[Snap] Snap passwords not encrypted

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › [Snap] Snap passwords not encrypted

timmmay

20578 posts

Uber Geek

Trusted

Lifetime subscriber

#139399 7-Feb-2014 16:43

A helpful Snap helpdesk guy helped me reconfigure my Fritzbox today, as I'd messed it up and had to reset to factory default. The worrying part is he was able to tell me the password I selected when I created my Snap account.

Passwords should really be encrypted or hashed. They could be encrypted in their database and decrypted in software, which is still not super secure but better than nothing. If someone breaks into the Snap systems they could access my account, if I'd reused the password (which I haven't) the repercussions could be significant if someone broke into internet banking. It also makes me wonder what else isn't encrypted - bank account details, credit card details, my personal information etc?

I'd appreciate a comment from Snap please.

1 | 2 | 3

4244 posts

Uber Geek

#981978 7-Feb-2014 16:58

never worried me as all Snap have got is my name and Address and i quite like them setting up voip on my modem so they need the password for that.

Common sense is not as common as you think.

timmmay

20578 posts

Uber Geek

Trusted

Lifetime subscriber

#981982 7-Feb-2014 17:01

My Fritzbox admin password is different from my account password. Snap have my bank account details or credit card details, I think, to bill me.

I'm sure it makes things a lot easier, given most people forget passwords and don't know where to put them if they do. I'm just not sure it's a good idea.

michaelmurfy

meow
13242 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#981992 7-Feb-2014 17:07

Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

Kiwiownage

112 posts

Master Geek

#981996 7-Feb-2014 17:08

Isn't that like data security 101...

All passwords should be encrypted regardless of how "valuable" the information behind the password is

insane

3239 posts

Uber Geek

ID Verified

Trusted

#981999 7-Feb-2014 17:11

wow that's really poor form, there's no excuse for doing that

timmmay

20578 posts

Uber Geek

Trusted

Lifetime subscriber

#982000 7-Feb-2014 17:12

michaelmurfy: Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.

My Snap connection isn't plugged in, and I've never once logged in. Passwords should never be transmitted, they should be hashed and the hash sent. If they are sent they should be sent over https and never logged.

I'm not a security architect, but I do architect work and work with security architects. These are real basics though.

sidefx

3711 posts

Uber Geek

Trusted

#982005 7-Feb-2014 17:14

michaelmurfy: Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.

I don't think this is it - I seem to remember my fritzbox arriving complete with a handwritten postit note stuck to it with my signup password on it - IIRC that was before I was even connected.

This has come up before; around the time I first joined snap. A bit disappointing if they're still not securing passwords... granted people shouldn't be reusing passwords on multiple sites but many people do.

"I was born not knowing and have had only a little time to change that here and there." | Octopus Energy | Sharesies
- Richard Feynman

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

niallm90

123 posts

Master Geek

Trusted

#982008 7-Feb-2014 17:17

timmmay:
michaelmurfy: Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.

My Snap connection isn't plugged in, and I've never once logged in. Passwords should never be transmitted, they should be hashed and the hash sent. If they are sent they should be sent over https and never logged.

I'm not a security architect, but I do architect work and work with security architects. These are real basics though.

With PPP, the connection method used by most NZ ISPs, passwords are sent in plain text. As Michael said it could be hashed in there database and the Radius / Diameter server is comparing the hash when you login. And so to get your password they could just look at an request coming in.

However if you say you have never logged in then I would be inclined to say they store it in plain text.

Thanks,
Niall

Kiwiownage

112 posts

Master Geek

#982009 7-Feb-2014 17:17

ohhh snap

kornflake

409 posts

Ultimate Geek

#982012 7-Feb-2014 17:30

yr password is most likely to be visible to any snap employee, that has access to their database/crm suite. Don't worry they won't give it out to anyone other than you, if someone in snap was doing something doggy, they won't be using your account, it would be way more hidden in their system than that.

Kiwiownage

112 posts

Master Geek

#982023 7-Feb-2014 17:59

kornflake: yr password is most likely to be visible to any snap employee, that has access to their database/crm suite. Don't worry they won't give it out to anyone other than you, if someone in snap was doing something doggy, they won't be using your account, it would be way more hidden in their system than that.

I don't think you get it :|

a password is something you and only you should have access 2

edit: or do I not get it? TE HEEEEEE

insane

3239 posts

Uber Geek

ID Verified

Trusted

#982038 7-Feb-2014 18:14

kornflake: yr password is most likely to be visible to any snap employee, that has access to their database/crm suite. Don't worry they won't give it out to anyone other than you, if someone in snap was doing something doggy, they won't be using your account, it would be way more hidden in their system than that.

At best it means they will be wide open to social engineering. I'm sure if pressed hard enough they will give out said password to someone presenting enough other details, which are available online. Assuming you're a snap customer we could start with your account ;)

Kiwiownage

112 posts

Master Geek

#982076 7-Feb-2014 20:01

Full name and date of birth.

Facebook >.>

YOUR ACCOUNT IS NOW MINE

NonprayingMantis

6434 posts

Uber Geek

#982078 7-Feb-2014 20:11

Storing passwords in plain txt is very more bad.

http://www.freitasm.com/8221

kornflake

409 posts

Ultimate Geek

#982084 7-Feb-2014 20:22

how many of you work for an isp? u would be surprised, the old telecom wireline was mindblowing at the amount of person data was avilible, if you had the right type of login.

1 | 2 | 3