If you’re a customer of British broadband provider Plusnet, I would recommend you read today’s story in The Register.
In a nutshell, we all hope that the companies we deal with online are handling our passwords in a safe, secure way.
Best practice – as defined by no less an authority than the UK government – stipulates that passwords should never be stored as plain text, and a one-way cryptographic hash should be created (after a salt is added) to ensure that a hacker who manages to gain access to a password database can’t uncover passwords.
(If you don’t understand what salting and hashing is all about when it comes to passwords, watch this video.)
Because simply encrypting a password before storing it in a database isn’t enough.
However, Plusnet doesn’t appear to be following best practice when it comes to passwords. Put simply, any website which can tell you what your password is isn’t acting responsibly.
What’s more Plusnet has been warned about the problem before:
— Mark Hemmings (@mhemmings) June 17, 2014
And some Plusnet users have reported that the company’s support staff have confirmed that they can read customers’ passwords:
— .cow (@shoutsatcows) April 20, 2015
That sounds pretty disastrous to me. Just imagine, for instance, how many people use the same password for multiple online accounts – if one rogue employee from Plusnet can see your Plusnet password, they might be tempted to see if it would work against your other online accounts too…
I found it hard to believe that in the wake of recent data breaches, Plusnet would be so sloppy with its security. So I dropped their PR team a note asking for confirmation about whether their staff could read customers’ passwords, and whether passwords were being properly salted and hashed.
Here is what they told me (or rather cut-and-pasted for me):
“Plusnet goes to great lengths to ensure we protect and secure our customer data. Passwords are encrypted in our database. We do not show customers their passwords in an email in plain text and anyone who has forgotten their password must go through a combination of security mechanisms to regain access.”
When I pointed out to them that they hadn’t actually answered my questions (“Can Plusnet staff see my password?” and “Is Plusnet employing salted password hashing?”) their reply was curt:
“We’ve issued the statement and will not be answering any additional queries.”
Which I think tells you everything you need to know…
It would be great to think that the recent hack of rival broadband provider TalkTalk, which saw its CEO making uncomfortable apologies on national TV broadcasts, would make Plusnet do some serious self-examination and ask itself what it might be doing wrong, and how it might make itself more secure.
If there is a potential issue, own up to it and fix it. You’re not doing your customers any favours by hiding it under the carpet.