Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsOne New Zealand (including Vodafone, WxC, Farmside)Plaintext password storage

aw

aw

278 posts

Ultimate Geek


#81301 11-Apr-2011 13:16
Send private message

I had a client who recently called up Vodafone over a billing query she had with them, and while getting it sorted, apparently she was asked what her password was. She couldn't remember and instead a new one was set (without any instructions to update the ADSL modem, which led to another helpdesk call when she lost internet only to be told her modem needed replacing, but that's another issue!).

This client is non-technical and doesn't clearly remember the course of the conversation or how the password was asked for. I'm not sure if the CSR was able to see it or not as the client told me the conversation went something like "no, that's not it ... no not that either" but she tells me the CSR did try to give a couple of clues to jog her memory.

This got me curious...

Do Vodafone, or for that matter ISPs in general, store their users' passwords in cleartext and can helpdesk and accounts CSRs see these passwords?

If so, this seems pretty lax. Is it true?

Create new topic
magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #457490 11-Apr-2011 13:44
Send private message

As far as I know, they ask for a PIN for the account. Although it is perfectly plausible that they store the passwords in plain-text for recovery purposes.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

 
 
 
 

GoodSync. Easily back up and sync your files with GoodSync. Simple and secure file backup and synchronisation software will ensure that your files are never lost (affiliate link).
reven
3645 posts

Uber Geek

Trusted

  #457493 11-Apr-2011 13:54
Send private message

at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.

magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #457495 11-Apr-2011 14:01
Send private message

reven: at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.


That's what I meant, of course. 




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



jaymz
1132 posts

Uber Geek


  #457514 11-Apr-2011 14:35
Send private message

I have always wondered why ISP's don't implment remote access to the routers themselves?

This would be a perfect case of where it would work perfectly.

Their modems that they supply the customer come pre-configured, so why not add the option of remote support to them. 

Of course this wouldnt work for people who know how to get into the modems and change settings, however for those who don't, the helpdesk support dude can connect in after confirming that the user has the original modem.

They already have the IP address of the device, so they can log in and change the password on the device for the user for them.

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #457525 11-Apr-2011 14:54
Send private message

reven: at the very least they would be encrypted and they would just have the ability to decrypt them.

they won't be stored in clear text.


LOL. "would be encrypted". based on what?

there have been a few high profile hacks recently where usernames/passwords have been extracted from system where everything was plain text...

i agree, they "should" be encrypted - but assuming "would" is a bit of a leap.




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #457528 11-Apr-2011 14:58
Send private message

jaymz: I have always wondered why ISP's don't implment remote access to the routers themselves?

This would be a perfect case of where it would work perfectly.

Their modems that they supply the customer come pre-configured, so why not add the option of remote support to them. 

Of course this wouldnt work for people who know how to get into the modems and change settings, however for those who don't, the helpdesk support dude can connect in after confirming that the user has the original modem.

They already have the IP address of the device, so they can log in and change the password on the device for the user for them.




i think that telecom shipped the original jetstream adsl nokia modems with this capability.  there was a seperate vlan for management.

you certainly wouldnt want to have remote access to the modems on the public WAN though.  serious security hole there.

the problem with having remote access to consumer modems though, is that you would:
(1) be accused of big brother
(2) be potentially held responsible for any security breaches
(3) be expected to fix any problem remotely, which incurs extra cost and probably requires more technical expertise at the call center




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

jaymz
1132 posts

Uber Geek


  #457544 11-Apr-2011 15:29
Send private message

Regs:

i think that telecom shipped the original jetstream adsl nokia modems with this capability.  there was a seperate vlan for management.

you certainly wouldnt want to have remote access to the modems on the public WAN though.  serious security hole there.

the problem with having remote access to consumer modems though, is that you would:
(1) be accused of big brother
(2) be potentially held responsible for any security breaches
(3) be expected to fix any problem remotely, which incurs extra cost and probably requires more technical expertise at the call center


Fair call,  I guess the cheaper modems that they supply don't have the ability to secure the connections with certificates.

I suppose one way they could get around it would be to sell the plans with a "Managed Routers" option.  essentially stop user access to the management of the router and only allow the ISP access (like telecom's one office)



Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #457601 11-Apr-2011 20:01
Send private message

jaymz: I suppose one way they could get around it would be to sell the plans with a "Managed Routers" option.  essentially stop user access to the management of the router and only allow the ISP access (like telecom's one office)


i had though that orcon was offering this in their homehub, but i cant see anything on their website.

here is an article about the BT HomeHub and the massive security hole in its remote assistance feature.  some 2,000,000 routers became vulnerable to full take over from remote hackers:
http://www.theregister.co.uk/2007/10/22/home_hub_vuln_plugged/

you can easily see how this could turn into a costly legal and PR nightmare.  the safest option is probably just not offering such a service for consumers.




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Jaxar
383 posts

Ultimate Geek


  #457903 12-Apr-2011 16:06
Send private message

VF CSR's cannot see a customers broadband password on the account in plain text. There are naturally password retrieval methods. I suspect that is where the "no that's not it either" statement originated from.


Nobody should be giving out password hints and under normal circumstances this should not even be possible. I can imagine a scenario where a customer might make a guess that there password is xyz123 and a CSR might ask could the password be abc123.




Please note: I have a professional bias towards Vodafone.

Create new topic





News and reviews »

Prodigi Technology Services Announces Strategic Acquisition of Conex
Posted 4-Dec-2023 09:33

Samsung Announces Galaxy AI
Posted 28-Nov-2023 14:48

Epson Launches EH-LS650 Ultra Short Throw Smart Streaming Laser Projector
Posted 28-Nov-2023 14:38

Fitbit Charge 6 Review 
Posted 27-Nov-2023 16:21

Cisco Launches New Research Highlighting Gap in Preparedness for AI
Posted 23-Nov-2023 15:50

Seagate Takes Block Storage System to New Heights Reaching 2.5 PB
Posted 23-Nov-2023 15:45

Seagate Nytro 4350 NVMe SSD Delivers Consistent Application Performance and High QoS to Data Centers
Posted 23-Nov-2023 15:38

Amazon Fire TV Stick 4k Max (2nd Generation) Review
Posted 14-Nov-2023 16:17

Over half of New Zealand adults surveyed concerned about AI shopping scams
Posted 3-Nov-2023 10:42

Super Mario Bros. Wonder Launches on Nintendo Switch
Posted 24-Oct-2023 10:56

Google Releases Nest WiFi Pro in New Zealand
Posted 24-Oct-2023 10:18

Amazon Introduces All-New Echo Pop in New Zealand
Posted 23-Oct-2023 19:49

HyperX Unveils Their First Webcam and Audio Mixer Plus
Posted 20-Oct-2023 11:47

Seagate Introduces Exos 24TB Hard Drives for Hyperscalers and Enterprise Data Centres
Posted 20-Oct-2023 11:43

Dyson Zone Noise-Cancelling Headphones Comes to New Zealand
Posted 20-Oct-2023 11:33








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







Backblaze unlimited backup






RSS feeds
Main feed
Forums feed
Copyright
©2002-2023 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Affiliate links
Mighty Ape
Sharesies
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.