Plusnet ignores GCHQ, spits out plaintext passwords to customers

At least we don't email them, says security-shy telco


Contrary to password storage security standards, BT-owned Plusnet is still delivering plaintext strings back to forgetful users, and seems to have no plans to tidy itself up any time soon – despite years of warnings from security experts and the advice of GCHQ.

Plusnet has stated that it "goes to great lengths to ensure we protect and secure our customer data", however plaintext passwords are still viewable by support staff and users.

The issue at the company has been recorded since 2013, though may have been in effect long before that date, as noted in the Plain Text Offenders tumblr.

Omer van Kloeten, one of the privacy enthusiasts behind the name-and-shame blog, told The Register: "The passwords users provide sites are the sole and secret property of the users."

"No one apart from the user should ever know what their password is," said Van Kloeten, noting that if the user used a password manager "as they should," even they wouldn't know it.

Moreover, we all use the same password for multiple accounts. What if someone - a hacker or even a malicious Plusnet employee - were to try and use this password for other accounts, on other sites?

This behavior exposes users to innumerable risks. Plusnet is painting a very big target on their own backs.

"Passwords are encrypted in our database," the telco claimed to The Register. "We do not show customers their passwords in an email in plain text and anyone who has forgotten their password must go through a combination of security mechanisms to regain access."

The value of these security mechanisms are quite contestable, however, as is the value of denying the appearance of the plaintext password in emails; the issue is rather that a link in the email directs users to a webpage where the plaintext password is presented.

Plusnet customer James Holt told The Register: "When I needed to get into my Plusnet Member Centre account last week I was pretty surprised that Plusnet so readily presented me with my account password on a web page simply by entering my Plusnet username on the Forgotten Your Password? page and then clicking the link in the email they sent me. Boom - there it was staring right back at me under the heading 'Here you go, this is your password'."

Holt said "just to make sure I cleared the Safari cache on my phone, disabled wifi and did the whole thing again just in case Plusnet was doing some kind of identification from my broadband IP, but the exact same thing happened again."

The issue seems to have been consistently present between 2013 and now, as several tweets have referenced it too.

"I've never come across a website that behaves in this way before." said Holt. "Clearly they are not using one-way hashing of passwords.

Asked to clarify whether Plusnet encrypted passwords using a one-way hash function, The Register was told "We have already issued a statement with regards to your queries and have nothing further to add."

Recent password guidance (pdf) published by CESG, the information assurance arm of GCHQ, recommended that companies do not store information as Plusnet seems to be doing.

A GCHQ spokesperson told The Register that "The CESG Password Guidance recommends that password files should be hashed and salted. If this process is followed correctly, it will not be possible to reconstruct the plaintext password."

Security researcher Kenn White said that "When a web site is able to 'remind' you of your password by emailing it back, that's a symptom of very poor security practices. We know from years of cleaning up and analyzing breach incidents that people routinely reuse passwords across sites. And so even if someone has seen the light and uses strong passwords moving forward, they may have scores of old logins long since forgotten that might come back to haunt them when they leak."

"Quite simply," he added "a company puts your private information and financial data at risk when it stores customer credentials in databases as unencrypted plaintext. So when an organization says "We care about your privacy and security" but they operate like this, they really don't. And the booming business in post-hack identity monitoring services confirms that."

Matthew Green, a cryptography expert at Johns Hopkins University, told ​The Register​: "If they’re using a proper password hash function, there should be no way for the company to retrieve the plaintext hash of a password. End of story. Encrypting passwords in their database sounds good, but in practice it doesn’t mean that the data is actually protected — since obviously the system has to be able to recover the unencrypted password to send it to users. If an attacker can compromise the server, they may be able to read out plaintext passwords."

He added: "In general, my intuition is that this company is not following best practices and is probably putting their users’ credentials at risk."

When The Register contacted Plusnet again with these concerns, the company refused to answer whether it was reviewing its password storage practices and again stated it would not deviate from its initial statement.

White recommends that "for critical accounts like online banking and web mail (which is the de facto center of your online identity), I strongly recommend using a password manager, and if identity theft is a serious concern, look into the feasibility of a formal credit freeze." ®

Similar topics


Other stories you might like

  • These Rapoo webcams won't blow your mind, but they also won't break the bank

    And they're almost certainly better than a laptop jowel-cam

    Review It has been a long 20 months since Lockdown 1.0, and despite the best efforts of Google and Zoom et al to filter out the worst effects of built-in laptop webcams, a replacement might be in order for the long haul ahead.

    With this in mind, El Reg's intrepid reviews desk looked at a pair of inexpensive Rapoo webcams in search for an alternative to the horror of our Dell XPS nose-cam.

    Rapoo sent us its higher-end XW2K, a 2K 30fps device and, at the other end of the scale, the 720p XW170. Neither will break the bank, coming in at around £40 and £25 respectively from online retailers, but do include some handy features, such as autofocus and a noise cancelling microphone.

    Continue reading
  • It's one thing to have the world in your hands – what are you going to do with it?

    Google won the patent battle against ART+COM, but we were left with little more than a toy

    Column I used to think technology could change the world. Google's vision is different: it just wants you to sort of play with the world. That's fun, but it's not as powerful as it could be.

    Despite the fact that it often gives me a stomach-churning sense of motion sickness, I've been spending quite a bit of time lately fully immersed in Google Earth VR. Pop down inside a major city centre – Sydney, San Francisco or London – and the intense data-gathering work performed by Google's global fleet of scanning vehicles shows up in eye-popping detail.

    Buildings are rendered photorealistically, using the mathematics of photogrammetry to extrude three-dimensional solids from multiple two-dimensional images. Trees resolve across successive passes from childlike lollipops into complex textured forms. Yet what should feel absolutely real seems exactly the opposite – leaving me cold, as though I've stumbled onto a global-scale miniature train set, built by someone with too much time on their hands. What good is it, really?

    Continue reading
  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading

Biting the hand that feeds IT © 1998–2021