|
|
Hi all,
Quick heads up that on Wednesday we will be rolling out changes to the platform that will allow customers the ability to choose much more secure passwords.
For those that don't know, customers are currently restricted to using a 5-8 character password containing numbers and lowercase letters that must start with a letter! The option to allow stronger passwords has been the most voted for suggestion on the Usergroup Issue Tracker for a while now and we recognise that it's something a lot of you have been asking for:
http://usergroup.plus.net/pugit/view.php?id=29
As of Wednesday customers will be forced into choosing a password that's between 8 and 16 characters when they signup. This password can also contain any of the following characters:
!#$%&()*+,-./:;<=>?@[]^{|}~
0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz
You will not be forced into changing your existing details so anyone with a password not meeting this criteria can continue using their current credentials.
Password changes on the portal will propagate around all the systems (FTP, Mail, Portal access etc.). The only system that will not support the new password format will be FrontPage. FrontPage will only take into account the first 8 characters.
If anyone has any questions or feedback then please feel free to contribute to this thread and I'll do my best to provide answers.
Kind Rgds,
Edited by deleted (Mon 21-May-07 18:53:19)
|
|
|
|
I thought Dave T or someone similar said the change was a massive thing (hence why it hadn't been done before) and would take ages?
How come it's taken a security breach before anyone took security and so on sufficiently seriously?!?
|
|
|
We have always taken security seriously. The strong password rollout is not a small matter and is still requiring a huge effort to roll this in such a short time.
|
|
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
|
|
Register (or login) on our website and you will not see this ad.
|
|
|
Funny how all these things that have been asked for for ages are now being looked at and done though isn't it
But... Great news! Finally I can change my password without having to make it worse than it already is!
|
|
|
|
>We have always taken security seriously. The strong password rollout is not a small matter and is still requiring a huge effort to roll this in such a short time.
How I read therioman, with your reply, if it required a huge effort is such a short time, why hadn't it been done over a longer time, without the need for so much effort in the past?
|
|
|
In reply to:
We have always taken security seriously.
Adopts the pantomime response, "Oh no you haven't"
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
|
If something that takes a huge effort can be done in a short time, if longer is taken it can normally be done with more thought and preparation and less chance of mistakes. It's a shame that we have to bring up the negatives to these positive moves, but PlusNet have brought it upon themselves.
But yes!!!! At last!
I'm still interested as to why the frontend systems had certain restrictions, while every other system clearly doesn't. But it's proved difficult to get a straight answer. I know of plenty of people who used passwords across dialup, DSL, webmail and portal all of which do not conform to the old and odd requirements.
|
|
|
Personally I think this move will enhance security for your customers but I don't like the answer you have given.
Back in Feb you were asked to work on the password issue and it is only now that you have got round to it and after a serious security breach (which might or might not be releated to a password issue) . Before Feb you were asked by a number of people (including those in PUG) to improve password security and that too fell on deaf ears. This is the Feb story, remember?
http://www.theregister.co.uk/2007/02/07/plusnet_passwords/
Two more: Link 1 & Link 2.
Edited by rsharma (Mon 21-May-07 19:45:24)
|
|
|
Remember that we have pretty much stopped all of our other development work to focus solely on these projects, and yes, that is a direct result of us being caught out in the way we were. While we were very aware of a number of issues where we were weaker than we should have been (And webmail was one), we had never found the onus to properly prioritise the development work above other things.
There is no argument that recent events have changed that and much of our next three months will be focussed solely on projects that relate to both email and platform security / stability (although I imagine a fair bit of that won't be visible to customers (Fixing potential problems that don't yet exist is never very exciting to watch).
We've always had to make difficult decisions about priorities and this is no exception - Things we were working on as part of our plans for 2007 will certainly slip as a result of this. Yes, we could and should have done all this stuff sooner, but it would have been at the expense of different work. That said, the speed we deployed a whole new webmail platform was stunning imo, and while we worked through the weekend and overnight to design, build and deliver that I reckon there are definately some useful things we can learn... A project like that would have been in QA (testing) for 2 weeks previously, and even then probably wouldn't have come out any more bug free than it is now.
Ian
|
|
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
|
|
|
Sadly there are a number of unanswered questions over passwords, but chris is probably just toeing the party line. this approach unfortunately sometimes causes more problems than good, especially on these forums.
Hopefully some will be answered, but in the mean time, at least this feature, requested for a VERY long time has been implemented. It's a shame it's taken such a mess for whatever needed to be changed internally (be it attitude, money, or other resources) to do so, but thank god it has.
Next up...
Proper SSL connections for all mail transactions (POP3, IMAP and SMTP).
Then things may be up to speed with the free e-mail services out there
|
|
|
|
And now they've done it.... what will it take to get a positive response...
Not aimed at you RS, just clicked reply.
Occaisionally good comes out of bad....
|
|
|
QA was something that has concerned me with the rapid rollout of these changes, not so much the password issue, but some of the larger changes. But if you've found more streamlined and efficient ways to do things and are confident stuffs been done at least as well as it was in the past, then great. Just add in some ongoing checking and hopefully you want be caught out again  (Or at least if you are it will be a lot harder for anyone to accuse the company of complacency).
|
|
|
Yes - We get asked to do lots of things all of the time though!
The work had been scheduled, but not above some of the other stuff we had promised to deliver, and a couple of things, such as the frontpage / hosting system upgrade were seen as dependencies initially. We were going to bundle this into the 'one portal' project iirc, which was going to enter development quite soon (It is on hold for the moment). Once we have that in place, it will actually make all other work we have to do on our portal a lot easier, because we won't need to make every change 4 times. As such it was seen as more urgent than making changes on code we were going to replace anyway.
I can explain the our thinking behind all of this, but please don't think I'm trying to defend what in hindsight we have been proven to have got it wrong!
Ian
|
|
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
|
|
|
It's a fair concern - We didn't QA the new webmail platform as much as we would have liked, and we didn't do as much work on skinning and bug fixing as I would have liked (Squirrel does have a few functionality flaws), but a lot of us spent our own time working on the solution and even I got nominated as a sign off point for part of the server builds (It's been 4 years since I was a network bod, but it all came back quite quickly thankfully!)...
We'd have had the new webmail platform out even sooner if it weren't for deciding the encrypt a load of the squirrelmail databases and take some other non standard security precautions, just in case!
Ian
|
|
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
|
|
|
Ian, if it had been a simple matter of hindsight being infinitely wiser than the present I wouldn't have even brought it up. The fact is that you ignored security on a number of occasions at the expense of developing something tangible for the customers. PN might pay the price, but usually it is the customer. That PN don't think it is a priority to protect their valuable customer database is quite amusing, but customers suffering because of ongoing problems with security isn't.
>Yes - We get asked to do lots of things all of the time though!
Maybe, but this wasn't a fancy toy being requested. These requests were of paramount importance, ones where everything else could and should have waited until these had been implemented (almost 2 years and counting?). Your email report tomorrow is something even I look forward to reading.
|
|
|
>Sadly there are a number of unanswered questions over passwords, but chris is probably just toeing the party line. this approach unfortunately sometimes causes more problems than good, especially on these forums.
I think you have it spot on. The sooner PN staff learn not to spin the story the better everyone will be for it.
|
|
|
As per SS announcement earlier, the incident report won't be ready for tomorrow - It has taken us longer to understand the nature of all of the issues than we first expected. Wednesday seems realistic now...
I don't think we ignored security, especially not of our customer database (The thing we know as workplace, which has not been compromised in anyway here), but I do agree that we were caught out on this one and I don't see any disagreement between us about that at all.
Ian
|
|
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
|
|
|
Oh Squirrelmail is far form perfect, but at least you're running something a bit more up to date and lightweight. It's suffered it's fair share of vulnerabilities and I'm sure it will continue to do so in the future. But hopefully this experience had taught PlusNet more about how to deal with them.
It's always best to go that extra mile  I hope you can build on this experience and ocntinue to polish things with whatever solutions are decided upon for the future of the webmail platform.
|
|
|
|
If workplace had been compromised I don't think PlusNet would exist for much longer. It is after all the crown jewels of the company.. or has been said to be so in the past. Security may not have been ignored but it has certainly been lax in certain areas, including reporting of security issues to customers. For instance, if a customer facing system is compromised, bite the bullet and tell them what they need to know immediately. They'll thank you later. I could suggest that auditing of systems needs to be looked at too, but maybe it's better to wait until the report drops.
Shame that the report has been delayed yet again. I'm not fan of rushing things out, but setting realistic expectations may be another lesson some people can learn from this. So many things get delayed with PlusNet, then people have to come us with excuses, then people get annoyed. Hmm.. I'm sure I've said this before.
Anyhow, I've said it a couple of times, but I'll say it again. Thanks for the password fix!
|
|
|
|
"You will not be forced into changing your existing details so anyone with a
password not meeting this criteria can continue using their current
credentials."
Is it just me or does that statement fly in the face of "taking security seriously" What is the point of having a strong password policy if you are not going to enforce it?
|
|
|
|
They are enforcing it, but for new passwords only. If they told all 200,000 users (and that's only broadband) that they HAD to change ALL their passwords, support would go into meltdown, as would their systems I suspect.
It is still the users responsibility to ensure they use secure passwords, PN have now allowed them to be more secure than before for those that want it and those that do change it.
|
|
|
|
To me that is just akin to putting 4 extra bolts on the front door and leaving the back door as it was.
If there is a need for complex passwords then enforce it. This just seems to be another Plusnet half hearted attempt to solve a potential problem.
If a job's worth doing........
|
|
|
In reply to:
If they told all 200,000 users (and that's only broadband) that they HAD to change ALL their passwords, support would go into meltdown, as would their systems I suspect.
Is the reason frequently trotted out by PN and their supporters for not informing customers of a lot of things which directly affect them.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
|
Post deleted by rsharma
|
|
|
In reply to:
To me that is just akin to putting 4 extra bolts on the front door and leaving the back door as it was.
More like a joiner putting on the bolts, but the home owner not using them. Making the security available is Plusnet's responsibility. Enforcing it is the user's.
I fail to see any major security difference between a six character and an eight character password. Twelve or more is starting to get into the realms of acceptable (although 30+ is even better  ). On average, non-techie users will not care for passwords over the size of six characters. That's life. Plusnet could alienate customers by forcing long passwords that some consider overkill.
Like I say it's Plusnet's job to make the security available, but taking their customers by the hand will not be liked by many.
That's not to say they can't send occasional reminders (quarterly perhaps) regarding general password security. Over time users will learn the value of decent password length.
|
|
|
|
Indeed. I've slated PlusNet for plenty of things. But seriously, this is a long overdue and generally good move. We've been given something that has been asked for for a long time, it's being enforced for all password changes, but those who don't care are not having it shoved down their throats. It's all good IMHO.
|
|
|
I'm dreading the day we have a serious security problem like this on our software.. I'm sure it will happen.. We've had bugs in the past but I would hope we've fixed them before anyone else found them.. The fact is things like this happen.
This isn't trying to defend PN.. just putting into context.. It's easy to be on the 'exposer' end of things because you have to get it right just once.. it's harder to be on the system side of it as you need to get it right every single time.
I'm sure PN are banging heads at walls right now (perhaps it's the kick they needed).
seb
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
In reply to:
If they told all 200,000 users (and that's only broadband) that they HAD to change ALL their passwords, support would go into meltdown, as would their systems I suspect.
It's called Risk Assessment & Cost Benefit Analysis. Unfortunately it doesn't work with religions.. (the technical kind I'm referring to :-p)
seb
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
> To me that is just akin to putting 4 extra bolts on the front door and leaving the back door as it was.
It's more about putting the bolts on but not forcing the inhabitants to use them.. You'd have to give them health and safety training to understand how to open them in an emergency in the dark etc.. doing that on large scale is difficult.
I would hope PlusNet gradually increases it until everyone had updated.
seb
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
In reply to:
More like a joiner putting on the bolts, but the home owner not using them. Making the security available is Plusnet's responsibility. Enforcing it is the user's.
I wrote my previous post before I saw what you said.. honest
In reply to:
Plusnet could alienate customers by forcing long passwords that some consider overkill.
The users would just use long complex passwords which match on more sites.. leading to more compromises.. So many people ignore the effects of social impact of IT... you made life difficult and users simplify it.. you force long passwords they can't remember? they write them down or use the same one more often... you make them change it often? they'll write it down or use a predictable pattern.. you need to take the choice off the user like with one time passwords if the application is really important
seb
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
Hi Chris,
That's the point - while I understand it's a lot of resource to do this, it is amazing how customers have been asking for a long time, and now all of a sudden because of the webmail breach there is a real flurry of activity to do these things - so that gives the impression that you're only *now* truely interested in security.
|
|
|
|
Hi all,
I can see how we may have given that impression but wouldn't agree that we've 'not been bothered' with security up until now.
I hope everyone can see this work in a positive light. Yes, we've pulled out all the stops to implement it and yes, we've probably even surprised ourselves at the speed in which we've done it. There's definitely something to be learnt from this.
We'll be letting all customers know, whether it's through emails, newsletters or some other medium. We'll not be expecting for customers to just stumble across the information and will be pro actively pushing this.
Over the next few months we hope to phase the weaker passwords out and will look to make this a mandatory measure.
We discussed the fact that 8 character passwords may present a barrier for some potential customers, however we felt the pros of a stronger password outweighed the cons.
Kind Rgds,
|
|
|
|
And then in a limited capacity.
|
|
|
|
Definitely. The best way to secure a system it to unplug it, turn it off and put it in a super-secure safe. Then probably bury it. All computer systems connected to networks are extremely open and vulnerable and all software has flaws. These things do happen to everyone no matter how proactive they are about security.
Again, I'm (clearly) not defending PlusNet and I do think there are many things they were not doing as well as they could. But the renewed interest and focus is already showing results, which has to be a good thing in the long term.
|
|
|
|
Bob, or Ian... or someone.
This isn't a dig or a whinge. It's great that this must requested change has finally be made. Well done.
But...
I'm still unsure of why the restriction was in place in the first place. It's clear that all backend systems (DSL platform login, webmail, email, portal systems, etc) all supported password which did not conform to the old restrictions. Many people had and used such passwords for a long time (yes, not a good thing from security standpoint but anyway). So, can someone answer why these restrictions put in place in the first place? And why the backend systems were happily coping with a mix of valid and apparently invalid passwords while the frontend system forced the restrictions upon people?
|
|
|
In reply to:
How come it's taken a security breach before anyone took security and so on sufficiently seriously?!?
Sorry, am I missing something?? In what way was the recent Security Breach due to the lack of Customers having Strong Passwords??
|
|
|
|
>Sorry, am I missing something?? In what way was the recent Security Breach due to the lack of Customers having Strong Passwords??
That post never said it was.
It refers to all security issues. Until the breach PN hadn't taken security as seriously as it is now doing.
|
|
|
personally im of the opinion that they would claim that it was secure anyway - even if it wasnt...
they would however need to let the data commisioner know of such a breach though if it occured.
its good that the password changes has been implemented (at last).
Edited by deleted (Tue 22-May-07 12:45:40)
|
|
|
|
Things like lack of SSL connections, poor password rules, etc are not themselves directly related to the recent breaches, but they are signs of how an organisation approaches security.
PlusNet have not taken certain security issues as seriously as they could have done and have constantly put off various suggested improvements using the excuse of lack of resources. Now, due to being somewhat caught out, they're focussing those resources and stuff is getting done.
Not an ideal way for positive change to come about, but at least it's coming about.
|
|
|
|
Heh, you may have a point. But if they'd managed to jump from a publicly accessible system thorugh to the closed internal workplace system hosted on entirely different systems it would have been a HUGE deal. That it wasn't doesn't of course directly lead to the conclusion that Workplace IS secure.
|
|
|
In reply to:
It refers to all security issues.
So why am I getting the impression that a lot of PN's recent advice is more about how the Customer's Passwords are easly cracked, rather than how their own internal systems got cracked!!
|
|
|
In reply to:
So many people ignore the effects of social impact of IT... you made life difficult and users simplify it.. you force long passwords they can't remember? they write them down or use the same one more often... you make them change it often? they'll write it down or use a predictable pattern
Can I also add that virtually every organisation/company/web-site expects you to have a Password (&/or PIN), so that it really does become impossible to remember them all!!
|
|
|
In reply to:
it is amazing how customers have been asking for a long time, and now all of a sudden because of the webmail breach there is a real flurry of activity to do these things
The same could be said about the Web-Mail interface itself!!
When it was introduced, even PN was unhappy with it & gave assurances that it would be rapidly replaced! Unfortunately, that "rapidly" was not rapid enough!!
|
|
|
|
True, advice has been about how customers can improve security when the real source of the problem was PlusNet's lack of security. It can look like passing the buck or a case of double standards. I think it's more a case of there having been a MAJOR wake-up call and suddenly all these people in PlusNet are taking security seriously (which despite protestations to the contrary, I don't believe they did before, certainly not as seriously as they should have). This has the knock-on effect that they start advising others.
To be honest it's only a good thing if customers are encouraged to take security seriously. As long as PlusNet don't pass the buck and are properly held accountable for their shortcomings. Hopefully they'll be honest about things when they finally get the report into the incidents out.
|
|
|
|
or that it isn't.
|
|
|
When applying those rules to employees, a company has the authority and the employees will 'suffer it'. I know of half a dozen folk near me who have recently aquired broadband (amazing when you think about it).
One is in his 70s.
Three are over 50.
One is a trademan in his 40s.
The other is in his 20s.
Only the latter appreciates decent security, and that's just because he's been exposed to college IT systems and the usual risks therein. I agree completely with the sentiment that users should have a password policy approach, but it's not realistic for many, and if I cast myself back to when I first used the web, if an ISp stated that a password should be 12 characters, must be varied case etc, I'd be wondering why, considering I didn't use banking or online shopping or the like.
Perhaps those who do should get a heads-up once in a while. Like I said occasional reminders, and over time the minimum criteria can be turned up.
|
|
|
this time round! im still not 100% convinced that workplace is 100% totally seperate. im still not 100% convinced that plusnet may or may not have other security issues. I would also imagine there is external access to workplace..
Edited by deleted (Tue 22-May-07 13:58:09)
|
|
|
In reply to:
im still not 100% convinced that workplace is 100% totally seperate.
It's separate webserver(s), with separate database(s) from webmail. Yes - there's probably a route from one to the other via various switches/routers/firewalls etc. but that's the nature of the Internet
In reply to:
I would also imagine there is external access to workplace.
IP-Restricted to known static IPs and SSL traffic only last time I heard ... may not even be that anymore ...
|
|
|
|
Ahh so they do employ SSL for that.
But they don't deem it necessary to allow SSL for e-mail transactions and instead are happy to have customers usernames and passwords passed in the clear whenever they send or receive e-mail. That's a big thing I've been bleating on about for years now. No sign of it actually being changed though.
|
|
|
wasnt webmail i was referring to.
In reply to:
IP-Restricted to known static IPs and SSL traffic only last time I heard ... may not even be that anymore ...
doesnt seem like much "security" to me. only takes a compromise of the webserver platform software.
|
|
|
In reply to:
wasn't webmail i was referring to.
Well what then?
In reply to:
doesnt seem like much "security" to me. only takes a compromise of the webserver platform software.
Well yes - but that's the same for virtually every business online then - what were you expecting??
[I've left out its about non-http/https ports being blocked/firewalls etc. which they probably also have - I was just commenting on the "external access to Workplace" bit of your original post]
|
|
|
other security related issues.
In reply to:
Well yes - but that's the same for virtually every business online then - what were you expecting??
i was expecting an ISP as big as plusnet to use VPN or something similar and keep it on an internal network only.
|
|
|
|
using a VPN isn't keeping it on an internal network only .... it's just a different form of encryption ....
|
|
|
|
perhaps not, but its better than leaving widely exposed apache server. VPN + totally firewalled off except to allowed client nodes is the way to go.
|
|
|
In reply to:
widely exposed apache server.
I did say it was IP-restricted ... hardly "widely exposed" now is it [Presuming they keep the access lists up-to-date etc. etc.
|
|
|
FYI, The IP access list was removed ages ago (I can't remember when, but I got issued a VPN one time password keyfob thang shortly after I started back at PlusNet). For access to workplace, you have to be on our network, connected via VPN. As it happens, one of my tasks over the last few months has been working on the feasibility of reselling the cryptocard managed solution we use for workplace to our customers, although it hasn't really gone anywhere as of yet due to other priorities.
IMO the problem here isn't that we don't take security seriously across the board, but we certainly didn't take the security of the existing webmail platform seriously enough, perhaps because we were too busy planning to replace it - lets wait to see what tomorrows report brings before we discuss this element further though.
Out of interest hotblack, which ISPs do offer SSL based email / FTP as standard? I agree it's a good idea, especially for us now, but I don't think it's standard for an ISP to provide these is it?
Ian
|
|
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
|
|
|
In reply to:
FYI, The IP access list was removed ages ago (I can't remember when, but I got issued a VPN one time password keyfob thang shortly after I started back at PlusNet). For access to workplace, you have to be on our network, connected via VPN.
Well - there you go then ...
|
|
|
|
If we're talking ISP's then Nildram certainly do. Beyond that I use GMail and they have SSL on web, POP3 and SMTP. SSL is pretty standard these days for serious email providers. As people often use the same details for their account as their email with PlusNet it's even more reason to not have it passed in the clear. It could easily give anyone access to someone's account.
This has been asked for dozens of times over the years and I know I've had lengthy discussion on various PlusNet forums about it. But every time it gets knocked back.
As an aside, some of the instructions for setting up email clients shown on the portal even show turning on SSL as one of the steps.
|
|
|
it should be firewalled off totally so that a connection attempt cannot even get through. if an index site such as netcraft can get to it, im assuming a normal connection attempt can.
Edited by deleted (Wed 23-May-07 01:42:27)
|
|
|
In reply to:
Out of interest hotblack, which ISPs do offer SSL based email / FTP as standard? I agree it's a good idea, especially for us now, but I don't think it's standard for an ISP to provide these is it?
ukfsn perhaps? i dunno about isps, but its certainly been common practice within the half-decent webhosts to do just that for a long time.
|
|
|
oh really?
http://toolbar.netcraft.com/site_report?url=http://workplace.plus.net
or how about this one:
http://toolbar.netcraft.com/site_report?url=http://faults.workplace.plus.net
if the above is the case why is netcraft still reporting services running on these systems? shouldnt they be removed if they are no longer used?
...
Edited by deleted (Wed 23-May-07 01:47:30)
|
|
|
Just bumping these questions as I think they're important.
Good to see the changes now in place and working though  I've just been able to change my password without gimping it.
|