Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




14869 posts

Uber Geek
+1 received by user: 2790

Trusted
Subscriber

# 139399 7-Feb-2014 16:43
One person supports this post
Send private message

A helpful Snap helpdesk guy helped me reconfigure my Fritzbox today, as I'd messed it up and had to reset to factory default. The worrying part is he was able to tell me the password I selected when I created my Snap account.

Passwords should really be encrypted or hashed. They could be encrypted in their database and decrypted in software, which is still not super secure but better than nothing. If someone breaks into the Snap systems they could access my account, if I'd reused the password (which I haven't) the repercussions could be significant if someone broke into internet banking. It also makes me wonder what else isn't encrypted - bank account details, credit card details, my personal information etc?

I'd appreciate a comment from Snap please.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3
2863 posts

Uber Geek
+1 received by user: 772


  # 981978 7-Feb-2014 16:58
Send private message

never worried me as all Snap have got is my name and Address and i quite like them setting up voip on my modem so they need the password for that.




Common sense is not as common as you think.




14869 posts

Uber Geek
+1 received by user: 2790

Trusted
Subscriber

  # 981982 7-Feb-2014 17:01
Send private message

My Fritzbox admin password is different from my account password. Snap have my bank account details or credit card details, I think, to bill me.

I'm sure it makes things a lot easier, given most people forget passwords and don't know where to put them if they do. I'm just not sure it's a good idea.

 
 
 
 


Mr Snotty
8721 posts

Uber Geek
+1 received by user: 4605

Moderator
Trusted
Lifetime subscriber

  # 981992 7-Feb-2014 17:07
Send private message

Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.




112 posts

Master Geek
+1 received by user: 5


  # 981996 7-Feb-2014 17:08
Send private message

Isn't that like data security 101...

All passwords should be encrypted regardless of how "valuable" the information behind the password is

2354 posts

Uber Geek
+1 received by user: 413

Trusted
Subscriber

  # 981999 7-Feb-2014 17:11
Send private message

wow that's really poor form, there's no excuse for doing that



14869 posts

Uber Geek
+1 received by user: 2790

Trusted
Subscriber

  # 982000 7-Feb-2014 17:12
Send private message

michaelmurfy: Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.


My Snap connection isn't plugged in, and I've never once logged in. Passwords should never be transmitted, they should be hashed and the hash sent. If they are sent they should be sent over https and never logged.

I'm not a security architect, but I do architect work and work with security architects. These are real basics though.

3284 posts

Uber Geek
+1 received by user: 985

Trusted

  # 982005 7-Feb-2014 17:14
Send private message

michaelmurfy: Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.


I don't think this is it - I seem to remember my fritzbox arriving complete with a handwritten postit note stuck to it with my signup password on it - IIRC that was before I was even connected.

This has come up before; around the time I first joined snap.  A bit disappointing if they're still not securing passwords...  granted people shouldn't be reusing passwords on multiple sites but many people do.

 
 
 
 


77 posts

Master Geek
+1 received by user: 19

Trusted

  # 982008 7-Feb-2014 17:17
One person supports this post
Send private message

timmmay:
michaelmurfy: Could well be they can see authentication attempts to their Radius server and based on that be able to determine your password. Doesn't necessary mean your password is not encrypted.


My Snap connection isn't plugged in, and I've never once logged in. Passwords should never be transmitted, they should be hashed and the hash sent. If they are sent they should be sent over https and never logged.

I'm not a security architect, but I do architect work and work with security architects. These are real basics though.


With PPP, the connection method used by most NZ ISPs, passwords are sent in plain text. As Michael said it could be hashed in there database and the Radius / Diameter server is comparing the hash when you login. And so to get your password they could just look at an request coming in.

However if you say you have never logged in then I would be inclined to say they store it in plain text.

Thanks,
Niall

112 posts

Master Geek
+1 received by user: 5


  # 982009 7-Feb-2014 17:17
One person supports this post
Send private message

ohhh snap


397 posts

Ultimate Geek
+1 received by user: 51


  # 982012 7-Feb-2014 17:30
Send private message

yr password is most likely to be visible to any snap employee, that has access to their database/crm suite. Don't worry they won't give it out to anyone other than you, if someone in snap was doing something doggy, they won't be using your account, it would be way more hidden in their system than that.

112 posts

Master Geek
+1 received by user: 5


  # 982023 7-Feb-2014 17:59
Send private message

kornflake: yr password is most likely to be visible to any snap employee, that has access to their database/crm suite. Don't worry they won't give it out to anyone other than you, if someone in snap was doing something doggy, they won't be using your account, it would be way more hidden in their system than that.


I don't think you get it :|

a password is something you and only you should have access 2

edit: or do I not get it? TE HEEEEEE

2354 posts

Uber Geek
+1 received by user: 413

Trusted
Subscriber

  # 982038 7-Feb-2014 18:14
Send private message

kornflake: yr password is most likely to be visible to any snap employee, that has access to their database/crm suite. Don't worry they won't give it out to anyone other than you, if someone in snap was doing something doggy, they won't be using your account, it would be way more hidden in their system than that.


At best it means they will be wide open to social engineering. I'm sure if pressed hard enough they will give out said password to someone presenting enough other details, which are available online. Assuming you're a snap customer we could start with your account ;)





112 posts

Master Geek
+1 received by user: 5


  # 982076 7-Feb-2014 20:01
Send private message

Full name and date of birth.

Facebook >.>

YOUR ACCOUNT IS NOW MINE

6434 posts

Uber Geek
+1 received by user: 1571


  # 982078 7-Feb-2014 20:11
Send private message

Storing passwords in plain txt is very more bad.

http://www.freitasm.com/8221


397 posts

Ultimate Geek
+1 received by user: 51


  # 982084 7-Feb-2014 20:22
Send private message

how many of you work for an isp? u would be surprised, the old telecom wireline was mindblowing at the amount of person data was avilible, if you had the right type of login.

 1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Scientists unveil image of quantum entanglement
Posted 13-Jul-2019 06:00


Hackers to be challenged at University of Waikato
Posted 12-Jul-2019 21:34


OPPO Reno Z now available in New Zealand
Posted 12-Jul-2019 21:28


Sony introduces WF-1000XM3 wireless headphones with noise cancellation
Posted 8-Jul-2019 16:56


Xero announces new smarter tools, push into the North American market
Posted 19-Jun-2019 17:20


New report by Unisys shows New Zealanders want action by social platform companies and police to monitor social media sites
Posted 19-Jun-2019 17:09


ASB adds Google Pay option to contactless payments
Posted 19-Jun-2019 17:05


New Zealand PC Market declines on the back of high channel inventory, IDC reports
Posted 18-Jun-2019 17:35


Air New Zealand uses drones to inspect aircraft
Posted 17-Jun-2019 15:39


TCL Electronics launches its first-ever 8K TV
Posted 17-Jun-2019 15:18


E-scooter share scheme launches in Wellington
Posted 17-Jun-2019 12:34


Anyone can broadcast with Kordia Pop Up TV
Posted 13-Jun-2019 10:51


Volvo and Uber present production vehicle ready for self-driving
Posted 13-Jun-2019 10:47


100,000 customers connected to fibre broadband network through Enable
Posted 13-Jun-2019 10:35


5G uptake even faster than expected
Posted 12-Jun-2019 10:01



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.