I think the pitchforks may have been lit a bit early here. The password all support staff can see is for phone verification, and is completely separate from the online login password [0]<p>However, Virgin don't seem to have clarified if and how the online login password is hashed.<p>[0] -<a href="https://virginmedia.response.lithium.com/portal/conversation/3957067" rel="nofollow">https://virginmedia.response.lithium.com/portal/conversation...</a>
So in short:<p><pre><code> - They're doing things correctly
- They ask for a code over the phone to verify your account
- Their Twitter guy refers to this as a "password"
- Nobody reads anything on the internet, therefore everybody is concerned and fighty.
</code></pre>
There's no indication of how <i>passwords</i> are actually stored. This is all about the passphrase you tell the guy on the phone so that he can verify your account. It seems reasonable that that guy would need to be able to see that word on a screen so that he can compare it to what you say.<p>Still, it's good that people are still really angry about this, 23 hours after their support guy explained what's going on.
Seems like we've moved from calling out companies for long standing bad practises to some kind of tribal behaviour where people are almost looking for a reason to call a company out for "bad security."<p>Let me be clear: Phone passwords are superior to phone pins, phone secret question/answers are superior to both, and the agent needs to be able to verify the secret question/answer set, and also the password. You CAN design it so the agent cannot see the whole password, but that means the agent cannot use common sense to account for differences in spelling, or interpretation e.g. "to" as 2, to, two, and too (plus "the third digit of your password" is hard for humans, we aren't designed that way).<p>People saying things like "an agent cannot be trusted!" are missing the point, that the entire system is built on agent trust. When you call you're purposely giving this agent access to your account, making the password useless, there's no proof they logged off when you hang up, there's also no proof that they aren't writing down your responses and will then relay it to another agent later.<p>A lot of people who whine about plain text in particular don't really seem to understand what it is that hashing even does. They seem to think things like: "if you get hacked, someone cannot steal passwords" (nope) or "then someone cannot sniff your password over free wifi" (nope). All hashing does is add time between the hack, and when the hacker can start using the stolen credentials, that's it. It is there to give the company time to detect the leak and to notify/reset, if the company fails to detect then it has done absolutely nothing of worth.<p>To be honest I find "HTTP offenders" (e.g. HTTP web-sites that redirect to HTTPS login forms, essentially breaking HTTPS's MitM protections) far worse than "plain text offenders." But none of this has anything to do with calling out security issues at this point.
A bunch of people who don't seem to understand the technicals here feel like they're doing "good" by calling out companies for things that don't even make sense.
Is this actually a password or something closer to a PIN? I don't know that there's anything wrong with not cryptographically mangling a PIN since there are so few combinations in the first place. I think the SOP in most cases (my bank, for one) is to use multiple forms of ID verification (last 4 of social, birthday, and PIN, e.g.).<p>Whoever runs their twitter also later claims that this account password is different than their online password, which seems to support that it's more of a PIN than global password. I'm not a Virgin employee or customer though, so I'm not sure if this is the case or not.
So, it seems this only applies to the phone verification password and not the online account password. Can someone explain to me what the better alternatives are for phone verification? Is punching in a PIN considerably better? Banks ask for last 4 of social, which I don't think is something I would give anyone besides a bank.<p>Virgin's hardly the only one doing this. ADT reps ask for a password when verifying an alarm. At least it's better than just asking for your name and address.
This is an international thing - I'm with Virgin Mobile in Australia and the "Forgot Password" button sends me my password in plain text (which is, even better, only allowed to be numbers, and only 6 of them! Guessing 10^6 numbers doesn't take long)<p>This is known since at least 2013: <a href="http://www.kitguru.net/gaming/security-software/jon-martindale/virgin-media-stores-phone-authentication-passwords-in-plaintext/" rel="nofollow">http://www.kitguru.net/gaming/security-software/jon-martinda...</a><p>Edit: Others are saying this is for the "phone verification password", but my password is to log into the online account to pay my phone bill.
"Administrators and/or customer service reps need to be able to see passwords for XYZ purposes" is a relatively common requirement even nowadays, especially if those requirements were drawn up by non-technical people.<p>One part of me wishes that the governments of the world would just outlaw this kind of idiocy. On the other hand, I'm not sure if I'd like that much regulation. I certainly wouldn't want to be a developer in a world where I can get sued for using a non-NIST-approved algorithm or something.<p>Fortunately, "PCI-DSS" seems to be the magic word that developers can use to beat sense into people's heads most of the time.
I have a Virgin Media account authorisation password to identify myself as an account manager over the phone. Has nothing to do with any online login system.
Incidentally, I just found out yesterday that Straight Talk (AT&T MVNO) keeps their <i>online</i> passwords in plaintext. Restoring your password actually sends you the password by email.<p>I'm glad I never reuse a password.