A week ago I was talking to Sky support and as part of the "identity confirmation" process they asked me the last two characters of my password. At the time I just gave it to them.
It now hit me that they must be storing my password in a way accessible to them. Either cleartext or encrypted with a key available to them.
I can't believe that after so many high-profile password leaks, Sky has not implemented hashed and salted passwords.
Perhaps the CS agent will have a screen asking them for the 2 characters, then when they input the characters the system will say "correct" or "incorrect".
Or are you saying that it is impossible to check just two characters of a password with a hash and salt password?
Oliver.
I would say it is impossible to check a one-way encrypted password without having the whole password (or cracking it).
I can't think of how that could be done unless the individual characters were stored separately - and that would presumably make it much easier to decrypt them anyway.
If Sky were using hashes+salt they would have no way to check just 2 characters.
It looks like Sky is not the only ISP doing this. I just read a recent comment on Ars Technica saying that a BT subsidiary (PlusNet?) follows similar practices.
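To make the point concrete, here is an added example (not code from the thread or from Sky) contrasting a properly salted, stretched password record, which can only be verified with the whole password, with the "store each character separately" scheme mentioned above. The sample password and the per-position hashing scheme are constructed for illustration; the last function shows why a leaked per-position database is barely better than cleartext: each position can be checked independently against at most 94 printable characters, instead of 94^length guesses for the whole password.

```python
import hashlib
import hmac
import os
import string

# 94 printable ASCII characters (letters, digits, punctuation).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 100_000


def make_full_record(password: str) -> dict:
    """Conventional record: one salt, one stretched hash of the WHOLE password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_full(record: dict, candidate: str) -> bool:
    """Only the complete password can be checked; two characters are useless here."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def make_partial_record(password: str) -> list:
    """Hypothetical per-position scheme: every character gets its own salt and hash,
    so a support agent can check 'characters 9 and 10' without the whole password."""
    record = []
    for ch in password:
        salt = os.urandom(16)
        record.append((salt, hashlib.sha256(salt + ch.encode()).digest()))
    return record


def verify_positions(record: list, positions: list, chars: str) -> bool:
    """What the call-centre screen would do: check only the requested positions."""
    ok = True
    for pos, ch in zip(positions, chars):
        salt, stored = record[pos]
        ok &= hmac.compare_digest(hashlib.sha256(salt + ch.encode()).digest(), stored)
    return ok


def recover_from_partial(record: list) -> str:
    """Why the scheme is weak: each position is an independent puzzle with at most
    len(PRINTABLE) candidates. Key stretching would slow this down but cannot
    change the tiny search space per position."""
    out = []
    for salt, stored in record:
        for ch in PRINTABLE:
            if hashlib.sha256(salt + ch.encode()).digest() == stored:
                out.append(ch)
                break
        else:
            out.append("?")  # character outside PRINTABLE (not the case here)
    return "".join(out)


def guesses_needed(length: int) -> tuple:
    """(worst-case guesses against a full-password hash, worst-case against per-position hashes)."""
    n = len(PRINTABLE)
    return (n ** length, n * length)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    full = make_full_record(pw)
    print("full check with whole password:", verify_full(full, pw))
    partial = make_partial_record(pw)
    print("positions 9,10 == '&3':", verify_positions(partial, [9, 10], "&3"))
    print("recovered from leaked per-position record:", recover_from_partial(partial))
    print("guesses (full vs per-position):", guesses_needed(len(pw)))
```

The asymmetry in `guesses_needed` is the whole argument: for an 11-character password the full-hash design needs on the order of 94^11 guesses, while the per-position design needs at most 94 × 11, which any laptop finishes instantly.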
Or are you saying that it is impossible to check just two characters of a password with a hash and salt password?
There are various schemes but they all have their weaknesses. See the second reply to this question:
Password systems which ask for individual letters - what do they store?
Sweet Thames, run softly till I end my song,
Sweet Thames, run softly, for I speak not loud or long.
Interesting. Obviously it would be even worse for the CS to ask for the whole password. A lot of ISPs I use just have a second password which is only used when contacting customer services, I think that's probably the best idea.
Oliver.
After reading the stackoverflow link (and linked articles), it seems that no partial password scheme is substantially better than cleartext in the case of a password database leak. All of them make it easier for an attacker to retrieve the original password.
After reading the stackoverflow link (and linked articles), it seems that no partial password scheme is substantially better than cleartext in the case of a password database leak. All of them make it easier for an attacker to retrieve the original password.
Then what? Are you advocating the CS agent asks for the whole password so that the database can be hashed and salted?
Oliver.
They could use hash+salt for their website and a completely independent system for phone customer service. Then they could use a questionnaire to confirm identity. For example:
- is the user calling from a registered phone?
- does the user know his account number, account holder, address?
- other information (digits of the direct debit sort code, last payment amount, etc.)
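The two-system design described in this post, as an added example that is not code from the thread or from any ISP: the website password stays a salted, stretched hash that is never seen by support, and the phone channel uses a separate customer-service secret (quoted in full, as later posts describe) plus a weighted questionnaire. The account record, the check weights and the threshold are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

# Weights for each questionnaire check (assumed values; a real policy would tune these).
CHECK_WEIGHTS = {
    "calling_from_registered_phone": 2,
    "account_number": 1,
    "account_holder": 1,
    "address": 1,
    "sortcode_last2": 2,        # only the last two digits of the direct debit sort code
    "last_payment_amount": 2,
}
CONFIRM_THRESHOLD = 6  # assumed: enough that no single fact confirms a caller


def store_cs_secret(secret: str) -> dict:
    """The customer-service password: stored hashed, separately from the web login."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)}


def check_cs_secret(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def _same(a: str, b: str) -> bool:
    """Case- and whitespace-insensitive, constant-time comparison of two answers."""
    return hmac.compare_digest(" ".join(a.lower().split()), " ".join(b.lower().split()))


def identity_score(account: dict, answers: dict) -> int:
    """Sum the weights of the questionnaire checks the caller answered correctly."""
    score = 0
    if _same(account["registered_phone"], answers.get("calling_from", "")):
        score += CHECK_WEIGHTS["calling_from_registered_phone"]
    for field in ("account_number", "account_holder", "address", "last_payment_amount"):
        if _same(account[field], answers.get(field, "")):
            score += CHECK_WEIGHTS[field]
    if _same(account["sortcode"][-2:], answers.get("sortcode_last2", "")):
        score += CHECK_WEIGHTS["sortcode_last2"]
    return score


def confirm_identity(account: dict, answers: dict, cs_record: dict, cs_candidate: str = None) -> bool:
    """Caller is confirmed by the full CS secret, or by enough questionnaire evidence.
    The web password never enters this function."""
    if cs_candidate is not None and check_cs_secret(cs_record, cs_candidate):
        return True
    return identity_score(account, answers) >= CONFIRM_THRESHOLD


# Constructed sample account for demonstration.
ACCOUNT = {
    "registered_phone": "01234 567890",
    "account_number": "ACC-0001234",
    "account_holder": "A. Example",
    "address": "1 Example Street, Exampletown",
    "sortcode": "12-34-56",
    "last_payment_amount": "45.99",
}

if __name__ == "__main__":
    cs = store_cs_secret("maiden-name-or-better")
    good = {"calling_from": "01234 567890", "account_number": "acc-0001234",
            "account_holder": "a. example", "address": "1 Example Street, Exampletown",
            "sortcode_last2": "56", "last_payment_amount": "45.99"}
    print("questionnaire score:", identity_score(ACCOUNT, good))
    print("confirmed by questionnaire:", confirm_identity(ACCOUNT, good, cs))
    print("confirmed by CS password:", confirm_identity(ACCOUNT, {}, cs, "maiden-name-or-better"))
```

Note the two properties the post asks for: the support workflow holds nothing derived from the web password, and no single questionnaire answer (each worth less than the threshold) is enough on its own.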
I actually wasn't aware that Sky ask for letters of the main password; I always remember using a customer service password which I quoted in full (I chose my mother's maiden name). Giving letters from my main password would have been fairly laborious: my passwords are generated and stored by KeePass and are generally fairly hellish!
Oliver.