Virgin Media (UK) stores passwords in plain text, sends them through the mail

182 点作者 molenzwiebel将近 6 年前

15 条评论

wutbrodo将近 6 年前

I learned a long time ago that the default assumption for non-tech-first companies should be deep, deep incompetence, below the level of an undergrad with a decent CS degree, when it comes to basic security practice. Even having your system be Incredibly Important isn't enough to force basic competence: there were plenty of government and bank systems through the 2000s that were apparently designed and maintained by high school kids (looking at you Citibank).By 2019, a lot of the industries running more critical systems like finance have figured out that you should take your tech seriously (and it only took them twenty years to figure it out...) ,but it's still a pretty good baseline assumption.

评论 #20726259 未加载

LeoPanthera将近 6 年前

Virgin Media is an ISP, for those who don't know.Perhaps more shockingly, they have a maximum password length of 10 characters, and the first character must be a letter.<a href="https://twitter.com/Joshwright10/status/1162811048359014400" rel="nofollow">https://twitter.com/Joshwright10/status/1162811048359014400</a>

评论 #20728697 未加载

评论 #20726236 未加载

评论 #20726077 未加载

评论 #20728826 未加载

评论 #20728723 未加载

jayflux将近 6 年前

I get everyone replying to virgins Twitter account in disgust, but let’s be honest, the person on the other end of that most likely won’t be technical, nor will there be much chance of them relaying it on. They will reply then go home for the day.This is where things like <a href="https://securitytxt.org/" rel="nofollow">https://securitytxt.org/</a> are important. Being able to go through to the team or person who knows what’s going on. But then again, if a company stores plain text passwords they most likely won’t have security.txt

评论 #20726966 未加载

评论 #20727455 未加载

评论 #20728659 未加载

评论 #20728432 未加载

shakna将近 6 年前

> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS (@virginmedia)> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. [0]Well, they're not admitting what they do is in any way unsafe, but it really seems like a cut-and-dried GDPR violation.They really haven't met even the spirit of:> Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.[0] <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/" rel="nofollow">https://ico.org.uk/for-organisations/guide-to-data-protectio...</a>

评论 #20725971 未加载

评论 #20726015 未加载

heffebaycay将近 6 年前

From 2015: "Virgin Media stores user passwords in plaintext?" <a href="https://news.ycombinator.com/item?id=9492006" rel="nofollow">https://news.ycombinator.com/item?id=9492006</a>

评论 #20727078 未加载

5h将近 6 年前

This is the same bunch of clowns who MITM you even after disabling their porn-filter, and the "fix" is to install their root cert.

rvz将近 6 年前

Right now in 2019, companies in the UK who somehow now think that they are 'tech companies' have this attitude when it comes to security. I met one company that recently got funding in the UK that deals with personal insurance and asked them if they write tests and they responded that they don't have tests, because they have no time to write any. In this case, that is like not having a security audit because we don't want anyone knowing the secret sauce.Unfortunately, The motto here is that 'If it ain't broke, don't fix it.' and these systems don't get updated in a while until it is too late.> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGSI can't trust Virgin to mail me anything sensitive then as the person who sent these details could have just seen it and wrote it down beforehand. That is too much of a risk to trust anyone and call that secure, even if it is illegal to open someone else's mail.Well I'll be expecting the GDPR officers to mail you clowns a huge fine then.

noodlesUK将近 6 年前

How is it that ISPs are always such awful organisations? I understand that their user base isn’t particularly technical, but there’s no excuse for this sort of public stupidity.

评论 #20728684 未加载

thraxil将近 6 年前

When you have a problem and call support, they do the "please enter the 4th digit of your account password" thing to verify you (further evidence that they store it in plaintext). This is particularly fun since my password is only in a password manager, which, if my service is offline, I can't access. So whenever my internet goes out, calling VM support to get them to fix it involves an extra 15 minutes of me arguing with them.

评论 #20729456 未加载

LIV2将近 6 年前

I’m a bit rusty and could be wrong but doesn’t MSCHAPv2/CHAP require knowledge of the plaintext password on the server side? I think that makes it required to be stored plaintext for any PPP connection and thus most if not all ISPs would be storing plaintext passwords

amiga-workbench将近 6 年前

UCAS used to do a similar thing. I really hope they have fixed this since. <a href="https://i.imgur.com/H2gADSX.png" rel="nofollow">https://i.imgur.com/H2gADSX.png</a>

评论 #20726052 未加载

mlmartin将近 6 年前

Virgin media have a 'memorable word' that you quote to the phone agents as a proof that it's you talking to them. It's not the password to the online account and it's only one of a few bits of info you get asked to prove you are the account holder.I think this is what is being talked about. Not the actual account 'password'.

评论 #20726389 未加载

tastroder将近 6 年前

Don't think this was posted yet, they doubled down on this:<a href="https://mobile.twitter.com/VirginMediaIE/status/1163441193541414912" rel="nofollow">https://mobile.twitter.com/VirginMediaIE/status/116344119354...</a>

alex_duf将近 6 年前

Unfortunately Plusnet does the same

thecleaner将近 6 年前

Does anyone else think the Virgin group companies are really bad and are simply baded on good marketing ? My read on Branson himself is that he's DT with actual billions.

评论 #20729097 未加载

评论 #20726721 未加载