"Posting [your plain text password] to you is secure, as it's illegal to open someone else's mail"

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,385
Apparently this is the case according to Virgin Media, one of the biggest telecoms and broadband providers in the UK.

Errr, what?! Anyone care to comment on whether they think there's any truth to this statement or not?

This is ludicrous, right?

I guess the fact that they have the password in plain text, and the ability to print and post it to you, makes this insane, as they should always be hashed, salted and peppered?


Alfa1

Administrator
Joined
May 28, 2007
Messages
3,962
The most insane part is the plain text storage of passwords. If they can't even secure a password, then how are they capable of securing your private or corporate conversations and other data? This is just another Yahoo! hack waiting to happen. It seems to me that it's a breach of GDPR to store passwords and other private data in plain text.

haqzore

Devotee
Joined
Dec 6, 2012
Messages
2,317
I mean... Their logic is correct.

But that doesn't answer the "why". Why would they do this? Why would they allow whatever system they use to do this? Why expose themselves and their customers to that much more risk by not hashing, etc.?

It's a bit short sighted.

As far as bank PINs, in my experience, you're encouraged to change it once you receive it in the mail.

Ingenious

Fan
Joined
May 4, 2011
Messages
763
By posting I think you mean by snail mail? I would be fairly happy with that as a way to reset/remember it; after all, it's how credit cards, PIN numbers, bank statements and the like have been sent since the dawn of man. In this case it's being sent to the registered account holder and only them.

It does raise questions about it being stored in plain text though: what if the system is hacked? And to say it's secure because it's illegal to open someone else's mail is daft; that's like me saying that walking down the road waving wads of bank notes is secure because it's illegal to mug me.

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,927
Sending passwords in the post is considered secure in the UK.
It's used by banks and many other companies to send passwords and PINs.

Keeping the password on their system in plain text seems a bit questionable though.
I don't know if their internal systems are connected to the public net, but even so, it's still poor.

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,075
Being able to give someone their password does not necessarily mean it's being stored plaintext. It could also be using two-way encryption instead of one way. Each employee has their individual key, which unlocks a record which contains the common key which opens the password vault.

PGP, HTTPS and SSH are examples of two-way encryption systems.

cheat_master30

Moderator
Joined
Jan 16, 2010
Messages
3,853
Using two way encryption is still seen as a bad idea where password storage is concerned though.

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
690
mysiteguy said:
Being able to give someone their password does not necessarily mean it's being stored plaintext. It could also be using two-way encryption instead of one way. Each employee has their individual key, which unlocks a record which contains the common key which opens the password vault.

PGP, HTTPS and SSH are examples of two-way encryption systems.

Adobe stored their passwords with DES (two-way encryption), but people still managed to crack most of them. It's a really, really bad security practice, not to mention that if you are going to use two-way encryption, then you should at least use a stronger algorithm like AES.

If it's properly hashed, someone has to attack each one individually and waste countless cycles on every possible combination that the password might be.

If it's hashed but not salted or encrypted, then they can attack all of the passwords simultaneously as they use the same encryption key.

Don't get me started on bank pins which are four digit numbers and can easily be brute forced, even without this drama.
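The difference the two posts above are arguing about (a reversible vault versus one-way hashes, and unsalted versus salted hashes) can be made concrete. The following is an added example written for this thread, not code from any of the posters or from Virgin Media; the user records and the attacker's wordlist are constructed, and the iteration count is kept low so the demo runs quickly (a real deployment would use a far higher work factor). It shows why an unsalted hash table falls in a single pass over the wordlist, while per-user salts force the attacker to redo that pass for every record.

```python
"""Added example: unsalted vs salted password storage under a wordlist attack.

All data below is constructed for illustration; nothing here comes from the
thread or from any real breach.
"""
import hashlib
import hmac
import os

# Constructed sample of a customer table (two users share a password on purpose).
USERS = {"alice": "password1", "bob": "letmein", "carol": "qwerty", "dave": "password1"}

# Constructed attacker wordlist; it is assumed to contain the users' passwords.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "welcome1"]


def unsalted_store(users):
    """Naive storage: one plain SHA-256 per password, no salt."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, iterations=10_000):
    """Salted, slow storage with PBKDF2-HMAC-SHA256 and a random 16-byte salt per user.

    10_000 iterations is deliberately low for the demo; production deployments
    use a much larger work factor (or a memory-hard function such as Argon2).
    """
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, digest)
    return store


def has_duplicate_hashes(hashes):
    """True if two records share a stored value, which leaks 'same password' for free."""
    values = list(hashes)
    return len(set(values)) < len(values)


def crack_unsalted(store, wordlist):
    """Hash each candidate once, then look every user up in that table.

    Returns (cracked mapping, number of hash computations). The work is the
    size of the wordlist regardless of how many users are in the table.
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store, wordlist):
    """The salt differs per user, so the wordlist must be rehashed for every record.

    Returns (cracked mapping, number of PBKDF2 computations). Work now grows
    with the number of users, and each computation is itself expensive.
    """
    cracked = {}
    work = 0
    for u, (salt, iters, digest) in store.items():
        for w in wordlist:
            work += 1
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters)
            if hmac.compare_digest(candidate, digest):
                cracked[u] = w
                break
    return cracked, work


def verify_salted(store, user, password):
    """Login-time check against the salted store, using a constant-time compare."""
    salt, iters, digest = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    plain = unsalted_store(USERS)
    salted = salted_store(USERS)
    print("unsalted duplicates visible:", has_duplicate_hashes(plain.values()))
    print("salted duplicates visible:  ", has_duplicate_hashes(d for _, _, d in salted.values()))
    print("unsalted attack:", crack_unsalted(plain, WORDLIST))
    print("salted attack:  ", crack_salted(salted, WORDLIST))
    print("alice logs in:  ", verify_salted(salted, "alice", "password1"))
```

Neither store survives a weak password in the attacker's wordlist; what the salt buys is that the attacker's cost is multiplied by the number of users, and a proper work factor multiplies it again per guess. A reversible vault, as discussed in the posts above, has no per-record cost at all once the common key is in hand, which is why the thread treats it as the weaker design for passwords.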

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,075
I was not saying two-way encryption is foolproof (nor are one-way hashes). What I am saying is that it's a fallacy to assume they stored it plaintext and automatically assume it's insecure. Likewise, using one-way hashes doesn't mean it's secure either.

Two-way encryption is quite common with highly secure data (governments would not be able to decrypt their own secrets if they didn't have two-way). It's all in the implementation.

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,864
MagicalAzareal said:
bank pins which are four digit numbers and can easily be brute forced,

Unfortunately for me, they are not that easily brute forced.
I wanted to withdraw some money from an ATM and it took my card away from me because I put in the wrong PIN three times.

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,446
I would ask if they lock the doors of their homes. By the same logic you cannot enter a home unless you have permission, and yet we lock them because shady people do not conform to the law.