

aw

286 posts

Ultimate Geek


#81301 11-Apr-2011 13:16

I had a client who recently called up Vodafone over a billing query she had with them, and while getting it sorted, apparently she was asked what her password was. She couldn't remember and instead a new one was set (without any instructions to update the ADSL modem, which led to another helpdesk call when she lost internet only to be told her modem needed replacing, but that's another issue!).

This client is non-technical and doesn't clearly remember the course of the conversation or how the password was asked for. I'm not sure if the CSR was able to see it or not as the client told me the conversation went something like "no, that's not it ... no not that either" but she tells me the CSR did try to give a couple of clues to jog her memory.

This got me curious...

Do Vodafone, or for that matter ISPs in general, store their users' passwords in cleartext and can helpdesk and accounts CSRs see these passwords?

If so, this seems pretty lax. Is it true?

magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #457490 11-Apr-2011 13:44

As far as I know, they ask for a PIN for the account. Although it is perfectly plausible that they store the passwords in plain-text for recovery purposes.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



reven
3743 posts

Uber Geek

Trusted

  #457493 11-Apr-2011 13:54

at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.

magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #457495 11-Apr-2011 14:01

reven: at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.


That's what I meant, of course. 




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



jaymz
1133 posts

Uber Geek


  #457514 11-Apr-2011 14:35

I have always wondered why ISPs don't implement remote access to the routers themselves?

This would be a perfect case of where it would work perfectly.

Their modems that they supply the customer come pre-configured, so why not add the option of remote support to them. 

Of course this wouldn't work for people who know how to get into the modems and change settings, however for those who don't, the helpdesk support dude can connect in after confirming that the user has the original modem.

They already have the IP address of the device, so they can log in and change the password on the device for the user for them.



Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #457525 11-Apr-2011 14:54

reven: at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.


LOL. "would be encrypted". based on what?

there have been a few high profile hacks recently where usernames/passwords have been extracted from systems where everything was plain text...

i agree, they "should" be encrypted - but assuming "would" is a bit of a leap.




Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #457528 11-Apr-2011 14:58

jaymz: I have always wondered why ISPs don't implement remote access to the routers themselves?

This would be a perfect case of where it would work perfectly.

Their modems that they supply the customer come pre-configured, so why not add the option of remote support to them. 

Of course this wouldn't work for people who know how to get into the modems and change settings, however for those who don't, the helpdesk support dude can connect in after confirming that the user has the original modem.

They already have the IP address of the device, so they can log in and change the password on the device for the user for them.




i think that telecom shipped the original jetstream adsl nokia modems with this capability.  there was a separate vlan for management.

you certainly wouldn't want to have remote access to the modems on the public WAN though.  serious security hole there.

the problem with having remote access to consumer modems though, is that you would:
(1) be accused of big brother
(2) be potentially held responsible for any security breaches
(3) be expected to fix any problem remotely, which incurs extra cost and probably requires more technical expertise at the call center




jaymz
1133 posts

Uber Geek


  #457544 11-Apr-2011 15:29

Regs:

i think that telecom shipped the original jetstream adsl nokia modems with this capability.  there was a separate vlan for management.

you certainly wouldn't want to have remote access to the modems on the public WAN though.  serious security hole there.

the problem with having remote access to consumer modems though, is that you would:
(1) be accused of big brother
(2) be potentially held responsible for any security breaches
(3) be expected to fix any problem remotely, which incurs extra cost and probably requires more technical expertise at the call center


Fair call,  I guess the cheaper modems that they supply don't have the ability to secure the connections with certificates.

I suppose one way they could get around it would be to sell the plans with a "Managed Routers" option.  essentially stop user access to the management of the router and only allow the ISP access (like telecom's one office)



 
 
 

Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #457601 11-Apr-2011 20:01

jaymz: I suppose one way they could get around it would be to sell the plans with a "Managed Routers" option.  essentially stop user access to the management of the router and only allow the ISP access (like telecom's one office)


i had thought that orcon was offering this in their homehub, but i can't see anything on their website.

here is an article about the BT HomeHub and the massive security hole in its remote assistance feature.  some 2,000,000 routers became vulnerable to full take over from remote hackers:
http://www.theregister.co.uk/2007/10/22/home_hub_vuln_plugged/

you can easily see how this could turn into a costly legal and PR nightmare.  the safest option is probably just not offering such a service for consumers.




Jaxar
383 posts

Ultimate Geek


  #457903 12-Apr-2011 16:06

VF CSRs cannot see a customer's broadband password on the account in plain text. There are naturally password retrieval methods. I suspect that is where the "no that's not it either" statement originated from.


Nobody should be giving out password hints and under normal circumstances this should not even be possible. I can imagine a scenario where a customer might make a guess that their password is xyz123 and a CSR might ask could the password be abc123.




Please note: I have a professional bias towards Vodafone.
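
One way a helpdesk check can work without any CSR seeing the password, as an added example that is not part of the thread and does not describe Vodafone's actual system: the account stores only a salted PBKDF2 verifier, and the support screen gets back "match", "no match" or "locked". The function names, iteration count and attempt limit are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch
MAX_ATTEMPTS = 3      # assumed limit on wrong guesses before lockout


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Build the stored record: random salt plus derived key, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "key": _derive(password, salt), "failed": 0}


def csr_check(record: dict, guess: str) -> str:
    """All the helpdesk screen learns about a guess: match, no match or locked."""
    if record["failed"] >= MAX_ATTEMPTS:
        return "locked"  # stop guessing; the only way forward is a reset
    if hmac.compare_digest(_derive(guess, record["salt"]), record["key"]):
        record["failed"] = 0
        return "match"
    record["failed"] += 1
    return "no match"


def csr_reset(record: dict, new_password: str) -> None:
    """Replace the verifier; the old password is never recovered or shown."""
    record.update(enroll(new_password))


if __name__ == "__main__":
    account = enroll("xyz123")  # constructed sample password from the post above
    for guess in ("abc123", "xyz123"):
        print(guess, "->", csr_check(account, guess))
```

With a record like this there is nothing to read a hint from, and a forgotten password can only be replaced, which is the reset the original poster's client ended up with.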
