Use a unique password for PN

http://www.theregister.co.uk/2015/11/25/plusnet_stil...

I always use different passwords for each site - doesn't everybody

What's worse is that Plusnet's email servers still don't support SSL, so passwords are frequently sent across the internet unencrypted:

http://www.plus.net/images/support/email/setup/wlm20...

Probably no different to other ISPs - with pretty much all of the network authentication methods you must either have the plaintext password at the ISP, or transmit it in plaintext to the ISP.

What they really should do is have separate network authentication credentials to the one used for the portal and email - the network authentication is only of use to someone with the same ISP and can be easily traced, the portal credentials can be used from anywhere and gives access to personal information. Eclipse certainly separated the two when I was with them.

The portal credentials should never be disclosed by phone as it allows phishing and account hijacking - set a random new one and post the details to the registered address or alternate email address registered when the account was opened, force password change on first use. As ever this is typically seen as inconvenient when someone looses their password, and most people seem to favor convenience over security.

I assume sarcasm 'Doesn't everybody' but that is the problem. Hardly anybody uses a unique password at every site.

I do.

And when my wife was alive, if a site such as a credit card company needed us to have separate logins we used different passwords.

I don't, but I do use different passwords for important sites. Most importantly, never reuse your primary email address password as any compromised site using the same password would give hackers access to what is usually the primary channel for communication, getting passwords reset and so on. Having access to somebody's primary email address opens a potential Pandora's box.

In fact it's probably best to have a completely separate email account linked to "high security" sites like banks.

In reply to a post by TheEulerID:

In fact it's probably best to have a completely separate email account linked to "high security" sites like banks.

I give all my contacts a unique email address. It's a great way of reducing spam. If you get an email you shouldn't you know why and you can block that address without affecting any others.

Edited by Andrue (Thu 26-Nov-15 16:43:13)

In reply to a post by tdw42:

What they really should do is have separate network authentication credentials to the one used for the portal and email

My Plusnet email password is different to my portal/network authentication password (and always has been).

It's only the same when people don't take the short time required to configure it via http://email.plus.net

Separating the portal and network authentication credentials is overdue.

I admire your ability to keep track, although I suppose if you use a mail server allowing for an unlimited number of addresses you can just use a name based on the site DNS contents.

In reply to a post by TheEulerID:

I admire your ability to keep track, although I suppose if you use a mail server allowing for an unlimited number of addresses you can just use a name based on the site DNS contents.

GMail supports the idea of [email protected] where after the + and before the @ can be anything and you'll receive it into the name mailbox.

Although you still get some websites that don't allow the use of addresses with + in them...

I personally use aliases at my domain and block when required. It's nice to see the potential list of who is sharing your address too.

Matt

That's interesting, cheers.

In reply to a post by uno:

Although you still get some websites that don't allow the use of addresses with + in them...

I personally use aliases at my domain and block when required. It's nice to see the potential list of who is sharing your address too.

Yes - that is true. Having your own domain is the easiest way!

In reply to a post by uno:

I personally use aliases at my domain and block when required. It's nice to see the potential list of who is sharing your address too.

Been doing that for years - it's by far the best idea. Plus a unique password as well for security.

I have unique passwords for every site. The pain is trying to remember which sites forced me to use a number in the password.

When the (latest) Talktalk breach hit the headlines, I forced myself to change my password habits and started using a password manager to generate and save unique passwords.

I'm not brave enough to put my bank password in it though.

So how does all these separate and compartmentalised email address work when you have emails both to and from multiple contacts with other contacts copied in on the email?

How exactly are you going to reply to say 5 of your contacts about some subject unless you write 5 different emails to each of them from the 5 different email address allocated to each contact and then face the problem that each person will not know the others have also been informed in a separate email as they would if if was a straightforward reply to all.

Sounds all like a lot of work and will create a lot of confusion.
It will end up with many contacts using the 'wrong' email address instead of the one allocated to them as they have been passed on an email from you originally to someone else and they will reply to that address rather than the address allocated to them.

To be honest it sounds totally nuts!

Same, it's just not the norm for most users sadly.

I suspect that "each of my contacts" was not referring to personal contacts but businesses that require an email address, so it's not really an issue. I do the same and have about 500 email addresses at the last count.

I've been using letters and numbers for years, however I see the silly season is upon us. Recently got asked to set a password of a minimum of 16 digits and to include special keys. Needless to say they didn't get my business. A password to me is only secure while it's in my head. Once I write it down, security goes out the window.

I have a couple stock exchange trackers with a major financial company in the UK.

When I started two years ago they required you to enter either your 8-digit customer reference or a username that you could choose to replace it for login, and a PIN of at least 6 digits.

On the next screen they asked for three (specific, varying) characters from your password which had to include at least one upper case letter and at least one digit.

A couple of months ago to improve security they changed the system. They forced me to change to using a username, which could be my registered email address with them. As a result the customer reference no longer works. The PIN number has been dropped. The second screen now requires a straight entry of the password.

It is therefore now one of the most insecure login methods there is for any financial institution I know!

Edited by RobertoS (Sun 29-Nov-15 17:47:32)

I store completely unique, strong, 16 character passwords in a local encrypted database, protected with one good password which I memorise. In my opinion, the danger of local password database discovery is much smaller than the danger of hackers guessing weaker, memorisable passwords online, or remote password databases being compromised which reveal the same, or similar passwords for other sites.

Which is not much use when you're not local

In reply to a post by jchamier:

GMail supports the idea of [email protected] where after the + and before the @ can be anything and you'll receive it into the name mailbox.

Yup, my system is similar to that. Except I run my own mail server so I can use a wildcard pattern. Either way from my perspective they all end up in my inbox so there's nothing to track. One thing does annoy me is people using CC instead of BCC. That has the potential to cause problems.

Curable problems but it'd be annoying to temporarily lose the certainty of knowing which contact actually sent me an email.

Edited by Andrue (Sun 29-Nov-15 21:42:21)

In reply to a post by zom22:

How exactly are you going to reply to say 5 of your contacts about some subject unless you write 5 different emails to each of them from the 5 different email address allocated to each contact and then face the problem that each person will not know the others have also been informed in a separate email as they would if if was a straightforward reply to all.

I've never needed to do that with personal mail. If I did I'd probably use a new group email address for that conversation. It costs nothing to 'create' them and they all end up in the same mail box anyway.

Edited by Andrue (Sun 29-Nov-15 21:39:20)

I expect the majority of the public are completely misled by the common "you get 5 (or 10) mail boxes". The proportion of users needing more than one has to be small.

Aliases are not mentioned in the main publicity, and only people like us discover them.