
[OT] Security question


Frank Millman

Dec 22, 2016, 4:39:57 AM
Hi all

This is off-topic, but I would appreciate a comment on this matter.

I have just upgraded my internet connection from ADSL to Fibre.

As part of the process, my ISP sent a text message to my cell phone with the
username and password I must use to connect.

To my surprise, they sent me my existing username *and* my existing
password, all in clear text.

I felt that this was insecure, so I sent them an email querying this and
querying why they had my password in clear text on their system in the first
place.

This was their reply -

"""
Thank you for taking the time to contact [...] Technical Mail Support.
I understand the importance of your password inquiry and will gladly assist.
Please note our Password protocols are secured via OTP.
This means nobody else can register or request your password as it will only
be sent to the cellphone number we have registered for the OTP service on
our side.
If somebody else requests a reminder of the password, it will be sent to
your cellphone as your number is registered for the OTP service.
I hope this clarifies the matter.
"""

They did not comment on the second part of my query.

Does their reply sound reasonable, or are my concerns valid?

Thanks

Frank Millman


Chris Angelico

Dec 22, 2016, 4:50:06 AM
On Thu, Dec 22, 2016 at 8:39 PM, Frank Millman <fr...@chagford.com> wrote:
> To my surprise, they sent me my existing username *and* my existing
> password, all in clear text.
>
> """
> Thank you for taking the time to contact [...] Technical Mail Support.
> I understand the importance of your password inquiry and will gladly assist.
> Please note our Password protocols are secured via OTP.
> This means nobody else can register or request your password as it will only
> be sent to the cellphone number we have registered for the OTP service on
> our side.
> If somebody else requests a reminder of the password, it will be sent to
> your cellphone as your number is registered for the OTP service.
> I hope this clarifies the matter.
> """
>
> They did not comment on the second part of my query.
>
> Does their reply sound reasonable, or are my concerns valid?

Your concerns are entirely valid. Somehow, the information of your
password got sent to you, which means that anyone who can "reach in"
at some point between where it's stored and where it's sent can leech
everyone's passwords. Game over.

If they were sending you a *new* password ("we have generated this
password, please log in and change it"), then it would be entirely
acceptable - a mobile phone text message is a decent out-of-band way
to deliver that kind of information. But to have your existing
password? No sir, no thank you, I will have none of that.

Name and shame the ISP. This kind of thing is insidious (because
usually nobody will know until it's way, WAY too late) and extremely
dangerous. Call them out on it.

ChrisA

Frank Millman

Dec 22, 2016, 5:11:11 AM
"Chris Angelico" wrote in message
news:CAPTjJmoQK39EU=M3w1zr8Xa7MYv42KYN...@mail.gmail.com...
>
> On Thu, Dec 22, 2016 at 8:39 PM, Frank Millman <fr...@chagford.com> wrote:
> > To my surprise, they sent me my existing username *and* my existing
> > password, all in clear text.
> >
>
> Your concerns are entirely valid. Somehow, the information of your
> password got sent to you, which means that anyone who can "reach in"
> at some point between where it's stored and where it's sent can leech
> everyone's passwords. Game over.
>
> If they were sending you a *new* password ("we have generated this
> password, please log in and change it"), then it would be entirely
> acceptable - a mobile phone text message is a decent out-of-band way
> to deliver that kind of information. But to have your existing
> password? No sir, no thank you, I will have none of that.
>
> Name and shame the ISP. This kind of thing is insidious (because
> usually nobody will know until it's way, WAY too late) and extremely
> dangerous. Call them out on it.
>

Thanks, Chris, good to know I am not going mad!

What about the second part of my query? Is it acceptable that they keep
passwords on their system in clear text?

From my first encounter with Unix over 30 years ago I was impressed with the
fact that no passwords are stored in clear text. Even with my own little
accounting system, I only store the SHA-1 hash of the password. I cannot
imagine why anyone would think that this is a good idea.

The ISP is MWEB, one of the biggest service providers in South Africa, with
(I guess) millions of users.

If this is the standard of security out there, it is no wonder we hear of so
many attacks (and how many don't we hear of?)

Frank


Chris Angelico

Dec 22, 2016, 5:40:11 AM
On Thu, Dec 22, 2016 at 9:10 PM, Frank Millman <fr...@chagford.com> wrote:
> What about the second part of my query? Is it acceptable that they keep
> passwords on their system in clear text?

Well no, absolutely not. I referred to "decrypting" the password,
which is all you can actually be certain of here - they may well be
storing the passwords in an encrypted form, but it can be decrypted.

> From my first encounter with Unix over 30 years ago I was impressed with the
> fact that no passwords are stored in clear text. Even with my own little
> accounting system, I only store the SHA-1 hash of the password. I cannot
> imagine why anyone would think that this is a good idea.

From worst to best, here's some ways you can store passwords:

1) Clear text. If anyone even just glances at your database, it's game
over in one shot.
2) Reversibly encrypted. If someone gets your database, s/he can
decrypt the contents, but accidentally flashing a long string of
nonsense won't instantly reveal everything.
3) Encrypted with a key. To decode all the passwords, you would need
additional information. That might come from the code, or from
environment variables, or something, but you would need to attack
something other than the database to completely decrypt people's
passwords.
4) Unsalted hashes. Instead of storing "password", you store
"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8". Can be broken with rainbow
tables (or for common passwords, just Google the thing).
5) Hashes salted with something predictable or calculable. Maybe you
hash username+"blargh"+password, or something. Means the hashes don't
look the same even for the same password.
6) Hashes salted with arbitrary data that then gets stored alongside
the password.

Any of the first three could give the phenomenon you describe. And
while the security is better on #3, it's still entirely vulnerable to
the "disgruntled employee" attack (someone on the inside with complete
information about the system).

The last three all look similar in the database, but #4 is vulnerable
to XKCD 1286 attacks, and even #5 has its vulnerabilities (for
instance, setting your password to the same thing as it's previously
been will set the hash to the same value). I would recommend the use
of #6, but if someone's using #5, I wouldn't hate on them too hard -
that's pretty secure.

> The ISP is MWEB, one of the biggest service providers in South Africa, with
> (I guess) millions of users.

Thanks. MWEB, listen up: you are betraying your users' trust. A data
breach could cost you dearly. Act *now*, before there is actually a
breach, and go and hash all your passwords. And, of course, change
your systems so you never need to send people their passwords.

> If this is the standard of security out there, it is no wonder we hear of so
> many attacks (and how many don't we hear of?)

There are definitely a lot of nasty attacks out there, but these days,
the most dangerous attacks are the social ones. It doesn't matter how
good your password policy is if people will click on links in spam
email and type their passwords into imitation login screens. It
doesn't matter how well you salt your passwords if people write them
down in insecure scribble pads. It makes no difference what you do on
the back end if your users sign up for new services and use the same
email address and password on them all. But here's the thing: social
attacks are under the control of the individual user; database attacks
are under the control of the central service. MWEB is responsible for
what they do with their users' passwords, even if some of those users
are vulnerable elsewhere.

ChrisA
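The three hash-based tiers in Chris's list (#4 unsalted, #5 predictable salt, #6 random stored salt), as an added Python example that is not part of the original thread. The username, password and the "blargh" pepper are constructed sample values; using PBKDF2-HMAC-SHA256 as the slow hash for tier #6 is this example's choice, since the post only asks for a hash salted with arbitrary data stored alongside it.

```python
import hashlib
import hmac
import os

# Constructed sample inputs for the demonstration, not real credentials.
USERNAME = "frank"
PASSWORD = "password"
PEPPER = "blargh"  # the fixed string from the post's scheme #5


def unsalted_sha1(password: str) -> str:
    """Scheme #4: store hash(password) only.

    Every user with the same password gets the same digest, so a precomputed
    (rainbow) table, or a web search for the digest, cracks common passwords.
    """
    return hashlib.sha1(password.encode()).hexdigest()


def predictable_salt_sha1(username: str, password: str, pepper: str = PEPPER) -> str:
    """Scheme #5: hash(username + fixed string + password).

    Two users sharing a password now get different digests, but the same user
    choosing the same password again reproduces the old digest, which is the
    weakness the post points out (password reuse becomes visible to anyone
    holding old and new database copies).
    """
    return hashlib.sha1(f"{username}{pepper}{password}".encode()).hexdigest()


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Scheme #6: a fresh random salt per password, stored next to the hash.

    PBKDF2-HMAC-SHA256 is this example's choice of slow hash; the salt is
    16 bytes from os.urandom so two records for the same password differ.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_record(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def users_sharing_a_hash(table: dict) -> dict:
    """Given {username: digest} from scheme #4, group users by identical digest.

    Shows why unsalted hashes 'look the same' across accounts: one cracked
    digest unlocks every account in its group.
    """
    groups: dict = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Scheme #4: the digest for "password" is the well-known SHA-1 value.
    print("#4", unsalted_sha1(PASSWORD))
    print("#4 duplicates", users_sharing_a_hash(
        {"frank": unsalted_sha1("password"), "chris": unsalted_sha1("password"),
         "oz": unsalted_sha1("another one")}))
    # Scheme #5: per-user but deterministic, so a reset to the same password repeats.
    print("#5", predictable_salt_sha1(USERNAME, PASSWORD))
    # Scheme #6: two records for the same password differ, and both verify.
    r1, r2 = make_record(PASSWORD), make_record(PASSWORD)
    print("#6 records differ:", r1["hash"] != r2["hash"])
    print("#6 verify:", verify_record(r1, PASSWORD), verify_record(r1, "Password"))
```

The verify step matters as much as the hashing: the stored salt and iteration count travel with the record, so the scheme can be strengthened later by re-hashing at next login, and comparing with `hmac.compare_digest` avoids leaking which byte of the digest first differed.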

Frank Millman

Dec 22, 2016, 6:10:39 AM
"Chris Angelico" wrote in message
news:CAPTjJmrG+1==NmOXF6CU2PttgCYKGZ_...@mail.gmail.com...
>
> On Thu, Dec 22, 2016 at 9:10 PM, Frank Millman <fr...@chagford.com> wrote:
> > What about the second part of my query? Is it acceptable that they keep
> > passwords on their system in clear text?
>
> Well no, absolutely not. I referred to "decrypting" the password,
> which is all you can actually be certain of here - they may well be
> storing the passwords in an encrypted form, but it can be decrypted.
>

[snip much fascinating info]

Thanks for all the info, Chris.

This is clearly a subject you feel strongly about!

Much appreciated.

Frank


Chris Angelico

Dec 22, 2016, 6:17:55 AM
On Thu, Dec 22, 2016 at 10:10 PM, Frank Millman <fr...@chagford.com> wrote:
> Thanks for all the info, Chris.
>
> This is clearly a subject you feel strongly about!
>
> Much appreciated.

It is - partly because I've been guilty of poor password security in
the past. I speak with the voice of someone who has sighted horrors in
his future and escaped by sheer luck (nobody actually leeched my
database... that I know of, at least). My systems were much smaller
and less serious than an ISP's.

ChrisA

Rich Osman

Dec 22, 2016, 9:48:37 AM
Chris,

I compliment you on your succinct and accurate summary of the issue.

Sounds like Frank's ISP is aspiring to be the next Yahoo...

On December 22, 2016 4:33:52 AM CST, Chris Angelico <ros...@gmail.com> wrote:
>On Thu, Dec 22, 2016 at 9:10 PM, Frank Millman <fr...@chagford.com>
>wrote:
>> What about the second part of my query? Is it acceptable that they
>keep
>> passwords on their system in clear text?
>
>Well no, absolutely not. I referred to "decrypting" the password,
>which is all you can actually be certain of here - they may well be
>storing the passwords in an encrypted form, but it can be decrypted.
>
>--
>https://mail.python.org/mailman/listinfo/python-list

--
mailto:o...@ozindfw.net
Oz
POB 93167
Southlake, TX 76092 (Near DFW Airport)

Peter Pearson

Dec 22, 2016, 9:01:17 PM
On Thu, 22 Dec 2016 12:10:40 +0200, Frank Millman <fr...@chagford.com> wrote:
[snip]
>
> What about the second part of my query? Is it acceptable that they keep
> passwords on their system in clear text?

Absolutely not. Keeping the passwords, even encrypted, is a reckless
invitation to disaster.

Chris has done a fine job of explaining the situation; I'm just piling
on (as a retired cryptologist) to add statistical weight to your survey.

--
To email me, substitute nowhere->runbox, invalid->com.

Steve D'Aprano

Dec 23, 2016, 4:53:13 AM
On Thu, 22 Dec 2016 09:10 pm, Frank Millman wrote:

> If this is the standard of security out there, it is no wonder we hear of
> so many attacks (and how many don't we hear of?)

Everything is broken:

https://medium.com/message/everything-is-broken-81e5f33a24e1

--
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.

Anssi Saari

Dec 30, 2016, 6:47:34 AM
"Frank Millman" <fr...@chagford.com> writes:

> Hi all
>
> This is off-topic, but I would appreciate a comment on this matter.
>
> I have just upgraded my internet connection from ADSL to Fibre.
>
> As part of the process, my ISP sent a text message to my cell phone
> with the username and password I must use to connect.
>
> To my surprise, they sent me my existing username *and* my existing
> password, all in clear text.

I'd say it depends on what the password is actually used for. You seem
to indicate it's just so you can access the internet? To me it seems
abusing that password is hard to impossible since it's your fibre to
your home. If the password is used for access control for anything then
it's an awful practise.

In my case, I have one password for the email account my ISP provides
and another for their web management pages where I can buy more or get
rid of services and see my bills and such.

Marko Rauhamaa

Dec 30, 2016, 6:56:57 AM
Anssi Saari <a...@sci.fi>:

> "Frank Millman" <fr...@chagford.com> writes:
>> To my surprise, they sent me my existing username *and* my existing
>> password, all in clear text.
>
> I'd say it depends on what the password is actually used for. You seem
> to indicate it's just so you can access the internet? To me it seems
> abusing that password is hard to impossible since it's your fibre to
> your home. If the password is used for access control for anything
> then it's an awful practise.

The message to take home is that whenever you are faced with a password
prompt, the recipient can do with the password whatever they want. You
should assume the worst. The password will be stored in the clear and
all employees of the recipient have free access to it. Also, there's a
high likelihood that the credentials will leak outside the organization.


Marko

Chris Angelico

Dec 30, 2016, 7:26:42 AM
On Fri, Dec 30, 2016 at 10:47 PM, Anssi Saari <a...@sci.fi> wrote:
> I'd say it depends on what the password is actually used for. You seem
> to indicate it's just so you can access the internet? To me it seems
> abusing that password is hard to impossible since it's your fibre to
> your home. If the password is used for access control for anything then
> it's an awful practise.

"Just" so he can access the internet? That's no small deal. If someone
else can sign in with the same password, s/he can do any sort of abuse
and it'll be registered to someone else. What spammer wouldn't jump at
the chance to blame someone else for the traffic?

ChrisA

Marko Rauhamaa

Dec 30, 2016, 10:03:13 AM
Chris Angelico <ros...@gmail.com>:
That's called plausible deniability.


Marko