A week ago I was talking to Sky support and as part of the "identity confirmation" process they asked me the last two characters of my password. At the time I just gave it to them.
It has now hit me that they must be storing my password in a way that is accessible to them: either cleartext or encrypted with a key available to them.
I can't believe that after so many high-profile password leaks, Sky has not implemented hashed and salted passwords.
Perhaps the CS agent will have a screen asking them for the 2 characters, then when they input the characters the system will say "correct" or "incorrect".
Or are you saying that it is impossible to check just two characters of a password with a hash and salt password?
Oliver.
I would say it is impossible to check a one-way encrypted (hashed) password without having the whole password (or cracking it).
I can't think of how that could be done unless the individual characters were stored separately, and that would presumably make it much easier to decrypt them anyway.
If Sky were using hashes+salt they would have no way to check just 2 characters.
It looks like Sky is not the only ISP doing this. I just read a recent comment in arstechnica saying that a BT subsidiary (PlusNet?) follows similar practices.
Or are you saying that it is impossible to check just two characters of a password with a hash and salt password?
There are various schemes but they all have their weaknesses. See the second reply to this question:
Password systems which ask for individual letters - what do they store?
Sweet Thames, run softly till I end my song,
Sweet Thames, run softly, for I speak not loud or long.
Interesting. Obviously it would be even worse for the CS to ask for the whole password. A lot of ISPs I use just have a second password which is only used when contacting customer services, I think that's probably the best idea.
Oliver.
After reading the stackoverflow link (and linked articles), it seems that no partial password scheme is substantially better than cleartext in the case of a password database leak. All of them make it easier for an attacker to retrieve the original password.
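The claim above, that any scheme able to check two characters leaves a leaked database easier to crack than a whole-password hash, worked through in Python. This is an added example, not code from the thread or from Sky; the password, the salt, the 62-symbol alphabet and the "one salted hash per character position" scheme are all constructed for illustration.

```python
import hashlib
import string

# Constructed demo values: a 12-character generated password, as discussed in
# the thread, and a fixed salt so the example is reproducible offline.
PASSWORD = "Qx7mR2tL9vB4"
SALT = bytes.fromhex("8f1c2b3a4d5e6f70112233445566778899aabbcc")
ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumed charset)
ITERATIONS = 1000   # kept low for the demo; real deployments use far more


def hash_full(password: str, salt: bytes) -> bytes:
    """Ordinary salted password hash: one digest over the whole password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_full(password: str, salt: bytes, digest: bytes) -> bool:
    """Verification needs the entire password; there is no way to check
    just 'the last two characters' against this single digest."""
    return hash_full(password, salt) == digest


def store_partial(password: str, salt: bytes) -> list:
    """Hypothetical partial-password scheme: a salted hash per character
    position, so an agent can check any two positions on their own."""
    return [hashlib.pbkdf2_hmac("sha256", f"{i}:{c}".encode(), salt, ITERATIONS)
            for i, c in enumerate(password)]


def verify_positions(guesses: dict, salt: bytes, digests: list) -> bool:
    """Check only the requested positions, e.g. {10: 'B', 11: '4'}."""
    return all(
        hashlib.pbkdf2_hmac("sha256", f"{i}:{c}".encode(), salt, ITERATIONS) == digests[i]
        for i, c in guesses.items()
    )


def crack_partial(salt: bytes, digests: list) -> str:
    """What an attacker does with a leaked per-position table: each position
    is recovered independently with at most len(ALPHABET) guesses."""
    recovered = []
    for i, digest in enumerate(digests):
        for c in ALPHABET:
            if hashlib.pbkdf2_hmac("sha256", f"{i}:{c}".encode(), salt, ITERATIONS) == digest:
                recovered.append(c)
                break
        else:
            raise ValueError(f"position {i} not in assumed alphabet")
    return "".join(recovered)


def guesses_needed(length: int) -> tuple:
    """Worst-case guess counts for a leaked whole-password hash versus a
    leaked per-position table (the numbers behind 'easier to retrieve')."""
    return len(ALPHABET) ** length, len(ALPHABET) * length


if __name__ == "__main__":
    table = store_partial(PASSWORD, SALT)
    print("partial table checks chars 11-12:", verify_positions({10: "B", 11: "4"}, SALT, table))
    print("attacker recovers from leaked table:", crack_partial(SALT, table))
    print("worst-case guesses (full, partial):", guesses_needed(len(PASSWORD)))
```

With the whole-password hash an attacker must try up to 62^12 candidates; with the per-position table the same 12-character password falls in at most 62 x 12 = 744 guesses, because the salt cannot stop each position from being attacked on its own. Running the script recovers the constructed password outright.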
After reading the stackoverflow link (and linked articles), it seems that no partial password scheme is substantially better than cleartext in the case of a password database leak. All of them make it easier for an attacker to retrieve the original password.
Then what? Are you advocating the CS agent asks for the whole password so that the database can be hashed and salted?
Oliver.
They could use hash+salt for their website and a completely independent system for phone customer service. Then they could use a questionnaire to confirm identity. For example:
- Is the user calling from a registered phone number?
- Does the user know their account number, account holder and address?
- Other information (digits of the direct debit sort code, last payment amount, etc.)
I actually wasn't aware that Sky ask for letters of the main password, I always remember using a customer service password which I quoted in full (I chose my Mother's maiden name). Giving letters from my main password would have been fairly laborious, my passwords are generated and stored by KeePass and are generally fairly hellish!
Oliver.
Side note: KeePass is great software, and free.
Oliver.
Don't they have a password you use for Internet access (randomised and hard-coded into the router), a password you set yourself for email access, which is hashed and salted as it's nothing to do with Sky, and another password you use to talk to CS?
There's no online form that uses that password so it should, in theory, be secure.
Most online forms that ask for two letters from a password also ask for another password in full which, one assumes, is hashed and salted, and do it to avoid both passwords being provided in full.
Edited by deleted (Tue 24-Feb-15 17:55:27)
To clarify: in my case I am talking about the SkyID password, used mainly to manage the account online. When I contacted the Sky support team they asked me for the last two letters of this password.
Over the phone I have only ever used the customer service password.
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
I only have the SkyID password. Can't find anywhere on the Sky site how to create a separate phone customer services password.
I am a relatively new Sky user (migrated from BE) and I never had to deal with their phone team before.
How secure was your Be password?
With BE I used a 12-character randomly generated password. I assume that they only stored hashes. Over the 5 or 6 years that I was with them I only used their online support ticket system. So no idea how they authenticated users over the phone.
When I was migrated to Sky I was asked to create a SkyID account. I generated another password of the same length.
I'm not sure how it is set up since it was some time ago, maybe I was asked to create one during my first phone call with them after using alternative authentication methods.
I have an option to change my security question here: https://secure.sky.com/mydetails
I don't know if that's the same thing though.
Oliver.