How not to manage password security

xantia_v6
Forum Admin Team
Posts: 9053
Joined: 09 Nov 2005, 22:03
Location: France or NewZealand
Lexia Available: Yes
My Cars: -
1997 Citroen Xantia V6 (France)
1999 Citroen XM V6 ES9 (France)
2011 Peugeot 308 CC THP 155 (NZ)
1975 Jaguar XJ-S pre-HE (NZ)
x 825

How not to manage password security

Post by xantia_v6 »

We are not far from having fibre internet installed in our street, and I needed to check some details on our ISP's web site, somewhere I try not to go as it is an awful site, which seems to have the only purpose of selling phone upgrades. The ISP is a well known global company.

I sat looking at the login screen for a few seconds, and realised that I had no idea what user name or password to use, tried a couple of likely combinations with no success, and then tried password recovery, but that required account number and user name, so didn't help. I then called their support line, and said that I had forgotten my user name and password. They asked for my name and date of birth, nothing else, and said that they did not match.

I then realised that the account was set up by my wife (as it was originally attached to her mobile phone account). I was told that they would need her permission to allow me access to the account. So they called her and got her permission.

Then they called me back and gave me a user name and password pair, which was fine until I realised that they had given me a user name and password that my wife has used on more than one site.

I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised, in this age, that the customer service rep even has access to plain-text passwords.

Beware.
CitroJim
A very naughty boy
Posts: 49531
Joined: 30 Apr 2005, 23:33
Location: Paggers
My Cars: Bluebell the AX, Polly the C3 Picasso, Pix the Nissan Pixo, Propel the duathlon bike, TCR Pro the road bike and Fuji the TT bike...
x 6160

Re: How not to manage password security

Post by CitroJim »

That's not good...

Passwords really have had their day... They are archaic and badly need to be replaced by authentication mechanisms that are better suited to the needs of today...

I don't know what - I'll leave that to those far wiser than me...
Jim

Runner, cyclist, time triallist, duathlete, Citroen AX fan and the CCC Citroenian 'From A to Z' Columnist...
Hell Razor5543
Donor 2023
Posts: 13727
Joined: 01 Apr 2012, 09:47
Location: Reading
My Cars: C5 Mk2 VTX+ estate.
x 2993

Re: How not to manage password security

Post by Hell Razor5543 »

Something like this could be a start;

https://www.ebay.co.uk/itm/Brand-New-HP ... Sw71xZoVfh
James
ex BX 1.9
ex Xantia 2.0HDi SX
ex Xantia 2.0HDi LX
Ex C5 2.0HDi VTR
Ex C5 2.0HDi VTR

C5 2.2HDi VTX+
Yes, I am paranoid, but am I paranoid ENOUGH?
Out amongst the stars, looking for a world of my own!

Re: How not to manage password security

Post by CitroJim »

Fingerprints may be the answer James but likely they will need some development...

This would be better...

https://en.wikipedia.org/wiki/RSA_SecurID

This is an established and trusted system...
Jim

Runner, cyclist, time triallist, duathlete, Citroen AX fan and the CCC Citroenian 'From A to Z' Columnist...

Re: How not to manage password security

Post by xantia_v6 »

It was not the only stupidity I came across yesterday... I noticed that the company who had marked up the pavement for the locations of the fibre tails had made a mistake, and there were too many on the other side of the street and not enough on our side.

The operative at the company was not concerned: "the plans have been approved, so that is what we will build. If it is wrong, we will dig it up later and fix it".
Homer
Posts: 1503
Joined: 26 Feb 2003, 10:52
Location: Yorkshire
My Cars: Current:
Volvo V60 D4 180

Previous:
BX16RS (two of),
BX19TZI,
Xantia 2.0i saloon,
Xantia 2.0 Exclusive CT turbo Break,
Peugeot 807 2.0 HDi 110,
Renault Grand Scenic, 2.0 diesel (150bhp)
C5 X7 2.0 HDi 160 which put me off French cars possibly forever
x 16

Re: How not to manage password security

Post by Homer »

xantia_v6 wrote: 20 Nov 2017, 18:34
I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.

Re: How not to manage password security

Post by xantia_v6 »

Homer wrote: 21 Nov 2017, 08:13
xantia_v6 wrote: 20 Nov 2017, 18:34
I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.


Which by the way, is how passwords on this site are managed. Not even the site admins can recover them.
MikeT
Posts: 4809
Joined: 11 Jun 2007, 16:17
Location: Christchurch, Dorset. UK
My Cars: 2005 C5restyle 1.6HDI 16v 110hp VTR Estate
2008 C5 X7 1.6HDI VTR+ Saloon
x 231

Re: How not to manage password security

Post by MikeT »

xantia_v6 wrote: 21 Nov 2017, 07:56
It was not the only stupidity I came across yesterday... I noticed that the company who had marked up the pavement for the locations of the fibre tails had made a mistake, and there were too many on the other side of the street and not enough on our side.

The operative at the company was not concerned: "the plans have been approved, so that is what we will build. If it is wrong, we will dig it up later and fix it".


Reminds me, when I moved to my current location I noticed a certain TV provider had fibre inspection covers along our street so I called them to enquire about getting their broadband only to be told they didn't install them on our side and had no plans to do so. I ended up taking a competitor's ADSL service and ten years later, we're still paying money for old rope (twisted copper pair) at an unbelievably inflated price, I might add!
white exec
Moderating Team
Posts: 7445
Joined: 21 Dec 2015, 12:46
Location: Sayalonga, Malaga, Spain
My Cars: 1996 XM 2.5TD Exclusive hatch RHD
1992 BX19D Millesime hatch LHD
previously 1989 BX19RD, 1998 ZX 1.9D auto, 2001 Xantia 1.8i auto
and lots of Rovers before that: 1935 Ten, 1947 Sixteen, 1960 P5 3-litre, 1966 P6 2000, 1972 P6 2000TC, and 1975 P6B 3500S
x 1752

Re: How not to manage password security

Post by white exec »

Here, in the middle of 'nowhere', 5km inland, in the mountains 460m above sea level, we have broadband - and have had for 11 years. The link is wireless, and most of the campo houses here have it. We're on a modest package that delivers unlimited use, 12Mbits/sec down and 4 up, rock steady, and IPHDTV capable.

Can't understand how UK can struggle with something like this! Thank goodness the electricity National Grid (and the NHS) were created in another and forward-looking era; they wouldn't stand a chance now.
Chris

Re: How not to manage password security

Post by MikeT »

I'm having to sit on my hands here rather than reply in full as it's a political/corporate thing.
Mandrake
Posts: 8615
Joined: 10 Apr 2005, 17:23
Location: North Lanarkshire, UK
My Cars:
x 664

Re: How not to manage password security

Post by Mandrake »

Homer wrote: 21 Nov 2017, 08:13
xantia_v6 wrote: 20 Nov 2017, 18:34
I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.

Technically they should be stored using a hash. "Encrypted" implies that the password could be unencrypted with the right key or password, but a hash is a one way function, so even the server admin can't extract the original password.

You feed passwords in and get what looks like gibberish out and store that as the hashed password. When the user tries to log in their password is hashed the same way, if you get the same gibberish you know the password was correct, but you can't go backwards from the gibberish stored at the server to find the password.

In the old days it was just a hash, then it was salted hashes (avoids precomputation attacks where you just calculate the hash for every password you can think of in advance and store the results) and nowadays even a salted hash is considered not very secure as it can be brute forced by custom hardware that can do thousands of hash calculations (guesses) in parallel. The hash computation is "too easy" as it is designed to be fast.

Nowadays PBKDF2, bcrypt and scrypt are considered state of the art - they have the same basic properties of a one way hash and are used the same way, but they are very hard (if not impossible) to brute force using custom hardware as they effectively hash repeatedly thousands of times and thus can't be sped up by computing each step in parallel, also they require more memory than custom hardware will offer.

Any time I do a password reset on a website and they email me back my actual password (and it still happens!!! :roll: ) I cringe. That is the worst possible security because they clearly have my password in plain text in their database and have no clue about security... [-X

Not to mention they just sent my password in the clear over unencrypted, interceptable email! #-o
Simon

1997 Xantia S1 3.0 V6 Auto Exclusive in Silex Grey
2016 Nissan Leaf Tekna 30kWh in White

2011 Peugeot Ion Full Electric in Silver
1977 G Special 1129cc LHD
1978 CX 2400
1997 Xantia S1 2.0i Auto VSX
1998 Xantia S2 3.0 V6 Auto Exclusive
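The storage and verification scheme Simon describes (and the reset-only handling Homer asked for), shown as an added example that is not code from this thread or from any ISP. It uses Python's standard-library PBKDF2; the record format, iteration count and helper names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed record layout: "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>".
# ITERATIONS is deliberately large so every guess costs that many HMAC rounds.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record; the password itself is never stored."""
    salt = salt or os.urandom(16)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Re-hash the attempt with the stored salt and iteration count, then compare."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(attempt, expected)  # constant-time comparison


def reset_password(record_store, username):
    """The only thing support staff should be able to do: issue a new temporary
    password. The old one cannot be recovered from the stored record."""
    temporary = base64.urlsafe_b64encode(os.urandom(12)).decode("ascii")
    record_store[username] = hash_password(temporary)
    return temporary


if __name__ == "__main__":
    store = {"alice": hash_password("correct horse")}  # constructed sample account
    print(store["alice"])                               # gibberish, no password inside
    print(verify_password("correct horse", store["alice"]))  # True
    print(verify_password("wrong horse", store["alice"]))    # False
```

Hashing the same password twice yields two different records because each call draws a new salt, which is exactly why a precomputed table of hashes is useless against salted storage.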
NewcastleFalcon
Posts: 24563
Joined: 25 Feb 2009, 10:40
Location:
My Cars:
x 6866

Re: How not to manage password security

Post by NewcastleFalcon »

HMRC now use voice recognition for some aspects of their interactions with the general public to verify identity. Your voice is your password.

Doesn't prevent a couple of hours of wasted time simply trying to get through to someone and get access to fill in a self-assessment form on line though.

Was a bit surprised that one of the on-line options offered was to sign in via GOV.UK Verify. Initially seemed more straightforward but this little page didn't sell it to me...quite the opposite, and the phrase "Certified Company", (who are the ones doing the verifying), again has the exact opposite meaning to me of the reassurance the words are intended to convey. :-D
Regards Neil
Last edited by NewcastleFalcon on 21 Nov 2017, 16:11, edited 1 time in total.
Only One AA Box left
687 Trinity, Jersey

Re: How not to manage password security

Post by CitroJim »

NewcastleFalcon wrote: 21 Nov 2017, 15:14
HMRC now use voice recognition for some aspects of their interactions with the general public to verify identity. Your voice is your password.


With my speech impediment that might not work well with me :lol: Unless it can cope with a stutter that is ;)

It would be fun to try it out...

I can speak to Alexa with no problem and she can understand me so perhaps it would be OK for me... Sounds intriguing...
Jim

Runner, cyclist, time triallist, duathlete, Citroen AX fan and the CCC Citroenian 'From A to Z' Columnist...
daviemck2006
(Donor 2020)
Posts: 4989
Joined: 04 Dec 2010, 18:45
Location: Macduff
My Cars: Far too many good ones to remember. Many BL, Vauxhall, Ford, Renault, Citroen, Peugeot, and now VAG
x 487

Re: How not to manage password security

Post by daviemck2006 »

Alexa doesn’t like my accent, then I get frustrated and swear at her lol
Skoda Karoq 1.6tdi 2018
Citroen relay camper 2012
In the family
Seat Leon 1.5tsi tourer 2019 daughter 1
C1 vtr+ 2010 daughter 2
MikeT

Re: How not to manage password security

Post by MikeT »