Geekzone: technology news, blogs, forums
Topic # 144208 11-May-2014 14:39

Had a query with Vodafone over my on-account discount for my broadband, and sent them a screenshot from the My Vodafone page showing my account.

They sent back an email with steps on how to log in to the My Vodafone Portal (!!) and my username and PASSWORD IN CLEAR TEXT!!

Do you want to be like Yahoo/Xtra and compromise people's accounts?? Because this is a good way to do it...

  Reply # 1041723 11-May-2014 14:51

Was this a CSR personally sending you details or the system?

  Reply # 1041724 11-May-2014 14:53

Yep, Vodafone stores all that in plaintext :|

  Reply # 1041726 11-May-2014 14:56

Yep, from a specific CSR. I have emailed them back and made it clear that I don't want them to ever send me my username and password...

  Reply # 1041727 11-May-2014 14:59

kyhwana2: Yep, Vodafone stores all that in plaintext :|



WOW! This is unacceptable to me.
  Reply # 1041728 11-May-2014 14:59
2 people support this post

How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

  Reply # 1041729 11-May-2014 15:00

nakedmolerat:
kyhwana2: Yep, Vodafone stores all that in plaintext :|

WOW! This is unacceptable to me.

I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...
  Reply # 1041734 11-May-2014 15:05

mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Given the PPP, email and My Account passwords are the same for the one username, there isn't really any practical way to do anything different. It would be good if it was revised. I think you should be more worried about your POP email client. It's 99% more likely for that password to be stolen than one in an email.
  Reply # 1041738 11-May-2014 15:22

I have had my password texted to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest doing is changing your password, when you receive it in an email / txt, to something that is unique, so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right? ;)

  Reply # 1041748 11-May-2014 16:01
12 people support this post

mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this.
  Reply # 1041750 11-May-2014 16:02

Andib: I have had my password texted to me automatically from another major ISP in the past; emailing it is no different. The best thing I can suggest doing is changing your password, when you receive it in an email / txt, to something that is unique, so IF something were to happen, your other accounts wouldn't be compromised.

But of course that is standard password security that everyone should be doing, right? ;)

Standard password security should be that passwords are stored hashed (with a strong password hash algorithm like s/bcrypt) and that you get emailed a one-time token to reset your password.
Of course, in the ISP world of RADIUS/PPPoE/A, that's not really applicable... but DSL/PPPo* auth should be handled differently from web-based ones.
  Reply # 1041756 11-May-2014 16:13

freitasm:
mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this.

This would be the most ideal process. As mentioned before, the PPP username shares the same password with email and My Account due to them not being separated. The easiest approach, without expecting every customer to update their email and PPP, would be to provide it in plain text. I think a process improvement is needed, as we are in 2014, not 2003.

*Furthermore.
We are moving away from PPPoA. VDSL and UFB are port based. Hopefully we might get a new system in place for ADSL to use the same port-based auth. It would save a lot of time for CSRs that have customers with incorrect passwords and will make pathways for security updates.
  Reply # 1042762 13-May-2014 08:40

freitasm:
mattwnz: How do you want them to send you your password though? Many of these automated systems email the password when you have forgotten it. The thing you need to do is change it immediately. It is probably no different to telling you the password over the phone, as someone could also be listening in on your call, or someone could be overhearing it.

Nope, what they (and everyone else) should be doing is sending a RESET link so YOU can create a new password. THEY don't need to know the password - only you.

THEY in this context is any company. Anyone storing passwords in plain text or transmitting passwords over email is asking for trouble.

And no, it's not a "stab Vodafone" thread. Every company should know better than this.

Any tech-savvy person would agree with this. From my experience, I believe the customer complaints however would be significant. I have a hard time imagining any ISP wanting to lead this charge until general public opinion and education sees this type of security as a benefit to them instead of an inconvenience imposed on them.




Please note: I have a professional bias towards Vodafone.

  Reply # 1042790 13-May-2014 09:17
2 people support this post

TimA:
nakedmolerat:
kyhwana2: Yep, Vodafone stores all that in plaintext :|

WOW! This is unacceptable to me.

I would be surprised if any NZ ISP encrypted their passwords or had 2FA. Another "let's stab Vodafone" thread...

I have no interest in stabbing Vodafone. Zilch. None.

No one should know my password except me.
  Reply # 1045163 14-May-2014 22:17

But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail through plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password through to my mobile, then my friend or my girlfriend can obviously read my text messages.

So... there's no safer way at all...?
  Reply # 1045300 15-May-2014 08:33

Salami: But then if an ISP e-mails you a link to reset the password, that person can create any password behind your back, so I don't think it matters whether they send you an e-mail through plaintext with your password or a link to reset your password?
I don't mind either way really.
If an ISP sends me a password through to my mobile, then my friend or my girlfriend can obviously read my text messages.

So... there's no safer way at all...?

If someone compromises your email or mobile (or both), then you're screwed either way.

However, for them to be able to send you a plaintext password means they are storing it in plaintext, or in an easily reversible format, at their end. As kyhwana2 noted above, ideally it should be stored as a well-salted hash using a decent algorithm.

If/when a hacker compromises an organisation, would you like them to have your password stored in plaintext, or in a format that will take them years to crack? We're saying it should be the latter.




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.
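The process kyhwana2 and Wheelbarrow01 describe above, as an added example that is not part of the thread or any ISP's code: passwords are kept only as salted scrypt hashes (the standard library's hashlib.scrypt), and a forgotten password is handled by a random one-time reset token that expires, is accepted once, and is itself stored only as a hash, so the operator never holds anything it could email back in clear text. The Account class, token lifetime, work factors and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# scrypt work factors (constructed for the example; tune upward for production).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

def hash_password(password, salt=None):
    """Return (salt, scrypt digest); a fresh 16-byte salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of a re-derived hash against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Account:
    """Hypothetical account record: only salt + hash are kept, never the password."""
    def __init__(self, username, password):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.reset_token_hash = None   # SHA-256 of the outstanding reset token, if any
        self.reset_expires = 0.0

def issue_reset_token(acct, now=None):
    """Create a one-time token; the caller emails the token, the server keeps only its hash."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
    acct.reset_expires = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
    return token

def redeem_reset_token(acct, token, new_password, now=None):
    """Accept the token once, within its lifetime, then store the user-chosen password."""
    now = time.time() if now is None else now
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    acct.salt, acct.pw_hash = hash_password(new_password)
    acct.reset_token_hash = None  # single use: a replayed link is rejected
    return True
```

A leaked copy of this record gives an attacker only the salt, the scrypt digest and (at most) the hash of an expired token, which is the "years to crack" position Wheelbarrow01 argues for.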