Geekzone: technology news, blogs, forums
98 posts

Master Geek
+1 received by user: 9


Topic # 144208 11-May-2014 14:39

Had a query with Vodafone over my on-account discount for my broadband, so I sent them a screenshot from the My Vodafone page showing my account.

They sent back an email with steps on how to log in to the My Vodafone portal (!!) and my username and PASSWORD IN CLEAR TEXT!!

Do you want to be like Yahoo/Xtra and compromise people's accounts?? Because this is a good way to do it...

5444 posts

Uber Geek
+1 received by user: 1545

Trusted

  Reply # 1041723 11-May-2014 14:51

Was this a CSR personally sending you details or the system?

2390 posts

Uber Geek
+1 received by user: 107


  Reply # 1041724 11-May-2014 14:53

Yep, Vodafone store all that in plaintext :|


 
 
 
 




98 posts

Master Geek
+1 received by user: 9


  Reply # 1041726 11-May-2014 14:56

Yep, from a specific CSR. I have emailed them back and made it clear that I don't want them to ever send me my username and password...

4354 posts

Uber Geek
+1 received by user: 813

Trusted
Lifetime subscriber

  Reply # 1041727 11-May-2014 14:59

kyhwana2: Yep, Vodafone store all that in plaintext :|



WOW! This is unacceptable to me.





13445 posts

Uber Geek
+1 received by user: 1616


  Reply # 1041728 11-May-2014 14:59
2 people support this post

How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

5444 posts

Uber Geek
+1 received by user: 1545

Trusted

  Reply # 1041729 11-May-2014 15:00

nakedmolerat:
kyhwana2: Yep, Vodafone store all that in plaintext :|

WOW! This is unacceptable to me.


I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...

5444 posts

Uber Geek
+1 received by user: 1545

Trusted

  Reply # 1041734 11-May-2014 15:05

mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Given PPP, email and My Account passwords are the same for the one username, there isn't really any practical way to do anything different. It would be good if it was revised. I think you should be more worried about your POP email client: it's 99% more likely for that password to be stolen than one in an email.

824 posts

Ultimate Geek
+1 received by user: 543

Trusted

  Reply # 1041738 11-May-2014 15:22

I have had my password texted to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest is changing your password, when you receive it in an email/txt, to something that is unique, so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right? ;)

BDFL - Memuneh
59392 posts

Uber Geek
+1 received by user: 10605

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1041748 11-May-2014 16:01
12 people support this post

mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 





2390 posts

Uber Geek
+1 received by user: 107


  Reply # 1041750 11-May-2014 16:02

Andib: I have had my password texted to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest is changing your password, when you receive it in an email/txt, to something that is unique, so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right? ;)


Standard password security should be that passwords are stored hashed (with a strong password hash algorithm like scrypt/bcrypt) and that you get emailed a one-time token to reset your password.
Of course, in the ISP world of RADIUS/PPPoE/PPPoA, that's not really applicable... but DSL/PPPo* auth should be handled differently from web-based ones.


5444 posts

Uber Geek
+1 received by user: 1545

Trusted

  Reply # 1041756 11-May-2014 16:13

freitasm:
mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 



This would be the most ideal process. As mentioned before, the PPP username shares the same password with email and My Account due to them not being separated. The easiest approach, without expecting every customer to update their email and PPP, would be to provide it in plain text. I think a process improvement is needed as we are in 2014, not 2003.

*Furthermore:
We are moving away from PPPoA. VDSL and UFB are port based. Hopefully we might get a new system in place for ADSL to use the same port-based auth. It would save a lot of time for CSRs that have customers with incorrect passwords and will make pathways for security updates.

372 posts

Ultimate Geek
+1 received by user: 124


  Reply # 1042762 13-May-2014 08:40

freitasm:
mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 



Any tech-savvy person would agree with this. From my experience, I believe the customer complaints however would be significant. I have a hard time imagining any ISP wanting to lead this charge until general public opinion and education sees this type of security as a benefit to them instead of an inconvenience imposed on them.




Please note: I have a professional bias towards Vodafone.

4354 posts

Uber Geek
+1 received by user: 813

Trusted
Lifetime subscriber

  Reply # 1042790 13-May-2014 09:17
2 people support this post

TimA:
nakedmolerat:
kyhwana2: Yep, Vodafone store all that in plaintext :|



WOW! This is unacceptable to me.


I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...


I have no interest in stabbing vodafone. Zilch. None.

No one should know my password except me.





183 posts

Master Geek
+1 received by user: 18


  Reply # 1045163 14-May-2014 22:17

But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail in plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password through to my mobile then my friend, or my girlfriend, can obviously read my text messages.

So... there's no safer way at all...?

2882 posts

Uber Geek
+1 received by user: 1503

Subscriber

  Reply # 1045300 15-May-2014 08:33

Salami: But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail in plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password through to my mobile then my friend, or my girlfriend, can obviously read my text messages.

So... there's no safer way at all...?


If someone compromises your email or mobile (or both) then you're screwed either way.

However for them to be able to send you a plaintext password means they are storing it in plaintext, or an easily reversible format at their end. As kyhwana2 noted above, ideally it should be stored as a well salted hash using a decent algorithm.

If/when a hacker compromises an organisation, would you like them to have your password stored in plaintext, or in a format that will take them years to crack? We're saying it should be the latter.




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.
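The two practices recommended in this thread (kyhwana2: store passwords as a salted scrypt/bcrypt hash and email a one-time reset token; freitasm: send a RESET link so the company never needs to know the password) in working form, as an added example that is not code from the thread or from any ISP. It assumes Python 3's standard-library `hashlib.scrypt`, scrypt work factors and a 15-minute token lifetime chosen for illustration, an in-memory `AccountStore` standing in for the account database, and leaves out the actual emailing of the link; the stored record contains only a salt and a digest, and the reset token is kept only as a SHA-256 hash so a copy of the database cannot be turned into usable reset links.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters: scrypt work factors and a 15-minute token lifetime.
# Tune the work factors for the hardware the service actually runs on.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str) -> dict:
    """Derive a salted scrypt hash; only salt and digest are kept, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, record["digest"])


class AccountStore:
    """In-memory stand-in for the account database (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.users = {}           # username -> {"salt": bytes, "digest": bytes}
        self.reset_tokens = {}    # sha256(token) -> (username, expires_at)

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def issue_reset_token(self, username: str) -> str:
        """Return the secret that goes into the emailed reset link.

        Only its hash is stored. Unknown accounts still get a (never stored)
        token so the response does not reveal whether the account exists.
        """
        token = secrets.token_urlsafe(32)
        if username in self.users:
            key = hashlib.sha256(token.encode("utf-8")).digest()
            self.reset_tokens[key] = (username, self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        """Consume the token (single use), reject it if expired, store the new hash."""
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self.reset_tokens.pop(key, None)   # pop: a token can only be used once
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        return True


def demo() -> dict:
    """Walk through the flow with a fake clock and report what each step produced."""
    clock = [1_000_000.0]
    store = AccountStore(now=lambda: clock[0])
    store.create_user("alice", "correct horse battery staple")   # constructed sample user
    token = store.issue_reset_token("alice")                      # would be emailed as a link
    results = {
        "stored_plaintext": b"correct horse battery staple" in store.users["alice"].values(),
        "wrong_token_accepted": store.redeem_reset_token("not-the-token", "x"),
        "reset_ok": store.redeem_reset_token(token, "new password"),
        "old_password_works": store.login("alice", "correct horse battery staple"),
        "new_password_works": store.login("alice", "new password"),
        "token_reusable": store.redeem_reset_token(token, "again"),
    }
    late = store.issue_reset_token("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1                             # let the token expire
    results["expired_token_accepted"] = store.redeem_reset_token(late, "too late")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints one line per check; every "accepted"/"reusable"/"plaintext" entry comes out False and only `reset_ok` and `new_password_works` come out True. The point Salami raised still holds: whoever controls the mailbox can complete a reset, but the difference from emailing the password is that nothing recoverable sits in the company's database, and a reset link stops working after one use or fifteen minutes, whereas a mailed password stays valid in the inbox until someone changes it.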

