30

I just phoned the customer support number for my ISP for the first time and was surprised to be asked the fourth and fifth characters of my password, specifically the one I used to log into my account on their website, not a special password for use over the phone. The fact that they know what the fourth and fifth characters are shows that they are not hashing the password.

I believe the GDPR requires them to store the password securely, and if they're not hashing it then I'm sure it can't be considered secure, so should I report them to someone?

The only thing that makes me think this might be acceptable is that it's common for organisations to ask for certain characters of a password over the phone. I think they normally set up a different password specifically for this though, rather than using the website login.

fluidj
  • 419
  • 4
  • 6

4 Answers

29

The GDPR does indeed require that the password be stored "securely". It does not specify the technology which must be used for that purpose. Hashing the PW is a common method, and should be sufficient if properly implemented (strong hash function, use of salt, etc). But other methods of securing the password might be sufficient. Encrypting the PW rather than hashing it, so that an authorized person could decrypt it temporarily might be OK. Or perhaps a security app can separately retrieve only the specified characters of the PW through some sort of encryption. Or perhaps the ISP is not using proper security. In the case of Knuddles in the linked news story, an actual breach occurred which led to the poor security being reported.

You could send a report to the appropriate national Data Protection Authority.

David Siegel
  • 115,406
  • 10
  • 215
  • 408
14

Well, you may be right (probably), yet then again, you may be wrong...

As David Siegel mentioned, they may have encrypted the password and have authorized support personnel decrypting them upon support calls for authentication purposes...

What you can do is to submit a Data Subject Access Request focused on your Password and HOW they handle it in a secure manner... plainly explain this same doubt that you have posted and ask them to explain to you HOW they ensure the Security of your Data, namely the password (in a manner that they are not forced to disclose any "business secrets") but you are still comfortable and reassured with the feedback.

If the answer is "far from satisfactory" use their feedback along with your initial query to compile and submit a structured complaint to your Supervisory Authority so they may be "audited".

2

It's possible that they're storing a hash of the entire password, and in addition storing a hash of just characters 4-5. If they always ask for the same two characters when you call in, this is more likely.

The 4-5 hash is a small security vulnerability, since it would be much easier to crack than full passwords, and then that can be used to reduce the amount of work needed to crack the corresponding full password. Or if someone cracks the small hash, they could call into customer support, convince the rep that they're you, and potentially get them to reset the main password (tech support generally needs to be able to do this if the customer forgets their password and also loses access to the email address used to reset it).

Barmar
  • 8,504
  • 1
  • 27
  • 57
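The "hash of just characters 4-5" scenario Barmar describes can be quantified. The following is an added example (not code from the question, the ISP, or any answerer); it stores a salted PBKDF2 hash of the full password beside a SHA-256 hash of only the fourth and fifth characters, and then measures how small the fragment's keyspace is over a 95-character printable alphabet. The password and alphabet are constructed for the demonstration.

```python
import hashlib
import itertools
import os
import string

# 95 printable ASCII characters: letters, digits, punctuation, space (constructed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def hash_full(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: what a website login should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hash_partial(password: str, positions=(3, 4)) -> bytes:
    """Hash of only the 4th and 5th characters (0-based indices 3 and 4),
    as the answer hypothesises the ISP might store for phone checks."""
    fragment = "".join(password[i] for i in positions)
    return hashlib.sha256(fragment.encode()).digest()


def partial_keyspace(n_chars: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of possible fragments of n_chars characters."""
    return alphabet_size ** n_chars


def fragments_matching(partial_hash: bytes, n_chars: int = 2) -> list:
    """Every n_chars fragment whose hash equals the stored partial hash.
    For n_chars == 2 this is 9,025 SHA-256 evaluations: the fragment hash
    offers no meaningful protection, salted or not, because the input space
    is tiny."""
    return [
        "".join(chars)
        for chars in itertools.product(ALPHABET, repeat=n_chars)
        if hashlib.sha256("".join(chars).encode()).digest() == partial_hash
    ]


def full_search_space(length: int, known_chars: int = 0) -> int:
    """Candidates for a full password of the given length once known_chars
    positions have already been learned from the fragment hash."""
    return len(ALPHABET) ** (length - known_chars)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    salt = os.urandom(16)
    stored_full = hash_full(pw, salt)
    stored_partial = hash_partial(pw)
    print("fragment keyspace:", partial_keyspace(2))
    print("fragments matching stored partial hash:", fragments_matching(stored_partial))
    print("full-password candidates, length 13:", full_search_space(13))
    print("same, with 2 characters known:", full_search_space(13, 2))
```

Note the asymmetry: the full hash has 95^13 candidates and costs 200,000 PBKDF2 iterations per guess, while the fragment hash has 9,025 candidates at one SHA-256 each, which is why the answer calls it a vulnerability even though each fragment check is harmless on its own.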
1

Focusing on the actual problem, your ISP needs to have a way to authenticate its customers (a 'password') when they phone customer support. This means that such password needs to be told to the support agent. Of course, it would be a bad idea to tell them your password, so apparently they decided to set up their system such that:

  • Store the password unhashed internally
  • Their agents can't view your password¹
  • Their support software does have access to the plaintext password, and asks for a couple of characters (different ones each time) in order to authorize you.

This way, the person servicing your call will, at most, know the two characters that you provided.

Compared to giving out your full password to them, it is more secure. Maybe they even e.g. store in plaintext² half of the password and hash the other half. It would be desirable that they supported having a different password for phone support than their website (perhaps they do but you would need to set up such "phone password" separately?) but once you consider the additional requisite of customer support authenticating you through phone, it's not that unreasonable, unlike the case when you are authenticating directly to their website without any middle-men.³

One would still expect that they implement other sensible additional measures. Anyway, don't use any sensitive password. It is best if you use a password manager with a random password only used there.

It is also a good idea to follow the suggestion of Rui Freitas Serrano and ask them about their authentication process and how they protect the security of your account.

¹ So we hope, at least.

² Plaintext and reversible encryption are mostly equivalent here

Ángel
  • 1,216
  • 1
  • 9
  • 10
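The three-bullet design in this answer (reversibly stored password, agents who cannot see it, support software that checks a couple of randomly chosen characters) can be modelled end to end. The following is an added example, not the ISP's system or any answerer's code: a `SupportAuthService` that keeps a salted PBKDF2 hash for website login and a separately encrypted copy for phone checks, returns only pass/fail to the agent, and locks phone verification after repeated failures (a two-character challenge has a 1-in-9,025 guess rate, so throttling is what makes it hold). The `_keystream_xor` cipher is a toy HMAC-based stand-in for a real authenticated cipher such as AES-GCM; the account name, password and lockout threshold are constructed.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (assumption:
    stands in for a real AEAD). Same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class AccountRecord:
    salt: bytes
    web_hash: bytes          # salted PBKDF2 for website login
    nonce: bytes
    enc_password: bytes      # reversibly encrypted copy used only for phone checks
    failed_phone_attempts: int = 0


class SupportAuthService:
    MAX_FAILED = 3  # constructed lockout threshold

    def __init__(self, master_key: bytes):
        self._key = master_key          # held by the service, never by agents
        self._accounts: dict[str, AccountRecord] = {}

    def register(self, user: str, password: str) -> None:
        salt, nonce = os.urandom(16), os.urandom(16)
        self._accounts[user] = AccountRecord(
            salt=salt,
            web_hash=hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            nonce=nonce,
            enc_password=_keystream_xor(self._key, nonce, password.encode()),
        )

    def web_login(self, user: str, password: str) -> bool:
        rec = self._accounts[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, 200_000)
        return hmac.compare_digest(candidate, rec.web_hash)

    def phone_challenge(self, user: str) -> tuple:
        """Two distinct 1-based positions, chosen fresh for every call."""
        length = len(_keystream_xor(self._key, self._accounts[user].nonce,
                                    self._accounts[user].enc_password))
        first = secrets.randbelow(length) + 1
        second = secrets.choice([p for p in range(1, length + 1) if p != first])
        return (first, second)

    def phone_verify(self, user: str, positions: tuple, answer: str) -> bool:
        """Returns only pass/fail; the agent never sees the password."""
        rec = self._accounts[user]
        if rec.failed_phone_attempts >= self.MAX_FAILED:
            return False  # locked: even a correct answer is refused
        password = _keystream_xor(self._key, rec.nonce, rec.enc_password).decode()
        expected = "".join(password[p - 1] for p in positions)
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        rec.failed_phone_attempts = 0 if ok else rec.failed_phone_attempts + 1
        return ok


if __name__ == "__main__":
    svc = SupportAuthService(os.urandom(32))
    svc.register("alice", "correct horse")      # constructed account
    print("web login:", svc.web_login("alice", "correct horse"))
    positions = svc.phone_challenge("alice")
    print("agent asks for characters", positions)
    print("phone check with (4, 5) -> 're':", svc.phone_verify("alice", (4, 5), "re"))
```

The design keeps Ángel's footnote in view: the encrypted copy is as sensitive as plaintext to anyone holding the master key, so the gain is limited to what the human agent learns (two characters) and what a captured phone transcript reveals, which is why the lockout and the "different positions each call" rule carry the real weight.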