from Hacker News

Virgin Media (UK) stores passwords in plain text, sends them through the mail

by molenzwiebel on 8/17/19, 5:09 PM with 54 comments

  • by wutbrodo on 8/17/19, 7:27 PM

    I learned a long time ago that the default assumption for non-tech-first companies should be deep, deep incompetence, below the level of an undergrad with a decent CS degree, when it comes to basic security practice. Even having your system be Incredibly Important isn't enough to force basic competence: there were plenty of government and bank systems through the 2000s that were apparently designed and maintained by high school kids (looking at you Citibank).

    By 2019, a lot of the industries running more critical systems like finance have figured out that you should take your tech seriously (and it only took them twenty years to figure it out...) ,but it's still a pretty good baseline assumption.

  • by LeoPanthera on 8/17/19, 8:10 PM

    Virgin Media is an ISP, for those who don't know.

    Perhaps more shockingly, they have a maximum password length of 10 characters, and the first character must be a letter.

    https://twitter.com/Joshwright10/status/1162811048359014400

  • by jayflux on 8/17/19, 7:30 PM

    I get everyone replying to virgins Twitter account in disgust, but let’s be honest, the person on the other end of that most likely won’t be technical, nor will there be much chance of them relaying it on. They will reply then go home for the day.

    This is where things like https://securitytxt.org/ are important. Being able to go through to the team or person who knows what’s going on. But then again, if a company stores plain text passwords they most likely won’t have security.txt

  • by shakna on 8/17/19, 7:13 PM

    > Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS (@virginmedia)

    > There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. [0]

    Well, they're not admitting what they do is in any way unsafe, but it really seems like a cut-and-dried GDPR violation.

    They really haven't met even the spirit of:

    > Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

    [0] https://ico.org.uk/for-organisations/guide-to-data-protectio...

  • by heffebaycay on 8/17/19, 7:47 PM

    From 2015: "Virgin Media stores user passwords in plaintext?" https://news.ycombinator.com/item?id=9492006

  • by 5h on 8/17/19, 9:16 PM

    This is the same bunch of clowns who MITM you even after disabling their porn-filter, and the "fix" is to install their root cert.

  • by rvz on 8/17/19, 10:47 PM

    Right now in 2019, companies in the UK who somehow now think that they are 'tech companies' have this attitude when it comes to security. I met one company that recently got funding in the UK that deals with personal insurance and asked them if they write tests and they responded that they don't have tests, because they have no time to write any. In this case, that is like not having a security audit because we don't want anyone knowing the secret sauce.

    Unfortunately, The motto here is that 'If it ain't broke, don't fix it.' and these systems don't get updated in a while until it is too late.

    > Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS

    I can't trust Virgin to mail me anything sensitive then as the person who sent these details could have just seen it and wrote it down beforehand. That is too much of a risk to trust anyone and call that secure, even if it is illegal to open someone else's mail.

    Well I'll be expecting the GDPR officers to mail you clowns a huge fine then.

  • by noodlesUK on 8/18/19, 3:59 AM

    How is it that ISPs are always such awful organisations? I understand that their user base isn’t particularly technical, but there’s no excuse for this sort of public stupidity.

  • by thraxil on 8/18/19, 7:50 AM

    When you have a problem and call support, they do the "please enter the 4th digit of your account password" thing to verify you (further evidence that they store it in plaintext). This is particularly fun since my password is only in a password manager, which, if my service is offline, I can't access. So whenever my internet goes out, calling VM support to get them to fix it involves an extra 15 minutes of me arguing with them.

  • by LIV2 on 8/18/19, 6:27 PM

    I’m a bit rusty and could be wrong but doesn’t MSCHAPv2/CHAP require knowledge of the plaintext password on the server side? I think that makes it required to be stored plaintext for any PPP connection and thus most if not all ISPs would be storing plaintext passwords

  • by amiga-workbench on 8/17/19, 7:29 PM

    UCAS used to do a similar thing. I really hope they have fixed this since. https://i.imgur.com/H2gADSX.png

  • by mlmartin on 8/17/19, 8:23 PM

    Virgin media have a 'memorable word' that you quote to the phone agents as a proof that it's you talking to them. It's not the password to the online account and it's only one of a few bits of info you get asked to prove you are the account holder.

    I think this is what is being talked about. Not the actual account 'password'.

  • by tastroder on 8/20/19, 8:40 AM

    Don't think this was posted yet, they doubled down on this:

    https://mobile.twitter.com/VirginMediaIE/status/116344119354...

  • by alex_duf on 8/18/19, 7:56 AM

    Unfortunately Plusnet does the same

  • by thecleaner on 8/17/19, 9:52 PM

    Does anyone else think the Virgin group companies are really bad and are simply baded on good marketing ? My read on Branson himself is that he's DT with actual billions.