken too literally, the only functional difference from the billing perspective is that the latter places the metering in or near the subscribers' premises while the former meters within the Telcom's private property and is, in that respect, rather more secure. So why bother with authentication?

Lurch
Rising Star
Posts: 81
Thanks: 19
Registered: ‎24-06-2016

Re: Unintended consequences

Regardless of the mechanics of the line and the authentication requirements in general I find it rather strange having the PPP password the same as the control panel password. I spent a morning trying to find the PPP password on a new connection only to find that it was the account password.

Probably not a problem for most connections with a Plusnet supplied pre-configured router but I was at a clients premises waiting for them to give me their PPP details. In the end they had to reveal to me their Plusnet account password, which they should never reveal to anyone, and this password is now viewable from the control panel of the router used.

So from a security practice PoV this is terrible, if a customer complained about having details compromised and told this story I would say it all sounds like a scam and I am not surprised you have been compromised. I would also say that if it was one of my own customers I would say if you have given your password to some random person (OK, they are in the customers employ I suppose but still) then they are at fault for whatever happens from that point forwards.

So in short, I don't see why the PPP password needs to match the account. I have never ever seen this with any provider (after setting up hundreds of connections with many tens of ISPs).

plutox
Grafter
Posts: 29
Thanks: 1
Registered: ‎13-10-2014

Re: Unintended consequences


Lurch wrote:...from a security practice PoV this is terrible,

Indeed. I'm also concerned about the possibility of this password being hacked directly out of the router/modem; recent history supports the argument that the security of such devices is, typically, not what it ought to be.