If you’re a customer of British broadband provider Plusnet, I would recommend you read today’s story in The Register.
In a nutshell, we all hope that the companies we deal with online are handling our passwords in a safe, secure way.
Best practice – as defined by no less an authority than the UK government – stipulates that passwords should never be stored as plain text, and a one-way cryptographic hash should be created (after a salt is added) to ensure that a hacker who manages to gain access to a password database can’t uncover passwords.
(If you don’t understand what salting and hashing is all about when it comes to passwords, watch this video.)
Simply encrypting a password before storing it in a database isn’t enough, because anyone who holds the decryption key (a rogue employee, or an attacker who has taken the key along with the database) can turn it back into plain text.
However, Plusnet doesn’t appear to be following best practice when it comes to passwords. Put simply, any website which can tell you what your password is isn’t acting responsibly.
What’s more, Plusnet has been warned about the problem before:
Oh my lord @plusnet, WTF ARE YOU DOING?!?! (cc @troyhunt) #infosec pic.twitter.com/ebGpLGf5iz
— Mark Hemmings (@mhemmings) June 17, 2014
And some Plusnet users have reported that the company’s support staff have confirmed that they can read customers’ passwords:
That sounds pretty disastrous to me. Just imagine, for instance, how many people use the same password for multiple online accounts – if one rogue employee from Plusnet can see your Plusnet password, they might be tempted to see if it would work against your other online accounts too…
I found it hard to believe that in the wake of recent data breaches, Plusnet would be so sloppy with its security. So I dropped their PR team a note asking for confirmation about whether their staff could read customers’ passwords, and whether passwords were being properly salted and hashed.
Here is what they told me (or rather cut-and-pasted for me):
“Plusnet goes to great lengths to ensure we protect and secure our customer data. Passwords are encrypted in our database. We do not show customers their passwords in an email in plain text and anyone who has forgotten their password must go through a combination of security mechanisms to regain access.”
When I pointed out to them that they hadn’t actually answered my questions (“Can Plusnet staff see my password?” and “Is Plusnet employing salted password hashing?”) their reply was curt:
“We’ve issued the statement and will not be answering any additional queries.”
Which I think tells you everything you need to know…
It would be great to think that the recent hack of rival broadband provider TalkTalk, which saw its CEO making uncomfortable apologies on national TV broadcasts, would make Plusnet do some serious self-examination and ask itself what it might be doing wrong, and how it might make itself more secure.
If there is a potential issue, own up to it and fix it. You’re not doing your customers any favours by hiding it under the carpet.
7 comments on “Plusnet isn’t acting safely with your password”
They almost certainly can!
I've recently signed up for service online and needed to create an account+password as part of service registration, in the next few days they sent me my PPPoE authentication details (on paper by post) which uses their own username but MY password which was used in the online account creation.
I was curious as to how on earth they'd sent me my password in clear-text by post but I didn't cotton on at the time, you've just confirmed my suspicions though…
Another TalkTalk fiasco waiting to happen.
The sheer stupidity of the company is infuriating. One wonders what their security guys are doing, whether they just get shouted down whenever they raise this issue to an arrogant board which ought to start practicing their Dido Harding style contrition for the inevitable post-breach interviews.
I have been a satisfied Plusnet customer for years, but this leaves a really bad taste in the mouth. I just logged on and changed my password and the system claimed that my router would get updated automatically. Well, it didn't – presumably because I'm not using Plusnet hardware – but it raises the further question of what mechanism they are using to fire my (presumably plaintext) new password at my router.
Plusnet also don't support any kind of secure access to their email systems: no SSL/TLS, no secure login – plain text passwords only. Every few years I bug them about it and they say they have no plans to change it. This password, accessible to anyone at a wifi hotspot used by a Plusnet customer, is your Plusnet login from which every feature of your service is controlled (including DNS if you're crazy enough to let Plusnet host it for you). Their service works well for me but I don't use their email or hosting.
Oldtimers will remember that their email system was hacked a few years back; the resulting tide of spam was the original reason I stopped using their email service, but I wouldn't touch it with a bargepole now.
Bear in mind that CHAP authentication (which is REQUIRED by BT who provide their ADSL infrastructure) means they MUST have a password which can be converted into plain text.
Why they don't have this password separate to their website logins is a different question though…
I also wonder about these banks and credit card companies that ask you to pick three characters from the nth position of your password. I can't see how they are using a non-reversible hash if they can check this… I'm looking at you One Account, First Direct and Barclaycard… I have personally had them do this check over the phone too.
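The CHAP point made in the comment above, as an added example (not code from the article or from any commenter or provider): in CHAP (RFC 1994) the peer answers a random challenge with MD5 over the identifier, the shared secret and the challenge, and the authenticator can only check that answer by recomputing the same MD5 from the secret itself. So the authenticator side must be able to produce the secret in plain text, which is why it should be a separate credential from the website login rather than the same password. The secrets, identifiers and challenge size below are constructed values; the stored-record shape in the last function is an assumption used only to show that a one-way hash cannot serve this protocol.

```python
import hashlib
import hmac
import os
from typing import Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side. RFC 1994, section 4.1: MD5(Identifier || secret || Challenge).

    MD5 is mandated by the CHAP specification; it is used here only to
    model the protocol, not recommended for anything else.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the secret it holds and compare.

    Note what this requires: the authenticator needs the secret bytes
    themselves. A salted one-way hash of the secret would be useless here.
    """
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(peer_secret: bytes, authenticator_secret: bytes,
                 challenge: Optional[bytes] = None, identifier: int = 1) -> bool:
    """Model one Challenge / Response / Success-or-Failure round trip."""
    if challenge is None:
        challenge = os.urandom(16)          # authenticator picks a fresh challenge
    response = chap_response(identifier, peer_secret, challenge)   # peer answers
    return chap_verify(identifier, authenticator_secret, challenge, response)


def verify_against_hashed_secret(identifier: int, secret_hash_record: str,
                                 challenge: bytes, response: bytes) -> Optional[bool]:
    """What happens if the provider stored only a one-way hash of the secret.

    Returns None: from a digest alone there is no way to recompute the CHAP
    response, so the protocol cannot be completed. This is the reason the
    comment gives for the provider holding a plaintext-recoverable secret.
    (The record format is an assumption for this example.)
    """
    if "$" in secret_hash_record:   # looks like a salt$digest record, not a secret
        return None
    return chap_verify(identifier, secret_hash_record.encode(), challenge, response)


if __name__ == "__main__":
    # Constructed credentials for demonstration only.
    print("matching secrets  :", run_exchange(b"ppp-secret-123", b"ppp-secret-123"))
    print("mismatched secrets:", run_exchange(b"ppp-secret-123", b"ppp-secret-124"))
    print("hash-only store   :", verify_against_hashed_secret(1, "salt$digest", b"c" * 16, b"r" * 16))
```

The practical takeaway matches the commenter's question: the PPPoE/CHAP secret has to be recoverable by the provider, so it should be generated separately and never reused as (or derived from) the customer's website password, which can and should be stored as a salted one-way hash.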
I was just thinking of moving to Plusnet. A bit of a rethink on that one I think!
I have however just joined Three. They don't display your password anywhere but the login name is just your mobile phone number. This is obviously very easy for anyone to acquire especially if it is a business number so the only thing keeping a hacker out of your account is your password. This being the case, it needs to be a strong one and definitely not one you have used elsewhere.
Unless I missed it (I don't think so), surely there should be an option to change this to a unique personal login name or to add two factor authentication? Not as numbingly stupid as the PlusNet issues described here but seems less than ideal.
I am also staggered by the number of companies who still think it is OK to send new account login details, both username and password and sometimes full account numbers in the same plain text email. Also some who should know better (including at least one major UK high street bank and one major pension provider) think it is OK to send private financial documents in plain text emails. My attempts to tell them that this was not a good idea were met with complete indifference and assurances along the lines of "I am sure it must be secure because we are a really big company and know what we are doing". It is strange therefore that one of these companies has been the subject of several very costly and embarrassing IT outages over the last few years.
I will always say that you can throw all the money and technology in the world at information security but it only takes one idiot in an organisation for it to all come tumbling down. To me the lack of basic information security skills and awareness in so many companies large and small, is one of the biggest risks of all that we face in keeping our information safe. I think sometimes we just hand it to the crooks on a silver service plate!