"Posting [your plain text password] to you is secure, as it's illegal to open someone else's mail"

Discussion in 'Site Security & Legal Issues' started by R0binHood, Aug 17, 2019.

  1. R0binHood

    R0binHood Habitué

    Apparently this is the case according to Virgin Media, one of the biggest telecoms and broadband providers in the UK.

    Errr, what?! Anyone care to comment on if they think there's any truth to this statement or not?

    This is ludicrous, right?

    I guess the fact that they have the password in plain text and the ability to print and post it to you makes this insane as they should always be hashed, salted and peppered?


    Last edited: Aug 17, 2019
  2. Alfa1

    Alfa1 Administrator

The most insane is the plain text storage of passwords. If they can't even secure a password, then how are they capable of securing your private or corporate conversations and other data? This is just another Yahoo! hack waiting to happen. It seems to me that it's a breach of GDPR to store passwords and other private data in plain text.
  3. haqzore

    haqzore Devotee

    I mean... Their logic is correct.

    But that doesn't answer the "why". Why would they do this? Why would they allow whatever system they use to do this? Why expose themselves & their customers to that much more risk by not hashing/etc.?

    It's a bit short-sighted.

    As far as bank PINs, in my experience, you're encouraged to change it once you receive it in the mail.
  4. Ingenious

    Ingenious Fan

    By posting I think you mean by snail mail? I would be fairly happy with that as a way to reset/remember it, after all, it's how credit cards, pin numbers, bank statements and the likes have been sent since the dawn of man. In this case it's being sent to the registered account holder and only them.

    It does raise questions about it being stored in plain text though, what if the system is hacked? And to say it's secure as it's illegal to open someone else's mail is daft, that's like me saying that walking down the road waving wads of bank notes is secure as it's illegal to mug me.
  5. Paul M

    Paul M Limeade Addict

    Sending passwords in the post is considered secure in the UK.
    It's used by banks and many other companies to send passwords and PINs.

    Keeping the p/w on their system in plain text seems a bit questionable though.
    I don't know if their internal systems are connected to the public net, but even so, it's still poor.
  6. mysiteguy

    mysiteguy Administrator

    Being able to give someone their password does not necessarily mean it's being stored plaintext. It could also be using two-way encryption instead of one way. Each employee has their individual key, which unlocks a record which contains the common key which opens the password vault.

    PGP, HTTPS and SSH are examples of two-way encryption systems.
  7. cheat_master30

    cheat_master30 Moderator

    Using two way encryption is still seen as a bad idea where password storage is concerned though.
  8. MagicalAzareal

    MagicalAzareal Magical Developer

    Adobe stored their passwords with DES (two-way encryption), but people still managed to crack most of them. It's a really, really bad security practice, not to mention that if you are going to use two-way encryption, then you should at least use a stronger algorithm like AES.

    If it's properly hashed, someone has to attack each one individually and waste countless cycles on every possible combination that the password might be.

    If it's hashed but not salted or encrypted, then they can attack all of the passwords simultaneously as they use the same encryption key.

    Don't get me started on bank PINs, which are four-digit numbers and can easily be brute forced, even without this drama.
    Last edited: Aug 18, 2019
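    The difference MagicalAzareal describes between a fast unsalted hash (one cracking pass covers every user who shares a password) and a salted, slow hash (each record must be attacked on its own) can be shown directly. The block below is an added example, not code from the thread or from any provider mentioned in it; the PBKDF2 iteration count, the optional server-side pepper, and the sample user list are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: a PBKDF2 work factor chosen to be deliberately slow on commodity hardware.
DEFAULT_ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash. Identical passwords give identical digests, so a
    leaked table can be attacked for all users at once with one precomputed list."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS,
                pepper: Optional[bytes] = None) -> str:
    """Build a stored record: algorithm $ iterations $ salt(hex) $ digest(hex).

    - salt: random per user and stored with the record, so equal passwords
      produce different digests and must be cracked one record at a time.
    - pepper: optional secret kept outside the database (assumption: applied
      as an HMAC over the password before key stretching); a leaked table
      alone is then not enough to start guessing.
    """
    salt = salt if salt is not None else os.urandom(16)
    material = password.encode()
    if pepper is not None:
        material = hmac.new(pepper, material, "sha256").digest()
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time. The plaintext is never stored and never needed."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    material = password.encode()
    if pepper is not None:
        material = hmac.new(pepper, material, "sha256").digest()
    candidate = hashlib.pbkdf2_hmac("sha256", material, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample data: two users happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "summer2019",
    "bob": "summer2019",
    "carol": "hunter2",
}


def compare_storage(users: Dict[str, str],
                    iterations: int = DEFAULT_ITERATIONS) -> Tuple[int, int]:
    """Return (distinct unsalted digests, distinct salted records).

    With an unsalted hash the count is the number of distinct passwords, so a
    shared password is exposed for everyone at once; with per-user salts it
    equals the number of users, so nothing about reuse leaks from the table."""
    unsalted = {unsalted_sha256(p) for p in users.values()}
    salted = {make_record(p, iterations=iterations) for p in users.values()}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    print("distinct (unsalted, salted):", compare_storage(SAMPLE_USERS))
    rec = make_record("hunter2")
    print("stored record:", rec)
    print("correct password verifies:", verify("hunter2", rec))
    print("wrong password verifies:", verify("hunter3", rec))
```

    Running it shows two distinct values for the unsalted table (alice and bob collapse into one) against three for the salted table, and the stored record contains everything needed to check a login but nothing from which the password can be printed and posted.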
  9. mysiteguy

    mysiteguy Administrator

    I was not saying two-way encryption is foolproof (nor are one-way hashes). What I am saying is that it's a fallacy to assume they stored it plaintext and automatically assume it's insecure. Likewise, using one-way hashes doesn't mean it's secure either.

    Two-way encryption is quite common with highly secure data (governments would not be able to decrypt their own secrets if they didn't have two-way). It's all in the implementation.
  10. doubt

    doubt Tazmanian

    Unfortunately for me, they are not that easily brute forced.
    I wanted to withdraw some money from an ATM and it took away my card from me because I put the wrong PIN 3 times.
  11. we_are_borg

    we_are_borg Administrator

    I would ask if they lock the doors of their homes; by the same logic you cannot enter a home unless you have permission. But yet we lock them because shady people do not conform to the law.