Standard User TucuUK
(newbie) Tue 24-Feb-15 16:07:29

Sky Broadband: company stores password in cleartext?

A week ago I was talking to Sky support and, as part of the "identity confirmation" process, they asked me for the last two characters of my password. At the time I just gave it to them.
It has now hit me that they must be storing my password in a way that is accessible to them: either cleartext or encrypted with a key available to them.
I can't believe that after so many high-profile password leaks, Sky has not implemented hash + salt passwords.
Standard User Oliver341
(eat-sleep-adslguide) Tue 24-Feb-15 16:30:14

Re: Sky Broadband: company stores password in cleartext?
[re: TucuUK]

Perhaps the CS agent will have a screen asking them for the 2 characters, then when they input the characters the system will say "correct" or "incorrect".

Or are you saying that it is impossible to check just two characters of a password with a hash and salt password?

Oliver.
Standard User ian72
(eat-sleep-adslguide) Tue 24-Feb-15 16:34:15

Re: Sky Broadband: company stores password in cleartext?
[re: Oliver341]

I would say it is impossible to check a one-way encrypted password without having the whole password (or cracking it).

I can't think of how that could be done unless the individual characters were stored separately, and that would presumably make it much easier to decrypt them anyway.
Standard User TucuUK
(newbie) Tue 24-Feb-15 16:36:45

Re: Sky Broadband: company stores password in cleartext?
[re: Oliver341]

If Sky were using hashes + salt they would have no way to check just 2 characters.

It looks like Sky is not the only ISP doing this. I just read a recent comment on Ars Technica saying that a BT subsidiary (PlusNet?) follows similar practices.
Standard User micksharpe
(legend) Tue 24-Feb-15 16:39:28

Re: Sky Broadband: company stores password in cleartext?
[re: Oliver341]

In reply to a post by Oliver341:
> Or are you saying that it is impossible to check just two characters of a password with a hash and salt password?

There are various schemes but they all have their weaknesses. See the second reply to this question:

Password systems which ask for individual letters - what do they store?

Sweet Thames, run softly till I end my song,
Sweet Thames, run softly, for I speak not loud or long.
Standard User Oliver341
(eat-sleep-adslguide) Tue 24-Feb-15 16:48:32

Re: Sky Broadband: company stores password in cleartext?
[re: micksharpe]

Interesting. Obviously it would be even worse for the CS agent to ask for the whole password. A lot of ISPs I use just have a second password which is only used when contacting customer services; I think that's probably the best idea.

Oliver.
Standard User TucuUK
(newbie) Tue 24-Feb-15 17:09:44

Re: Sky Broadband: company stores password in cleartext?
[re: Oliver341]

After reading the Stack Overflow link (and linked articles), it seems that no partial-password scheme is substantially better than cleartext in the case of a password database leak. All of them make it easier for an attacker to retrieve the original password.
Standard User Oliver341
(eat-sleep-adslguide) Tue 24-Feb-15 17:12:58

Re: Sky Broadband: company stores password in cleartext?
[re: TucuUK]

In reply to a post by TucuUK:
> After reading the Stack Overflow link (and linked articles), it seems that no partial-password scheme is substantially better than cleartext in the case of a password database leak. All of them make it easier for an attacker to retrieve the original password.

Then what? Are you advocating the CS agent asks for the whole password so that the database can be hashed and salted?

Oliver.
Standard User TucuUK
(newbie) Tue 24-Feb-15 17:24:32

Re: Sky Broadband: company stores password in cleartext?
[re: Oliver341]

They could use hash + salt for their website and a completely independent system for phone customer service. Then they could use a questionnaire to confirm identity. For example:
- is the user calling from a registered phone? +
- does the user know their account number, account holder, address? +
- other information (digits of the direct debit sort code, last payment amount, etc.)
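The two-credential design proposed in this post, and the "no better than cleartext" point made earlier in the thread about per-character schemes, can both be shown in a few lines. The code below is an added example, not Sky's system or anything from the linked Stack Overflow answer. It assumes a web password and a separate customer-service phrase are each stored as a random salt plus a PBKDF2-HMAC-SHA256 digest and are only ever verified in full (the agent's screen would see only the boolean), and it compares the worst-case work an attacker faces after a database leak for a whole-secret hash versus one salted hash per character position, the scheme that makes "tell me the 2nd and 7th letter" checkable. The round count, account class and sample secrets are constructed for the example.

```python
"""Added example: whole-secret salted hashing for two separate credentials, plus a
worst-case cost comparison against per-character hashing after a database leak.
Not the page's or Sky's code; names and parameters are the example's own."""
import hashlib
import hmac
import os
import string

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune upward on real hardware
# 94 printable ASCII characters excluding whitespace: digits, letters, punctuation
ALPHABET_SIZE = len(string.digits + string.ascii_letters + string.punctuation)


def hash_secret(secret, salt=None):
    """Return a storable record: random per-record salt plus PBKDF2 digest of the
    WHOLE secret. The record carries no information about individual characters,
    so the only question it can answer is "is this string the entire secret?"."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def verify_full(candidate, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["digest"])


class Account:
    """Two independent credentials: the web login password and a separate phrase
    used only when phoning customer services (the 'second password' idea above)."""

    def __init__(self, web_password, cs_phrase):
        self.web_record = hash_secret(web_password)
        self.cs_record = hash_secret(cs_phrase)

    def web_login(self, password):
        return verify_full(password, self.web_record)

    def phone_identity_check(self, phrase):
        # The agent's screen only ever gets this boolean, never the phrase itself.
        return verify_full(phrase, self.cs_record)


def worst_case_guesses(length, per_character_hashes):
    """Worst-case guesses to recover one random password of `length` printable
    characters from a leaked database.
    Whole-secret hash: every string of that length is a candidate -> 94**length.
    One salted hash per position: each position is inverted on its own, at most
    94 guesses each -> 94*length. That collapse is why partial-password storage
    buys little over cleartext once the table leaks."""
    if per_character_hashes:
        return ALPHABET_SIZE * length
    return ALPHABET_SIZE ** length


if __name__ == "__main__":
    acct = Account("correct horse battery", "mothers-maiden-name")  # constructed secrets
    print("web login ok:", acct.web_login("correct horse battery"))
    print("phone check ok:", acct.phone_identity_check("mothers-maiden-name"))
    for n in (8, 12):
        print(f"length {n}: whole-secret {worst_case_guesses(n, False):,} "
              f"vs per-character {worst_case_guesses(n, True):,}")
```

The point of the split is that the phone channel never touches the web password at all: the customer-service phrase is quoted in full, verified in full, and can be rotated without touching the login credential, while the web password stays a whole-secret salted hash that cannot answer a positional question even if someone wanted it to.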
Standard User Oliver341
(eat-sleep-adslguide) Tue 24-Feb-15 17:29:13

Re: Sky Broadband: company stores password in cleartext?
[re: TucuUK]

I actually wasn't aware that Sky ask for letters of the main password; I always remember using a customer service password which I quoted in full (I chose my mother's maiden name). Giving letters from my main password would have been fairly laborious, as my passwords are generated and stored by KeePass and are generally fairly hellish!

Oliver.