TPG Community

Get online support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Password security concern

stuarttravers
Level 3
Level 3
‎12-03-2018 10:37 AM
I have only joined tpg, and it was a few weeks between signing up and account activation, so I forgot my password. I clicked the forgot password link, expecting to have to reset it but instead I received an email containing my password in clear text!

That is a massive security issue, as it means tpg has stored my password either in clear text or in a manner that any encryption can be easily reversed. I suspect the former. And then to send it via clear text?

What's the story here? Surely it's common knowledge that passwords should never be stored in unencrypted clear text. That's like rookie mistake number one.

I'm now concerned about my tpg service and I'm bringing this to your attention in the hope you will do something to address it.
Reply
16 REPLIES 16
orbistat
Level 8
Level 8
‎12-03-2018 01:56 PM

Hi @stuarttravers I'm just a TPG customer and I can't see what the issue is? If someone has forgotten a password it makes sense to me to receive the said password to the recovery email address that was set up when the account was formed.

 Plain text makes even more sense, otherwise how were you planning to decrypt it unless you once again knew the encryption password?

0 Likes
Reply
stuarttravers
Level 3
Level 3
‎12-03-2018 02:02 PM
In the event of a data breach, someone can obtain the passwords of all users instantly. The majority of people use the same password for multiple things (that's bad practice but true) so if your password is obtained, hackers will have access to any and all accounts using the same password. Email, google, Facebook etc.

Best practice is to provide either a temporary password that must be changed on first use, or a password reset link which uses a unique code.

The password itself should be stored in an encrypted fashion that cannot be read or reverse engineered by anyone.

NEVER should the password be stored or emailed in plain text.

This is security basics. Source: 20+ years experience.
Reply
orbistat
Level 8
Level 8
‎12-03-2018 02:22 PM

I see where you're coming from, most likely the email you received though was automated and wasn't seen by human eyes anyway, in effect encrypted, as it was only seen by you after logging in to your password encrypted email account, yes?

Reply
stuarttravers
Level 3
Level 3
‎12-03-2018 02:27 PM
The fact that it's automated is neither here nor there. That's only useful if every single person who could access the database follows the rules. Which hackers don't. , If done correctly/securely it should be completely impossible to retrieve a user's password. It should only be possible to create a new one.
Reply
orbistat
Level 8
Level 8
‎12-03-2018 02:39 PM

Would a model like a bank employs be secure enough? For instance I needed to bpay something yesterday that required a verification code that was sms'd to me and read off a phone screen and then entered into a field on the web page, supposedly on a https secure site?

0 Likes
Reply
stuarttravers
Level 3
Level 3
‎12-03-2018 02:44 PM
Not if the bank could then tell you what your password is. It should only be able to set (or let you set) a new one. If that's what happened then yep that's close to perfect.
Reply
stuarttravers
Level 3
Level 3
‎12-03-2018 02:50 PM
What most people don't understand is that a website doesn't need to know what your password is to be able to authenticate it. All it needs to know is the encrypted code that will be generated if the correct password is entered.

Fur example, say your password is "abc123". When you first set it, that password should be combined with something else (known as a "seed"), and an encrypted string is created and stored, along with the seed.

From then on, any time you try to log on, the system just takes what you enter, combines it with the seed, encrypts it and compares the result with the result stored in the database. If they match, you're in.

If that happens, it doesn't matter who sees the database. Without your password, they can't generate the matching encrypted string and can't log in.

Sorry for getting technical.
Reply
orbistat
Level 8
Level 8
‎12-03-2018 02:56 PM

I see what you did there, and at the end of the day, if Asio or the Kremlin wan't my meagre bandwidth they can have it Man Wink

0 Likes
Reply
stuarttravers
Level 3
Level 3
‎12-03-2018 02:59 PM
It's not just about your bandwidth though. If you use the same password for multiple things, and a lot of people do, then it's potentially everything you've used that password for. Could be your email, banking, Facebook, Google, whatever.
Reply