Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsOne New Zealand (including Vodafone, WxC, Farmside)Plaintext password storage

aw

aw

282 posts

Ultimate Geek


#81301 11-Apr-2011 13:16
Send private message

I had a client who recently called up Vodafone over a billing query she had with them, and while getting it sorted, apparently she was asked what her password was. She couldn't remember and instead a new one was set (without any instructions to update the ADSL modem, which led to another helpdesk call when she lost internet only to be told her modem needed replacing, but that's another issue!).

This client is non-technical and doesn't clearly remember the course of the conversation or how the password was asked for. I'm not sure if the CSR was able to see it or not as the client told me the conversation went something like "no, that's not it ... no not that either" but she tells me the CSR did try to give a couple of clues to jog her memory.

This got me curious...

Do Vodafone, or for that matter ISPs in general, store their users' passwords in cleartext and can helpdesk and accounts CSRs see these passwords?

If so, this seems pretty lax. Is it true?

Create new topic
magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #457490 11-Apr-2011 13:44
Send private message

As far as I know, they ask for a PIN for the account. Although it is perfectly plausible that they store the passwords in plain-text for recovery purposes.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

 
 
 
 

Shop now for Lenovo laptops and other devices (affiliate link).
reven
3734 posts

Uber Geek

Trusted

  #457493 11-Apr-2011 13:54
Send private message

at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.

magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #457495 11-Apr-2011 14:01
Send private message

reven: at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.


That's what I meant, of course. 




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



jaymz
1133 posts

Uber Geek


  #457514 11-Apr-2011 14:35
Send private message

I have always wondered why ISP's don't implment remote access to the routers themselves?

This would be a perfect case of where it would work perfectly.

Their modems that they supply the customer come pre-configured, so why not add the option of remote support to them. 

Of course this wouldnt work for people who know how to get into the modems and change settings, however for those who don't, the helpdesk support dude can connect in after confirming that the user has the original modem.

They already have the IP address of the device, so they can log in and change the password on the device for the user for them.

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #457525 11-Apr-2011 14:54
Send private message

reven: at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.


LOL. "would be encrypted". based on what?

there have been a few high profile hacks recently where usernames/passwords have been extracted from system where everything was plain text...

i agree, they "should" be encrypted - but assuming "would" is a bit of a leap.




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #457528 11-Apr-2011 14:58
Send private message

jaymz: I have always wondered why ISP's don't implment remote access to the routers themselves?

This would be a perfect case of where it would work perfectly.

Their modems that they supply the customer come pre-configured, so why not add the option of remote support to them. 

Of course this wouldnt work for people who know how to get into the modems and change settings, however for those who don't, the helpdesk support dude can connect in after confirming that the user has the original modem.

They already have the IP address of the device, so they can log in and change the password on the device for the user for them.




i think that telecom shipped the original jetstream adsl nokia modems with this capability.  there was a seperate vlan for management.

you certainly wouldnt want to have remote access to the modems on the public WAN though.  serious security hole there.

the problem with having remote access to consumer modems though, is that you would:
(1) be accused of big brother
(2) be potentially held responsible for any security breaches
(3) be expected to fix any problem remotely, which incurs extra cost and probably requires more technical expertise at the call center




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

jaymz
1133 posts

Uber Geek


  #457544 11-Apr-2011 15:29
Send private message

Regs:

i think that telecom shipped the original jetstream adsl nokia modems with this capability.  there was a seperate vlan for management.

you certainly wouldnt want to have remote access to the modems on the public WAN though.  serious security hole there.

the problem with having remote access to consumer modems though, is that you would:
(1) be accused of big brother
(2) be potentially held responsible for any security breaches
(3) be expected to fix any problem remotely, which incurs extra cost and probably requires more technical expertise at the call center


Fair call,  I guess the cheaper modems that they supply don't have the ability to secure the connections with certificates.

I suppose one way they could get around it would be to sell the plans with a "Managed Routers" option.  essentially stop user access to the management of the router and only allow the ISP access (like telecom's one office)



Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #457601 11-Apr-2011 20:01
Send private message

jaymz: I suppose one way they could get around it would be to sell the plans with a "Managed Routers" option.  essentially stop user access to the management of the router and only allow the ISP access (like telecom's one office)


i had though that orcon was offering this in their homehub, but i cant see anything on their website.

here is an article about the BT HomeHub and the massive security hole in its remote assistance feature.  some 2,000,000 routers became vulnerable to full take over from remote hackers:
http://www.theregister.co.uk/2007/10/22/home_hub_vuln_plugged/

you can easily see how this could turn into a costly legal and PR nightmare.  the safest option is probably just not offering such a service for consumers.




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Jaxar
383 posts

Ultimate Geek


  #457903 12-Apr-2011 16:06
Send private message

VF CSR's cannot see a customers broadband password on the account in plain text. There are naturally password retrieval methods. I suspect that is where the "no that's not it either" statement originated from.


Nobody should be giving out password hints and under normal circumstances this should not even be possible. I can imagine a scenario where a customer might make a guess that there password is xyz123 and a CSR might ask could the password be abc123.




Please note: I have a professional bias towards Vodafone.

Create new topic





News and reviews »

Cricut Maker 4 Review
Posted 12-May-2025 15:18

Dynabook Launches Ultra-Light Portégé Z40L-N Copilot+PC with Self-Replaceable Battery
Posted 8-May-2025 14:08

Shopify Sidekick Gets a Major Reasoning Upgrade, Plus Free Image Generation
Posted 8-May-2025 14:03

Microsoft Introduces New Surface Copilot+ PCs
Posted 8-May-2025 13:56

D-Link A/NZ launches DWR-933M 4G+ LTE Cat6 Wi-Fi 6 Mobile Hotspot
Posted 8-May-2025 13:49

Synology Expands DiskStation Lineup with DS1825+ and DS1525+
Posted 8-May-2025 13:44

JBL Releases Next Generation Flip 7 and Charge 6
Posted 8-May-2025 13:41

Arlo Unveils All-New PoE Adapter With Enhanced Connectivity
Posted 8-May-2025 13:36

Fujifilm Instax Mini 41 Review
Posted 2-May-2025 10:12

Synology DS925+ Review
Posted 23-Apr-2025 15:00

Synology Announces DiskStation DS925+ and DX525 Expansion Unit
Posted 23-Apr-2025 10:34

JBL Tour Pro 3 Review
Posted 22-Apr-2025 16:56

Samsung 9100 Pro NVMe SSD Review
Posted 11-Apr-2025 13:11

Motorola Announces New Mid-tier Phones moto g05 and g15
Posted 4-Apr-2025 00:00

SoftMaker Releases Free PDF editor FreePDF 2025
Posted 3-Apr-2025 15:26








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







Backblaze unlimited backup



RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
Hatch
GoodSync
Backblaze backup
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright