How not to manage password security

xantia_v6
Forum Admin Team
Posts: 7469
Joined: 09 Nov 2005, 23:03
x 419

How not to manage password security

Post by xantia_v6 »

We are not far from having fibre internet installed in our street, and I needed to check some details on our ISPs web site, somewhere I try not to go as it is an awful site, which seems to have the only purpose of selling phone upgrades. The ISP is a well known global company.

I sat looking at the login screen for a few seconds, and realised that I had no idea what user name or password to use, tried a couple of likely combinations with no success, and then tried password recovery, but that required account number and user name, so didn't help. I then called their support line, and said that I had forgotten my user name and password. They asked for my name and date of birth, nothing else, and said that they did not match.

I then realised that the account was set up by my wife (as it was originally attached to her mobile phone account). I was told that they would need her permission to allow me access to the account. So they called her and got her permission.

Then they called me back and gave me a user name and password pair, which was fine until I realised that they had given me a user name and password that my wife has used on more than one site.

I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.

Beware.

CitroJim
A very naughty boy
Posts: 42145
Joined: 30 Apr 2005, 23:33
x 1237

Re: How not to manage password security

Post by CitroJim »

That's not good...

Passwords really have had their day... They are archaic and badly need to be replaced by authentication mechanisms that are better suited to the needs of today...

I don't know what - I'll leave that to those far wiser than me...

Hell Razor5543
NOT Alistair or Simon
Posts: 10709
Joined: 01 Apr 2012, 09:47
x 1053

Re: How not to manage password security

Post by Hell Razor5543 »

Something like this could be a start;

https://www.ebay.co.uk/itm/Brand-New-HP ... Sw71xZoVfh

CitroJim
A very naughty boy
Posts: 42145
Joined: 30 Apr 2005, 23:33
x 1237

Re: How not to manage password security

Post by CitroJim »

Fingerprints may be the answer James but likely they will need some development...

This would be better...

https://en.wikipedia.org/wiki/RSA_SecurID

This is an established and trusted system...

xantia_v6
Forum Admin Team
Posts: 7469
Joined: 09 Nov 2005, 23:03
x 419

Re: How not to manage password security

Post by xantia_v6 »

It was not the only stupidity I came across yesterday... I noticed that the company who had marked up the pavement for the locations of the fibre tails had made a mistake, and there were too many on the other side of the street and not enough on our side.

The operative at the company was not concerned "the plans have been approved, so that is what we will build. If it is wrong, we will dig it up later and fix it".

Homer
Posts: 1504
Joined: 26 Feb 2003, 11:52
x 14

Re: How not to manage password security

Post by Homer »

xantia_v6 wrote:
20 Nov 2017, 19:34

I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.

xantia_v6
Forum Admin Team
Posts: 7469
Joined: 09 Nov 2005, 23:03
x 419

Re: How not to manage password security

Post by xantia_v6 »

Homer wrote:
21 Nov 2017, 09:13
xantia_v6 wrote:
20 Nov 2017, 19:34

I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.


Which by the way, is how passwords on this site are managed. Not even the site admins can recover them.

MikeT
Posts: 4838
Joined: 11 Jun 2007, 16:17
x 186

Re: How not to manage password security

Post by MikeT »

xantia_v6 wrote:
21 Nov 2017, 08:56
It was not the only stupidity I came across yesterday... I noticed that the company who had marked up the pavement for the locations of the fibre tails had made a mistake, and there were too many on the other side of the street and not enough on our side.

The operative at the company was not concerned "the plans have been approved, so that is what we will build. If it is wrong, we will dig it up later and fix it".


Reminds me, when I moved to my current location I noticed a certain TV provider had fibre inspection covers along our street so I called them to enquire about getting their broadband only to be told they didn't install them on our side and had no plans to do so. I ended up taking a competitor's ADSL service and ten years later, we're still paying money for old rope (twisted copper pair) at an unbelievably inflated price, I might add!

white exec
Moderating Team
Posts: 6240
Joined: 21 Dec 2015, 13:46
x 1051

Re: How not to manage password security

Post by white exec »

Here, in the middle of 'nowhere', 5km inland, in the mountains 460m above sea level, we have broadband - and have had for 11 years. The link is wireless, and most of the campo houses here have it. We're on a modest package that delivers unlimited use, 12Mbits/sec down and 4 up, rock steady, and IPHDTV capable.

Can't understand how UK can struggle with something like this! Thank goodness the electricity National Grid (and the NHS) were created in another and forward-looking era; they wouldn't stand a chance now.

MikeT
Posts: 4838
Joined: 11 Jun 2007, 16:17
x 186

Re: How not to manage password security

Post by MikeT »

I'm having to sit on my hands here rather than reply in full as it's a political/corporate thing.

Mandrake
Posts: 8196
Joined: 10 Apr 2005, 17:23
x 328

Re: How not to manage password security

Post by Mandrake »

Homer wrote:
21 Nov 2017, 09:13
xantia_v6 wrote:
20 Nov 2017, 19:34

I don't think that it would be very hard to exploit this system for criminal purposes. I am surprised even, in this age, that the customer service rep even has access to plain-text passwords.


No they shouldn't. The password should be stored encrypted, the best they should be able to do is reset it and tell you the new one.

Technically they should be stored using a hash. "Encrypted" implies that the password could be unencrypted with the right key or password, but a hash is a one way function, so even the server admin can't extract the original password.

You feed passwords in and get what looks like gibberish out and store that as the hashed password. When the user tries to log in their password is hashed the same way, if you get the same gibberish you know the password was correct, but you can't go backwards from the gibberish stored at the server to find the password.

In the old days it was just a hash, then it was salted hashes (avoids precomputation attacks where you just calculate the hash for every password you can think of in advance and store the results) and nowadays even a salted hash is considered not very secure as it can be brute forced by custom hardware that can do thousands of hash calculations (guesses) in parallel. The hash computation is "too easy" as it is designed to be fast.

Nowadays PBKDF2, bcrypt and scrypt are considered state of the art - they have the same basic properties of a one way hash and are used the same way, but they are very hard (if not impossible) to brute force using custom hardware as they effectively hash repeatedly thousands of times and thus can't be sped up by computing each step in parallel, also they require more memory than custom hardware will offer.

Any time I do a password reset on a website and they email me back my actual password (and it still happens!!! :roll: ) I cringe. That is the worst possible security because they clearly have my password in plain text in their database and have no clue about security... [-X

Not to mention they just sent my password in the clear over unencrypted, interceptable email! #-o
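To make the contrast in the post above concrete (plain fast hash versus salted, deliberately slow derivation, and verifying by re-hashing rather than ever storing the password), here is an added Python example; it is not code from the thread, it uses the standard library's PBKDF2-HMAC-SHA256, and the iteration count and demo password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: each guess costs this many HMAC rounds, which is what
# makes brute forcing on fast hardware expensive compared with a bare SHA-256.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt per user means two people with the same password get
    different records, which defeats precomputed hash tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare in
    constant time. Nothing in the record lets anyone recover the password."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed or truncated record
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The 'old days' scheme from the post: one fast, unsalted hash, shown for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed demo: two users who happen to choose the same password.
    rec_a = hash_password("correct horse")
    rec_b = hash_password("correct horse")
    print("plain hashes identical:", unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))
    print("salted records differ: ", rec_a != rec_b)
    print("right password verifies:", verify_password("correct horse", rec_a))
    print("wrong password rejected:", verify_password("wrong", rec_a))
```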

NewcastleFalcon
Posts: 12572
Joined: 25 Feb 2009, 11:40
x 1169

Re: How not to manage password security

Post by NewcastleFalcon »

HMRC now use voice recognition for some aspects of their interactions with the general public to verify identity. Your voice is your password.

Doesn't prevent a couple of hours of wasted time simply trying to get through to someone and get access to fill in a self-assessment form on line though.

Was a bit surprised that one of the on-line options offered was to sign in via GOV.UK Verify. Initially seemed more straightforward but this little page didn't sell it to me...quite the opposite, and the phrase "Certified Company", (who are the ones doing the verifying), again has the exact opposite meaning to me of the reassurance the words are intended to convey. :-D
verify.jpg
Regards Neil
Last edited by NewcastleFalcon on 21 Nov 2017, 17:11, edited 1 time in total.

CitroJim
A very naughty boy
Posts: 42145
Joined: 30 Apr 2005, 23:33
x 1237

Re: How not to manage password security

Post by CitroJim »

NewcastleFalcon wrote:
21 Nov 2017, 16:14
HMRC now use voice recognition for some aspects of their interactions with the general public to verify identity. Your voice is your password.


With my speech impediment that might not work well with me :lol: Unless it can cope with a stutter that is ;)

It would be fun to try it out...

I can speak to Alexa with no problem and she can understand me so perhaps it would be OK for me... Sounds intriguing...

daviemck2006
Donor 2020
Posts: 4889
Joined: 04 Dec 2010, 19:45
x 318

Re: How not to manage password security

Post by daviemck2006 »

Alexa doesn’t like my accent, then I get frustrated and swear at her lol

MikeT
Posts: 4838
Joined: 11 Jun 2007, 16:17
x 186

Re: How not to manage password security

Post by MikeT »