How not to manage password security

xantia_v6
Forum Admin Team
Posts: 9524
Joined: 09 Nov 2005, 22:03
x 926

How not to manage password security

Unread post by xantia_v6 »

We are not far from having fibre internet installed in our street, and I needed to check some details on our ISP's web site, somewhere I try not to go as it is an awful site, which seems to have the only purpose of selling phone upgrades. The ISP is a well known global company.

I sat looking at the login screen for a few seconds, and realised that I had no idea what user name or password to use, tried a couple of likely combinations with no success, and then tried password recovery, but that required account number and user name, so didn't help. I then called their support line, and said that I had forgotten my user name and password. They asked for my name and date of birth, nothing else, and said that they did not match.

I then realised that the account was set up by my wife (as it was originally attached to her mobile phone account). I was told that they would need her permission to allow me access to the account. So they called her and got her permission.

Then they called me back and gave me a user name and password pair, which was fine until I realised that they had given me a user name and password that my wife has used on more than one site.

I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.

Beware.
CitroJim
A very naughty boy
Posts: 51338
Joined: 30 Apr 2005, 23:33
x 6776

Re: How not to manage password security

Unread post by CitroJim »

That's not good...

Passwords really have had their day... They are archaic and badly need to be replaced by authentication mechanisms that are better suited to the needs of today...

I don't know what - I'll leave that to those far wiser than me...
Jim

Runner, cyclist, duathlete, Citroen AX fan and the CCC Citroenian 'From A to Z' Columnist...
Hell Razor5543
Donor 2023
Posts: 13892
Joined: 01 Apr 2012, 09:47
x 3078

Re: How not to manage password security

Unread post by Hell Razor5543 »

Something like this could be a start;

https://www.ebay.co.uk/itm/Brand-New-HP ... Sw71xZoVfh
James
ex BX 1.9
ex Xantia 2.0HDi SX
ex Xantia 2.0HDi LX
ex C5 2.0HDi VTR
ex C5 2.0HDi VTR
ex C5 2.2HDi VTX+

Yes, I am paranoid, but am I paranoid ENOUGH?
Out amongst the stars, looking for a world of my own!
CitroJim
A very naughty boy
Posts: 51338
Joined: 30 Apr 2005, 23:33
x 6776

Re: How not to manage password security

Unread post by CitroJim »

Fingerprints may be the answer James but likely they will need some development...

This would be better...

https://en.wikipedia.org/wiki/RSA_SecurID

This is an established and trusted system...
Jim

Runner, cyclist, duathlete, Citroen AX fan and the CCC Citroenian 'From A to Z' Columnist...
xantia_v6
Forum Admin Team
Posts: 9524
Joined: 09 Nov 2005, 22:03
x 926

Re: How not to manage password security

Unread post by xantia_v6 »

It was not the only stupidity I came across yesterday... I noticed that the company who had marked up the pavement for the locations of the fibre tails had made a mistake, and there were too many on the other side of the street and not enough on our side.

The operative at the company was not concerned "the plans have been approved, so that is what we will build. If it is wrong, we will dig it up later and fix it".
Homer
Posts: 1503
Joined: 26 Feb 2003, 10:52
x 16

Re: How not to manage password security

Unread post by Homer »

xantia_v6 wrote: 20 Nov 2017, 18:34
I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.
xantia_v6
Forum Admin Team
Posts: 9524
Joined: 09 Nov 2005, 22:03
x 926

Re: How not to manage password security

Unread post by xantia_v6 »

Homer wrote: 21 Nov 2017, 08:13
xantia_v6 wrote: 20 Nov 2017, 18:34
I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.


Which by the way, is how passwords on this site are managed. Not even the site admins can recover them.
MikeT
Posts: 4808
Joined: 11 Jun 2007, 16:17
x 233

Re: How not to manage password security

Unread post by MikeT »

xantia_v6 wrote: 21 Nov 2017, 07:56 It was not the only stupidity I came across yesterday... I noticed that the company who had marked up the pavement for the locations of the fibre tails had made a mistake, and there were too many on the other side of the street and not enough on our side.

The operative at the company was not concerned "the plans have been approved, so that is what we will build. If it is wrong, we will dig it up later and fix it".


Reminds me, when I moved to my current location I noticed a certain TV provider had fibre inspection covers along our street so I called them to enquire about getting their broadband only to be told they didn't install them on our side and had no plans to do so. I ended up taking a competitor's ADSL service and ten years later, we're still paying money for old rope (twisted copper pair) at an unbelievably inflated price, I might add!
white exec
Posts: 7445
Joined: 21 Dec 2015, 12:46
x 1754

Re: How not to manage password security

Unread post by white exec »

Here, in the middle of 'nowhere', 5km inland, in the mountains 460m above sea level, we have broadband - and have had for 11 years. The link is wireless, and most of the campo houses here have it. We're on a modest package that delivers unlimited use, 12Mbits/sec down and 4 up, rock steady, and IPHDTV capable.

Can't understand how the UK can struggle with something like this! Thank goodness the electricity National Grid (and the NHS) were created in another and forward-looking era; they wouldn't stand a chance now.
Chris
MikeT
Posts: 4808
Joined: 11 Jun 2007, 16:17
x 233

Re: How not to manage password security

Unread post by MikeT »

I'm having to sit on my hands here rather than reply in full as it's a political/corporate thing.
Mandrake
Posts: 8691
Joined: 10 Apr 2005, 17:23
x 690

Re: How not to manage password security

Unread post by Mandrake »

Homer wrote: 21 Nov 2017, 08:13
xantia_v6 wrote: 20 Nov 2017, 18:34
I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.

Technically they should be stored using a hash. "Encrypted" implies that the password could be unencrypted with the right key or password, but a hash is a one way function, so even the server admin can't extract the original password.

You feed passwords in and get what looks like gibberish out and store that as the hashed password. When the user tries to log in their password is hashed the same way, if you get the same gibberish you know the password was correct, but you can't go backwards from the gibberish stored at the server to find the password.

In the old days it was just a hash, then it was salted hashes (avoids precomputation attacks where you just calculate the hash for every password you can think of in advance and store the results) and nowadays even a salted hash is considered not very secure as it can be brute forced by custom hardware that can do thousands of hash calculations (guesses) in parallel. The hash computation is "too easy" as it is designed to be fast.

Nowadays PBKDF2, bcrypt and scrypt are considered state of the art - they have the same basic properties of a one way hash and are used the same way, but they are very hard (if not impossible) to brute force using custom hardware as they effectively hash repeatedly thousands of times and thus can't be sped up by computing each step in parallel, also they require more memory than custom hardware will offer.

Any time I do a password reset on a website and they email me back my actual password (and it still happens!!! :roll: ) I cringe. That is the worst possible security because they clearly have my password in plain text in their database and have no clue about security... [-X

Not to mention they just sent my password in the clear over unencrypted, interceptable email! #-o
Simon

2016 Nissan Leaf Tekna 30kWh in White

1997 Xantia S1 3.0 V6 Auto Exclusive in Silex Grey
2011 Peugeot Ion Full Electric in Silver
1998 Xantia S2 3.0 V6 Auto Exclusive
1997 Xantia S1 2.0i Auto VSX
1978 CX 2400
1977 G Special 1129cc LHD
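The scheme Simon describes above (a plain fast hash, then a salted hash, then a deliberately slow KDF such as PBKDF2) and Homer's point that a hashed store only lets support reset a password, not read it, as an added example using only the Python standard library. This is not code from the forum or from any ISP; the iteration count and record format are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, 600k
# iterations, a 16-byte random salt per password.
ITERATIONS = 600_000
SALT_BYTES = 16


def plain_hash(password: str) -> str:
    """The 'old days' scheme: one fast, unsalted hash. Every user with the
    same password gets the same stored value, and a precomputed table of
    hashes of common passwords reverses it directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow KDF as the post recommends. Returns
    'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The password cannot be
    recovered from this record; it can only be checked against it."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so a wrong guess does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def reset_password(new_password: str) -> str:
    """All a support desk can do with a hashed store: store a fresh hash.
    The old password is never available to them."""
    return make_record(new_password)


if __name__ == "__main__":
    rec_a, rec_b = make_record("correct horse"), make_record("correct horse")
    print(rec_a != rec_b)                    # different salts, different records
    print(verify("correct horse", rec_a))    # True
    print(verify("wrong", rec_a))            # False
```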
NewcastleFalcon
Posts: 26241
Joined: 25 Feb 2009, 10:40
x 7082

Re: How not to manage password security

Unread post by NewcastleFalcon »

HMRC now use voice recognition for some aspects of their interactions with the general public to verify identity. Your voice is your password.

Doesn't prevent a couple of hours of wasted time simply trying to get through to someone and get access to fill in a self-assessment form on line though.

Was a bit surprised that one of the on-line options offered was to sign in via GOV.UK Verify. Initially seemed more straightforward but this little page didn't sell it to me...quite the opposite, and the phrase "Certified Company", (who are the ones doing the verifying), again has the exact opposite meaning to me of the reassurance the words are intended to convey. :-D
verify.jpg
Regards Neil
Last edited by NewcastleFalcon on 21 Nov 2017, 16:11, edited 1 time in total.
Only One AA Box left
687 Trinity, Jersey
CitroJim
A very naughty boy
Posts: 51338
Joined: 30 Apr 2005, 23:33
x 6776

Re: How not to manage password security

Unread post by CitroJim »

NewcastleFalcon wrote: 21 Nov 2017, 15:14 HMRC now use voice recognition for some aspects of their interactions with the general public to verify identity. Your voice is your password.


With my speech impediment that might not work well with me :lol: Unless it can cope with a stutter that is ;)

It would be fun to try it out...

I can speak to Alexa with no problem and she can understand me so perhaps it would be OK for me... Sounds intriguing...
Jim

Runner, cyclist, duathlete, Citroen AX fan and the CCC Citroenian 'From A to Z' Columnist...
daviemck2006
Donor 2024
Posts: 5007
Joined: 04 Dec 2010, 18:45
x 492

Re: How not to manage password security

Unread post by daviemck2006 »

Alexa doesn’t like my accent, then I get frustrated and swear at her lol
Skoda Karoq 1.6tdi 2018
Citroen dispatch 2014
In the family
Seat Leon 1.5tsi tourer 2019 daughter 1
C1 vtr+ 2010 daughter 2
MikeT
Posts: 4808
Joined: 11 Jun 2007, 16:17
x 233

Re: How not to manage password security

Unread post by MikeT »