TPG Community

Ask, answer and talk about our products

Password security concern

Level 3
I have only joined tpg, and it was a few weeks between signing up and account activation, so I forgot my password. I clicked the forgot password link, expecting to have to reset it but instead I received an email containing my password in clear text!

That is a massive security issue, as it means tpg has stored my password either in clear text or in a manner that any encryption can be easily reversed. I suspect the former. And then to send it via clear text?

What's the story here? Surely it's common knowledge that passwords should never be stored in unencrypted clear text. That's like rookie mistake number one.

I'm now concerned about my tpg service and I'm bringing this to your attention in the hope you will do something to address it.
13 REPLIES
Level 7

Hi @stuarttravers I'm just a TPG customer and I can't see what the issue is? If someone has forgotten a password it makes sense to me to receive the said password to the recovery email address that was set up when the account was formed.

 Plain text makes even more sense, otherwise how were you planning to decrypt it unless you once again knew the encryption password?

Level 3
In the event of a data breach, someone can obtain the passwords of all users instantly. The majority of people use the same password for multiple things (that's bad practice but true) so if your password is obtained, hackers will have access to any and all accounts using the same password. Email, google, Facebook etc.

Best practice is to provide either a temporary password that must be changed on first use, or a password reset link which uses a unique code.

The password itself should be stored in an encrypted fashion that cannot be read or reverse engineered by anyone.

NEVER should the password be stored or emailed in plain text.

This is security basics. Source: 20+ years experience.
Level 7

I see where you're coming from, most likely the email you received though was automated and wasn't seen by human eyes anyway, in effect encrypted, as it was only seen by you after logging in to your password encrypted email account, yes?

Level 3
The fact that it's automated is neither here nor there. That's only useful if every single person who could access the database follows the rules. Which hackers don't. , If done correctly/securely it should be completely impossible to retrieve a user's password. It should only be possible to create a new one.
Level 7

Would a model like a bank employs be secure enough? For instance I needed to bpay something yesterday that required a verification code that was sms'd to me and read off a phone screen and then entered into a field on the web page, supposedly on a https secure site?

Level 3
Not if the bank could then tell you what your password is. It should only be able to set (or let you set) a new one. If that's what happened then yep that's close to perfect.
Level 3
What most people don't understand is that a website doesn't need to know what your password is to be able to authenticate it. All it needs to know is the encrypted code that will be generated if the correct password is entered.

Fur example, say your password is "abc123". When you first set it, that password should be combined with something else (known as a "seed"), and an encrypted string is created and stored, along with the seed.

From then on, any time you try to log on, the system just takes what you enter, combines it with the seed, encrypts it and compares the result with the result stored in the database. If they match, you're in.

If that happens, it doesn't matter who sees the database. Without your password, they can't generate the matching encrypted string and can't log in.

Sorry for getting technical.
Level 7

I see what you did there, and at the end of the day, if Asio or the Kremlin wan't my meagre bandwidth they can have it Man Wink

Level 3
It's not just about your bandwidth though. If you use the same password for multiple things, and a lot of people do, then it's potentially everything you've used that password for. Could be your email, banking, Facebook, Google, whatever.