Geekzone: technology news, blogs, forums


99 posts

Master Geek
+1 received by user: 9


Topic # 144208 11-May-2014 14:39

Had a query with Vodafone over my on-account discount for my broadband, and sent them a screenshot from the My Vodafone page showing my account.

They sent back an email with steps on how to log in to the My Vodafone portal (!!) and my username and PASSWORD IN CLEAR TEXT!!

Do you want to be like Yahoo/Xtra and compromise people's accounts?? Because this is a good way to do it...

5791 posts

Uber Geek
+1 received by user: 1727

Trusted

  Reply # 1041723 11-May-2014 14:51

Was this a CSR personally sending you details or the system?




Steam: Coil (Same photos as profile here)
Origin: Scranax
Currently playing on PC: Rust, Subnautica, CS:GO, AOE2 HD, BeamNG Drive, BF1.


2435 posts

Uber Geek
+1 received by user: 144


  Reply # 1041724 11-May-2014 14:53

Yep, Vodafone store all that in plaintext :|




99 posts

Master Geek
+1 received by user: 9


  Reply # 1041726 11-May-2014 14:56

Yep, from a specific CSR. I have emailed them back and made it clear that I don't want them to ever send me my username and password...

4407 posts

Uber Geek
+1 received by user: 826

Trusted
Lifetime subscriber

  Reply # 1041727 11-May-2014 14:59

kyhwana2: Yep, Vodafone store all that in plaintext :|



WOW! This is unacceptable to me.





14097 posts

Uber Geek
+1 received by user: 1788


  Reply # 1041728 11-May-2014 14:59
2 people support this post

How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

5791 posts

Uber Geek
+1 received by user: 1727

Trusted

  Reply # 1041729 11-May-2014 15:00

nakedmolerat:
kyhwana2: Yep, Vodafone store all that in plaintext :|



WOW! This is unacceptable to me.


I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...




Steam: Coil (Same photos as profile here)
Origin: Scranax
Currently playing on PC: Rust, Subnautica, CS:GO, AOE2 HD, BeamNG Drive, BF1.


5791 posts

Uber Geek
+1 received by user: 1727

Trusted

  Reply # 1041734 11-May-2014 15:05

mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Given PPP, email and My Account passwords are the same for the one username, there isn't really any practical way to do anything different. Would be good if it was revised. I think you should be more worried about your POP email client. 99% more likely for that password to be stolen than one in an email.




Steam: Coil (Same photos as profile here)
Origin: Scranax
Currently playing on PC: Rust, Subnautica, CS:GO, AOE2 HD, BeamNG Drive, BF1.


884 posts

Ultimate Geek
+1 received by user: 575

Trusted

  Reply # 1041738 11-May-2014 15:22

I have had my password txt'd to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest doing is changing your password, when you receive it in an email / txt, to something that is unique so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right ;)

BDFL - Memuneh
60788 posts

Uber Geek
+1 received by user: 11667

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1041748 11-May-2014 16:01
12 people support this post

mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text, transmitting passwords over email are asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 





2435 posts

Uber Geek
+1 received by user: 144


  Reply # 1041750 11-May-2014 16:02

Andib: I have had my password txt'd to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest doing is changing your password, when you receive it in an email / txt, to something that is unique so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right ;)


Standard password security should be that passwords are stored hashed (with a strong password hash algorithm like scrypt/bcrypt) and that you get emailed a one-time token to reset your password.
Of course, in the ISP world of RADIUS/PPPoE/A, that's not really applicable... but DSL/PPPo* auth should be handled differently from web-based ones.


5791 posts

Uber Geek
+1 received by user: 1727

Trusted

  Reply # 1041756 11-May-2014 16:13

freitasm:
mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text, transmitting passwords over email are asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 



This would be the most ideal process. As mentioned before, the PPP username shares the same password with email and My Account due to them not being separated. The easiest approach, without expecting every customer to update their email and PPP, would be to provide it in plain text. I think a process improvement is needed as we are in 2014, not 2003.

Furthermore:
We are moving away from PPPoA. VDSL and UFB are port based. Hopefully we might get a new system in place for ADSL to use the same port-based auth. It would save a lot of time for CSRs that have customers with incorrect passwords and will make pathways for security updates.




Steam: Coil (Same photos as profile here)
Origin: Scranax
Currently playing on PC: Rust, Subnautica, CS:GO, AOE2 HD, BeamNG Drive, BF1.


379 posts

Ultimate Geek
+1 received by user: 129


  Reply # 1042762 13-May-2014 08:40

freitasm:
mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text, transmitting passwords over email are asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 



Any tech-savvy person would agree with this. From my experience, I believe the customer complaints however would be significant. I have a hard time imagining any ISP wanting to lead this charge until general public opinion and education sees this type of security as a benefit to them instead of an inconvenience imposed on them.




Please note: I have a professional bias towards Vodafone.

4407 posts

Uber Geek
+1 received by user: 826

Trusted
Lifetime subscriber

  Reply # 1042790 13-May-2014 09:17
2 people support this post

TimA:
nakedmolerat:
kyhwana2: Yep, Vodafone store all that in plaintext :|



WOW! This is unacceptable to me.


I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...


I have no interest in stabbing Vodafone. Zilch. None.

No one should know my password except me.





189 posts

Master Geek
+1 received by user: 19


  Reply # 1045163 14-May-2014 22:17

But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail thru plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password thru to my mobile then my friend can obviously read my text messages, or my girlfriend.

So... there's no safer way at all...?

3199 posts

Uber Geek
+1 received by user: 1727

Lifetime subscriber

  Reply # 1045300 15-May-2014 08:33

Salami: But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail thru plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password thru to my mobile then my friend can obviously read my text messages, or my girlfriend.

So... there's no safer way at all...?


If someone compromises your email or mobile (or both) then you're screwed either way.

However for them to be able to send you a plaintext password means they are storing it in plaintext, or an easily reversible format at their end. As kyhwana2 noted above, ideally it should be stored as a well salted hash using a decent algorithm.

If/when a hacker compromises an organisation, would you like them to have your password stored in plaintext, or in a format that will take them years to crack? We're saying it should be the latter.




Information wants to be free. The Net interprets censorship as damage and routes around it.


Thinking about signing up to BigPipe? Get $20 credit with my referral link.

