UKC

Online account security details.

This topic has been archived, and won't accept reply postings.

Followed the thread on The Cloud and made me think about a current situation.

Signed up online for a new broadband provider, and still in cooling off period.

Received in the post yesterday a letter that contained details of my account (nothing I did not already know) and what surprised me was that it included as a password hint part of the actual password with the other characters shown just as an *. Coincidentally or not, the number of * corresponds to the actual number of non-displayed characters.

Reading the letter, if I understood it correctly, they are saying that the online password is used not only for online access, but also if I phone them and if I set up my router manually. What, is that not increasing risk?

Given that they have printed the actual number of characters in my password and shown some 40% of it, and printed other details useful for getting through any security (username, email address, etc.), have they compromised my security?

I am not aware of dealing with any other company that uses the same password for telephoning as online access (let alone for something like a router password). If I have to give my online password to speak on the phone, what is to stop rogue staff from misusing the details?

Should I just cancel now (18mth contract if I don't)? Thoughts appreciated, thanks.
imkevinmc 27 Nov 2014
In reply to Climbing Pieman:

Who's the provider?

ByEek 27 Nov 2014
In reply to Climbing Pieman:

Nah. It sounds like their security is not the greatest, but you have to ask yourself what the chances are of someone intercepting your mail and then sitting within range of your wifi router in order to gain access to your network. Probably quite slim. Do you have options to change your password?
Removed User 27 Nov 2014
In reply to Climbing Pieman:

You can't be serious.
yorkshireman 27 Nov 2014
In reply to Climbing Pieman:

This is a fundamental security mistake, and although the chances of it being used maliciously are low, I'm always disappointed when I see companies entrusted with our private data acting in this way.

Anyone who holds your password should have it hashed (essentially garbling it) in such a way that it cannot be read. If you have to give it over the phone, the operator types it in and the computer gives a yes/no - it's not a case of them looking at your password and comparing the two.

It's the same issue with any other account - if you click on the 'forgot password' link on a website and they actually send you an email with your password in it, that's not good.

If they can read the password - anyone can if they hack in. And since lots of people use the same password across multiple sites, the first thing they will do is try those passwords against other sites.
In reply to Climbing Pieman:
Thanks all so far.
Not sure it's fair to name the provider. It just highlights their system methods. Anyone with them will no doubt know, unless this is a new procedure or a slip-up.

Yes, I can change the password online. I did think of this, but if it is linked to phone security and router security, and it is visible to staff when phoning, what is the point?

Yes I'm serious. Already had two attempted fraud cases on a credit card this year through misuse of details. I'm not paranoid, just want to be careful and to avoid too much hassle. The two fraud attempts were initially dismissed as I had dealt with the company regularly and so it must have been me.

I do think the risk is low, but I have the option to say to them in the cooling off period that if that is how they handle security, then sorry, your company is not for me. It's what else they do with data behind the scenes that more concerns me.
KevinD 27 Nov 2014
In reply to yorkshireman:

> Anyone who holds your password should have it hashed (essentially garbling it) in such a way that it cannot be read. If you have to give it over the phone, the operator types it in and the computer gives a yes/no - it's not a case of them looking at your password and comparing the two.

But then that means once you phone up the operator has your full details. Which isn't that good.
Which is why a two-tiered system with a separate helpdesk password and a "select a couple of letters" check can come in useful, since then they don't have access to the full password. Downside is if the db is accessed then all the passwords are in the clear.

Both have their pros and cons.
For the router bit, it depends whether it is the admin logon (which would be problematic) or the service logon.
If the latter, the risk is probably rather low. It would need some effort to misuse as far as I am aware (although I'm not an expert on the ISP setup so could be wrong).
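The two helpdesk designs yorkshireman and KevinD describe, side by side, as an added example that is not part of the original thread: a full-password check against a salted hash (the operator only learns yes/no), and a "give me letters 3 and 7" check done with one salted hash per position so the database need not hold the clear password. The per-position variant still has the weakness KevinD points to: each hash covers a single character, so a stolen record is cheap to recover position by position, and the record length gives away the password length. Function names and the iteration count are assumptions, not anything the provider uses.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed here, raise in production


def store_full(password: str) -> dict:
    """Keep only a salted PBKDF2 hash; the clear password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_full(record: dict, attempt: str) -> bool:
    """Helpdesk path: the operator types what the caller says and the system
    answers yes/no; nothing stored can be read back as the password."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def store_partial(password: str) -> dict:
    """'Select a couple of letters' scheme without a clear-text database:
    one salted hash per character position. Trade-off: a single character
    per hash is a tiny search space if the record leaks, and the number of
    entries reveals the password length."""
    salt = os.urandom(16)
    positions = [
        hashlib.pbkdf2_hmac("sha256", f"{i}:{c}".encode(), salt, ITERATIONS)
        for i, c in enumerate(password)
    ]
    return {"salt": salt, "positions": positions}


def challenge(record: dict, k: int = 2) -> list:
    """Choose k distinct 0-based positions to ask the caller for."""
    return sorted(secrets.SystemRandom().sample(range(len(record["positions"])), k))


def verify_partial(record: dict, positions: list, chars: str) -> bool:
    """Check only the requested positions; the operator never sees the rest."""
    n = len(record["positions"])
    if len(positions) != len(chars) or any(not 0 <= i < n for i in positions):
        return False
    ok = True
    for i, c in zip(positions, chars):
        d = hashlib.pbkdf2_hmac("sha256", f"{i}:{c}".encode(), record["salt"], ITERATIONS)
        ok &= hmac.compare_digest(d, record["positions"][i])
    return ok
```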
In reply to Climbing Pieman:
Update. I phoned the company this afternoon to check, and yes, they do use the same online username and password for everything - online, telephone, the router if necessary, and in addition also apparently the live online help.

However, on the phone only two characters of the password are requested each time, and for the router it is only needed and used if you choose to change to your own router or deliberately override their preprogrammed software, which has its own username and password attached to the router when sent. Didn't ask about the live online help.

Probably a very low risk, but does still seem strange to a non technical person like me.

Thanks for the comments again. I am thinking just to give them the benefit of the doubt. I can always change my password online during the contract if I have concerns later, I suppose.
In reply to Climbing Pieman:

> what surprised me was that it included as a password hint part of the actual password with the other characters shown just as an *. Coincidentally or not, the number of * corresponds to the actual number of non-displayed characters.

You're right to be concerned. What they've done is weaken your password down to the number of characters that remain obscured as *. If they've revealed a significant number of characters in plain text, that could be a very significant weakening. Revealing part of a password, or the length of a password, is contrary to good security practice.

I'd name and shame.
In reply to captain paranoia:
> I'd name and shame.

Maybe I should - I'll sleep on it and not do anything in haste! Thanks for your comment.
