Vox client portal password storage

wrathdelivery

Active Member
Joined
Aug 7, 2006
Messages
52
Reaction score
8
Location
Cape Town
I noticed that Vox client portal is not hashing passwords. I know this because requesting your password via the "forgot my password" feature emails you your existing password in the clear. Furthermore, individual service passwords (such as ADSL etc) are also shown in the clear in the portal.

This is obviously a fairly bad security design as anyone that obtains physical access to the password file or database can see everyone's passwords.

Anyone using their system should be sure to use a UNIQUE password and not reuse a password from any other service they use as a minimum to mitigate this weakness.

Vox, please address this security issue. I know it costs money, but when you get hacked and a clear text password database gets posted online the cost to your brand will be bigger.

ALL passwords should be stored hashed using a proper password-grade hashing algorithm. No system should EVER be able to show you a clear text version of your existing password and should ALWAYS use a reset mechanism to a NEW password should you forget your password.
 
To be fair, I'm sure most password thieves aren't interesting in anyone that small tho - they're after the big web-scale fish :)
 
And these guys want to sell you security solutions - LOL. They probably think salting is only used for cooking
 
To be fair, I'm sure most password thieves aren't interesting in anyone that small tho - they're after the big web-scale fish :)

Thats what people said when they didn't install Windows patches for MS17-010 and WannaCry came out...
 
To be fair, I'm sure most password thieves aren't interesting in anyone that small tho - they're after the big web-scale fish :)

Yeah. Of course no one uses the same password for all their stuff, so this would be a worthless haul. Oh. Wait.....
 
Afrihost, you see your ADSL account password. Not a problem to me.

OP referring to client portal creds specifically. A few of these client portals have PII. If your DSL password gets stolen\used it's easy to rectify vs stolen PII. Doesn't the AH portal store a copy of your ID?
 
ALL passwords should be stored hashed using a proper password-grade hashing algorithm.

This will not solve the problem entirely, because a hashed password file can be made to reveal 90% of cleartext passwords using rainbow tables. To prevent this from happening, the administrator needs to add a cryptographic salt to hashes.
 
Top
Sign up to the MyBroadband newsletter
X