Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




102 posts

Master Geek


# 144208 11-May-2014 14:39
Send private message

Had a query with Vodafone over my on account discount for my broadband, sent them a screenshot from the My Vodafone page showing my account.

They send back an email with Steps on how to login to the My Vodafone Portal(!!) and my username and PASSWORD IN CLEAR TEXT!!

Do you want to be like Yahoo/Xtra and compromise peoples accounts?? Because this is a good way to do it... 

Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
6615 posts

Uber Geek
Inactive user


  # 1041723 11-May-2014 14:51
Send private message

Was this a CSR personally sending you details or the system?

2460 posts

Uber Geek


  # 1041724 11-May-2014 14:53
Send private message

Yep, vodafone store all that in plaintext :|


 
 
 
 




102 posts

Master Geek


  # 1041726 11-May-2014 14:56
Send private message

Yep from a specific CSR, I have emailed them back and made it clear that I don't want them to ever send me my user name and password  . . .

4552 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1041727 11-May-2014 14:59
Send private message

kyhwana2: Yep, vodafone store all that in plaintext :|



WOW! This is unacceptable to me.





15350 posts

Uber Geek


  # 1041728 11-May-2014 14:59
2 people support this post
Send private message

How do you want them to send you your password though?. Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening i on your call, or someone could be overhearing it.

6615 posts

Uber Geek
Inactive user


  # 1041729 11-May-2014 15:00
Send private message

nakedmolerat:
kyhwana2: Yep, vodafone store all that in plaintext :|



WOW! This is unacceptable to me.


I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another lets stab Vodafone thread...

6615 posts

Uber Geek
Inactive user


  # 1041734 11-May-2014 15:05
Send private message

mattwnz: How do you want them to send you your password though?. Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening i on your call, or someone could be overhearing it.


Given PPP, Email and my account passwords are the same for the 1 username there isnt really any practical way to do anything different. Would be good if it was revised. I think you should be more worried about your POP email client. 99% more likely for that password to be stolen than one in an email.

 
 
 
 


1028 posts

Uber Geek

Trusted

  # 1041738 11-May-2014 15:22
Send private message

I have had my password txt to me automatically from another major ISP in the past, emailing it is no difference.   The best thing I can suggest doing is changing your password to when you receive it in an email / txt to something that is unique so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing right wink

BDFL - Memuneh
65362 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1041748 11-May-2014 16:01
12 people support this post
Send private message

mattwnz: How do you want them to send you your password though?. Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening i on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text, transmitting passwords over email are asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 





2460 posts

Uber Geek


  # 1041750 11-May-2014 16:02
Send private message

Andib: I have had my password txt to me automatically from another major ISP in the past, emailing it is no difference.   The best thing I can suggest doing is changing your password to when you receive it in an email / txt to something that is unique so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing right wink


Standard password security should be that passwords are stored hashed (with a strong password hash algorithm like s/bcrypt) and that you get emailed a one time token to reset your password.
Of course, in the ISP world of radius/ppoe/a, that's not really applicable.. but DSL/ppo* auth should be handled differently from web based ones.


6615 posts

Uber Geek
Inactive user


  # 1041756 11-May-2014 16:13
Send private message

freitasm:
mattwnz: How do you want them to send you your password though?. Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening i on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text, transmitting passwords over email are asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 



This would be the most ideal process. As mentioned before with the PPP username share the same password with email and my account due to them not being seporated. The easiest approach without expecting every customer to update their email and PPP would be to provide it in plain text. I think a process improvement is needed as we are in 2014 not 2003.

*Further more.
We are moving away from PPPOA. VDSL, UFB are port based. Hopefully we might get a new system in place for ADSL to use the same port based auth. Save a lot of time for CSR's that have customers with incorrect passwords and will make pathways for security updates.

383 posts

Ultimate Geek


  # 1042762 13-May-2014 08:40
Send private message

freitasm:
mattwnz: How do you want them to send you your password though?. Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening i on your call, or someone could be overhearing it.


Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text, transmitting passwords over email are asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this. 



Any tech savvy person would agree with this. From my experience I believe the customer complaints however would be significant. I have a hard time imagining any ISP wanting to lead this charge until general public opinion and education says this type of security as a benefit to them instead of an inconvenience imposed on them.




Please note: I have a professional bias towards Vodafone.

4552 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1042790 13-May-2014 09:17
2 people support this post
Send private message

TimA:
nakedmolerat:
kyhwana2: Yep, vodafone store all that in plaintext :|



WOW! This is unacceptable to me.


I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another lets stab Vodafone thread...


I have no interest in stabbing vodafone. Zilch. None.

No one should know my password except me.





225 posts

Master Geek


  # 1045163 14-May-2014 22:17
Send private message

But then if an ISP e-mails you a link to reset the password that person can create any password behind your back so I don't think it matters whether they send you an e-mail thru plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP send me a password thru to my mobile then my friend can obviously read my text messages or my girlfriend.

 So... there's no safer way either all...?

3947 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1045300 15-May-2014 08:33
Send private message

Salami: But then if an ISP e-mails you a link to reset the password that person can create any password behind your back so I don't think it matters whether they send you an e-mail thru plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP send me a password thru to my mobile then my friend can obviously read my text messages or my girlfriend.

 So... there's no safer way either all...?


If someone compromises your email or mobile (or both) then your screwed either way.

However for them to be able to send you a plaintext password means they are storing it in plaintext, or an easily reversible format at their end. As kyhwana2 noted above, ideally it should be stored as a well salted hash using a decent algorithm.

If/when a hacker compromises an organisation, would you like them to have your password stored in plaintext, or in a format that will take them years to crack? We're saying it should be the latter.




Information wants to be free. The Net interprets censorship as damage and routes around it.


 1 | 2
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic



Switch your broadband provider now - compare prices


Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Ring launches indoor-only security camera
Posted 23-Jan-2020 17:26


New report findings will help schools implement the digital technologies curriculum content
Posted 23-Jan-2020 17:25


N4L to upgrade & support wireless internet inside schools
Posted 23-Jan-2020 17:22


Netflix releases 21 Studio Ghibli works
Posted 22-Jan-2020 11:42


Vodafone integrates eSIM into device and wearable roadmap
Posted 17-Jan-2020 09:45


Do you need this camera app? Group investigates privacy implications
Posted 16-Jan-2020 03:30


JBL launches headphones range designed for gaming
Posted 13-Jan-2020 09:59


Withings introduces ScanWatch wearable combining ECG and sleep apnea detection
Posted 9-Jan-2020 18:34


NZ Police releases public app
Posted 8-Jan-2020 11:43


Suunto 7 combine sports and smart features on new smartwatch generation
Posted 7-Jan-2020 16:06


Intel brings innovation with technology spanning the cloud, network, edge and PC
Posted 7-Jan-2020 15:54


AMD announces high performance desktop and ultrathin laptop processors
Posted 7-Jan-2020 15:42


AMD unveils four new desktop and mobile GPUs including AMD Radeon RX 5600
Posted 7-Jan-2020 15:32


Consolidation in video streaming market with Spark selling Lightbox to Sky
Posted 19-Dec-2019 09:09


Intel introduces cryogenic control chip to enable quantum computers
Posted 10-Dec-2019 21:32



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.