Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




116 posts

Master Geek
+1 received by user: 12


Topic # 223624 9-Oct-2017 11:51
Send private message

Something I've been meaning to ask for a while.

 

We all have a login and password for our broadband connection. Now I thought that password would be fully encrypted and invisible to the ISP team, but it seems it is not. They can see the password and will even ask for the password as confirmation of who I am.

 

Is this normal? Not particularly happy with it, but in all other aspects the ISP is great.


Create new topic
4240 posts

Uber Geek
+1 received by user: 2425

Trusted
Lifetime subscriber

  Reply # 1879818 9-Oct-2017 11:55
6 people support this post
Send private message

Most ISP are port based authentication anyway so does not matter what username and password are

Linux

3840 posts

Uber Geek
+1 received by user: 1555

Subscriber

  Reply # 1879859 9-Oct-2017 12:59
3 people support this post
Send private message

Majority are doing port based authentication for PPP and just falling back to user/pass if that doesn't work for some reason.

 

We still allocate a username/pass, the password gets stored in an encrytped database but can be "unhidden" if required by a support tech. The password doesn't get used for anything else though so really just don't see the issue. I would only start to worry if the PPP password was the same one used for getting in to billing portals and things where credit cards are stored (but then again, the CC number shouldn't be stored in plain text anyway so maybe another moot point?)


 
 
 
 


I fix stuff!
1734 posts

Uber Geek
+1 received by user: 414

Trusted
Vocus
Subscriber

  Reply # 1879860 9-Oct-2017 13:00
One person supports this post
Send private message

Also depends on the ISP, don't tar them all with the same brush


'That VDSL Cat'
9690 posts

Uber Geek
+1 received by user: 2247

Trusted
Spark
Subscriber

  Reply # 1879867 9-Oct-2017 13:06
Send private message

Spark don't hold customers passwords.

 

for email, the customer set the password through their selfservice tools.

 

 

 

For Internet, Port based auth is used. As such the BGN will accept any password and/or username as long as it is not blank and does not have any strange Unicode characters.

 

 





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.




116 posts

Master Geek
+1 received by user: 12


  Reply # 1879870 9-Oct-2017 13:11
Send private message

Thanks Linux - I had to look that one up :-)

 

@Chevrolux alludes to the issue that seemed to be of concern to me.

 

There are few things here.

 

1. Modem connection. I've always been BYO modems so don't know if that makes a difference as I assume any modem supplied by the ISP would have the line details included. Mine have always connected as per the ISP instructions using a username and pw - I've been with the same ISP for over 6 years.

 

2. Web account login. This uses the same login details as the modem, so with those details anyone can login and see name, address, phone numbers, payment details etc. Now, I assume it would be normal practice for the ISP staff would be able see these details, but these would be secure details (hopefully) on their servers. I am surprised they have access to the password as well. It is that aspect that I'm wondering if it is standard practice or if my ISP is an exception.

 

3. Can't think of any reason that staff should be able to access a password. It is an easy get out of jail card if people forget their pw, but not really acceptable these days IMHO. Nice to see that at least Spark (thanks @hio77) seem to agree on that one.


'That VDSL Cat'
9690 posts

Uber Geek
+1 received by user: 2247

Trusted
Spark
Subscriber

  Reply # 1879874 9-Oct-2017 13:22
Send private message

MartinGZ:

 

 

 

2. Web account login. This uses the same login details as the modem, so with those details anyone can login and see name, address, phone numbers, payment details etc. Now, I assume it would be normal practice for the ISP staff would be able see these details, but these would be secure details (hopefully) on their servers. I am surprised they have access to the password as well. It is that aspect that I'm wondering if it is standard practice or if my ISP is an exception.

 

 

Missed commenting on this one.

 

 

 

MySpark passwords are not held iver, once again self service completely for customers to manage their passwords.

 

 

 

The idea of using authentication based identification these days is just an unneeded overhead.

 

There are also many abusable flaws to this that used to get hit back in the day on those who previously did authentication (since moved to port)

 

 

 

Port auth isn't foolproof, chorus can do maintenances and leave the customer's connection in limbo on a new port till records are updated on both sides although 95% of the time RSP's have a "special" profile in this case that still allows service, sometimes at a lower limit.

 

most RPS's have teams that manage these sorts of things or go as far as to have it completely self provisioned (automation)





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


14665 posts

Uber Geek
+1 received by user: 1969


  Reply # 1879938 9-Oct-2017 14:48
One person supports this post
Send private message

Considering how many people use the same password for multiple things (which people shouldn't do, but it happens), that is a concern. Especially with all the systems that get hacked these days. Another big hack today see in NZ.


2601 posts

Uber Geek
+1 received by user: 1100

Trusted
Lifetime subscriber

  Reply # 1879995 9-Oct-2017 17:35
Send private message

hio77:

 

Spark don't hold customers passwords.

 

for email, the customer set the password through their selfservice tools.

 

For Internet, Port based auth is used. As such the BNG will accept any password and/or username as long as it is not blank and does not have any strange Unicode characters.

 

 

The only reason why the username is used in Spark is for debugging purposes such as if you are mis-provisioned by Chorus or another LFC then the agent can ask you to change the username to "findmeplease" and then they can search in the authentication logs and find you.

 

And the username can be upper,lowers, numbers, @ and "." and pretty much anything else will cause the request to be rejected.






'That VDSL Cat'
9690 posts

Uber Geek
+1 received by user: 2247

Trusted
Spark
Subscriber

  Reply # 1879996 9-Oct-2017 17:40
Send private message

BarTender:

 

 

 

The only reason why the username is used in Spark is for debugging purposes such as if you are mis-provisioned by Chorus or another LFC then the agent can ask you to change the username to "findmeplease" and then they can search in the authentication logs and find you.

 

And the username can be upper,lowers, numbers, @ and "." and pretty much anything else will cause the request to be rejected.

 

 

Yep exactly.

 

 

 

Was refering to those who somehow manage to Copy and paste extra junk in...

 

Such as &#8206;user@spark.co.nz

 

 

 

That's rejected, pretty reasonably however the character is actually relatively invisible.  





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


UHD

656 posts

Ultimate Geek
+1 received by user: 303
Inactive user


  Reply # 1880030 9-Oct-2017 19:08
Send private message

chevrolux:

 

Majority are doing port based authentication for PPP and just falling back to user/pass if that doesn't work for some reason.

 

We still allocate a username/pass, the password gets stored in an encrytped database but can be "unhidden" if required by a support tech. The password doesn't get used for anything else though so really just don't see the issue. I would only start to worry if the PPP password was the same one used for getting in to billing portals and things where credit cards are stored (but then again, the CC number shouldn't be stored in plain text anyway so maybe another moot point?)

 

 

 

 

Systems engineers trying to come up with a satisfactory way to explain this.

 

 

 


Create new topic


Donate via Givealittle


Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Amazon introduces new Kindle with adjustable front light
Posted 21-Mar-2019 20:14


A call from the companies providing internet access for the great majority of New Zealanders, to the companies with the greatest influence over social media content
Posted 19-Mar-2019 15:21


Two e-scooter companies selected for Wellington trial
Posted 15-Mar-2019 17:33


GeForce GTX 1660 available now
Posted 15-Mar-2019 08:47


Artificial Intelligence to double the rate of innovation in New Zealand by 2021
Posted 13-Mar-2019 14:47


LG demonstrates smart home concepts at LG InnoFest
Posted 13-Mar-2019 14:45


New Zealanders buying more expensive smartphones
Posted 11-Mar-2019 09:52


2degrees Offers Amazon Prime Video to Broadband Customers
Posted 8-Mar-2019 14:10


D-Link ANZ launches D-Fend AC2600 Wi-Fi Router Protected by McAfee
Posted 7-Mar-2019 11:09


Slingshot commissions celebrities to design new modems
Posted 5-Mar-2019 08:58


Symantec Annual Threat Report reveals more ambitious, destructive and stealthy attacks
Posted 28-Feb-2019 10:14


FUJIFILM launches high performing X-T30
Posted 28-Feb-2019 09:40


Netflix is killing content piracy says research
Posted 28-Feb-2019 09:33


Trend Micro finds shifting threats require kiwis to rethink security priorities
Posted 28-Feb-2019 09:27


Mainfreight uses Spark IoT Asset Tracking service
Posted 28-Feb-2019 09:25



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.