Co-op Energy - very worrying
Logged on to Co-op Energy's website today - if you ask for a password reminder, they send the full password by email. There's nowhere on the site to change your password - you have to ring up and staff can see all full passwords.
Bank details aren't visible on the site, but this is terrible security practice. Many people use the same password for other sites - this is leaving them open to the password being stolen - either by staff or by email being captured, which is pretty easy. I've raised a complaint with them, but I'm astounded at a big company behaving like this. Beware.

Comments

Logged on to Co-op Energy's website today - if you ask for a password reminder, they send the full password by email. There's nowhere on the site to change your password - you have to ring up and staff can see all full passwords.
Bank details aren't visible on the site, but this is terrible security practice. Many people use the same password for other sites - this is leaving them open to the password being stolen - either by staff or by email being captured, which is pretty easy. I've raised a complaint with them, but I'm astounded at a big company behaving like this. Beware.
Of course staff can see passwords. How else can things be verified? Staff are trained in data protection, and face dismissal for a breach of these rules, as below.
http://news.bbc.co.uk/2/hi/uk_news/england/hereford/worcs/7585098.stm
Only a complete moron would have the same password for all their log-in needs! :rotfl:

If you're worried report them to the Data Protection Commissioner and see what they say.
I suspect they've already been given the green light to do this though; they'd risk a potentially massive fine if not.
Make £2018 in 2018 Challenge - Total to date £2,108

bob, if you read that news item you'll find it says normally staff can't read passwords. It's extremely unusual for any site that stores personal data to store it in plain text so that staff can see it - passwords are usually encrypted. And they should never be sent by email, which is not secure.

bob_bank_spanker wrote: »Of course staff can see passwords.
Only a clueless ignoramus would write that.
And about ninety-nine percent of users are complete morons. Some leeway has to be given to this reality and procedures should not routinely exacerbate this.

bob_bank_spanker wrote: »Of course staff can see passwords. How else can things be verified?
Normal practice is not to store the password at all but to put the password through a "hashing" function and store the output. The hashing function turns the password into a long string of characters. When you enter your password in order to log in, the site applies the hashing function to the password you enter and checks that the output is the same as what is stored.
The point about this system is that it's very difficult to reverse the hashing function - if someone steals the database containing the hashes of all the passwords, it's very difficult to turn those hashes back into the actual passwords. The fact that the site is able to send you your password shows that they are storing the actual password and not just the hash, which is dangerous both because their staff can see it and because if their database is stolen (not an uncommon occurrence) the thief will have the passwords for everyone's accounts.

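An added worked example of the store-the-hash scheme described in the post above (my own illustration, not code from this thread or from Co-op Energy), in Python: the site keeps only a random per-user salt and a PBKDF2-HMAC-SHA256 digest, and a login re-derives the digest from what the user typed. The user records, the sample password and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for the example; tune the iteration count for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory user table: username -> (salt, digest). No plaintext anywhere.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a digest from the password; a fresh random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def register(username: str, password: str) -> None:
    """Store (salt, digest) only; the password itself is discarded after this call."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """The check the site performs: hash what was typed and compare with what is stored."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs about as much as a wrong password.
        hash_password(password)
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def reset_password(username: str) -> str:
    """What a 'forgotten password' flow can do when no plaintext is held: issue a new
    random password (in practice a one-time reset link) and store only its digest."""
    new_password = os.urandom(12).hex()
    register(username, new_password)
    return new_password


if __name__ == "__main__":
    register("alice", "correct horse battery staple")   # constructed sample account
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong"))                         # False
    print(USERS["alice"][1].hex())   # a 32-byte digest, not the password
```

Two consequences follow from this layout: a support agent looking at the table sees salts and digests, not passwords, so a "password reminder" email is impossible and the only recovery path is a reset; and because every user gets a different salt, two users who chose the same password get different digests, so a stolen table cannot be attacked in bulk with one precomputed list.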
I've worked with computer security for ages (retired now, so maybe out of touch).
When I first read Bob's post, I also initially thought "clueless ignoramus", but thinking a bit further I now realize they must be storing the full password in plaintext because for some operations they ask me for individual characters from the password.
E.g. "Please type characters 7 & 9 from your password" sort of thing.
Unless there's been some advance in hash functions that allows this, they must have the original plaintext; you couldn't deduce or verify individual characters from an MD5 or SHA-1 hash.
However, they also ask for more than one "Password" - mother's maiden name, name of first pet, that sort of thing. I assume that is what is now hashed properly.

There's no doubt they hold it in plain text - they told me! The only way to change the password is to tell the call centre person, and they type it in.

When I first read Bob's post, I also initially thought "clueless ignoramus", but thinking a bit further I now realize they must be storing the full password in plaintext because for some operations they ask me for individual characters from the password.
I was curious about the case of a bank asking you for certain letters from your password, so I did some googling. It appears that you are right that hashing would not allow you to do this - from what I read, they normally use some sort of reversible encryption to store the password. I guess in the case of the passwords being stolen it all depends on whether they also get the encryption key (or whether the encryption can be broken in a reasonable amount of time by brute force). I also found a link to an alternative approach called k-out-of-n threshold secret sharing (I'd post it but new users aren't allowed). You could also store hashes of every possible set of characters that might be asked for, but those hashes would be susceptible to brute-force attacks.
However, the fact that they can send you the password indicates that in the case of Co-op energy, they definitely hold it either reversibly encrypted or as plain text - either way, the fact that they allow their staff to see the entire password seems worrying, as does sending it over email.

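An added illustration (my own code, not from this thread) of the "hashes of every possible set of characters" approach that the post above mentions, which answers the earlier poster's point that a plain MD5 or SHA-1 hash cannot check "characters 7 & 9". At enrolment every pair of positions the site might ask for gets its own salted hash, so the login check needs no plaintext; `guesses_per_entry` then counts how few candidate answers one stored entry leaves, which is the brute-force caveat the post raises. The challenge size, iteration count and sample password are assumptions for the example.

```python
import hashlib
import hmac
import itertools
import math
import os
import string
from typing import Dict, Tuple

# Assumptions for the example: the site asks for 2 positions per login, and the
# KDF iteration count is kept low so the demonstration runs quickly.
CHALLENGE_SIZE = 2
ITERATIONS = 20_000

Positions = Tuple[int, ...]
Record = Tuple[bytes, int, Dict[Positions, bytes]]  # (salt, password length, per-challenge hashes)


def _subset_hash(salt: bytes, positions: Positions, chars: str) -> bytes:
    """Hash the answer to one challenge. The positions are mixed in so the same
    characters asked at different positions give different digests."""
    msg = ",".join(str(p) for p in positions).encode() + b"|" + chars.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)


def enrol(password: str) -> Record:
    """Store one salted hash per possible challenge instead of the password.
    Positions are 1-based, matching prompts like 'characters 7 & 9'."""
    salt = os.urandom(16)
    table: Dict[Positions, bytes] = {}
    for positions in itertools.combinations(range(1, len(password) + 1), CHALLENGE_SIZE):
        chars = "".join(password[p - 1] for p in positions)
        table[positions] = _subset_hash(salt, positions, chars)
    return salt, len(password), table


def verify_challenge(record: Record, positions: Positions, answer: str) -> bool:
    """Check the user's answer to 'type characters p1 & p2' with no plaintext held."""
    salt, _, table = record
    key = tuple(positions)
    stored = table.get(key)
    if stored is None or len(answer) != len(key):
        return False
    return hmac.compare_digest(_subset_hash(salt, key, answer), stored)


def guesses_per_entry(alphabet_size: int = len(string.ascii_letters + string.digits)) -> int:
    """Upper bound on candidate answers for one stored entry: the caveat from the
    post above. With 62 symbols and 2 positions that is only 62**2 = 3,844."""
    return alphabet_size ** CHALLENGE_SIZE


def entry_strength_bits(alphabet_size: int = 62) -> float:
    """The same bound expressed as bits of work (about 11.9 bits for 2 of 62)."""
    return math.log2(guesses_per_entry(alphabet_size))


if __name__ == "__main__":
    rec = enrol("Tr0ub4dor&3")                   # constructed sample password
    print(verify_challenge(rec, (7, 9), "dr"))    # True
    print(verify_challenge(rec, (7, 9), "xx"))    # False
    print(len(rec[2]), "entries;", guesses_per_entry(), "guesses each")
```

The numbers make the post's reservation concrete: an 11-character password needs 55 stored entries, and each one can be recovered from a stolen table with at most 3,844 guesses, so only the slowness of the key-derivation function separates the table from the password. That is why the post treats this as weaker than ordinary whole-password hashing, and why reversible encryption with a separately protected key, or a threshold secret-sharing scheme, are the alternatives it mentions.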
Co-op bank is the same, the staff can see the passwords. Incredible, in this day and age. Those computer hackers who tried to capture transmissions in Santander and Barclays could just get a job in the Co-op and save all the hassle.

I'm informed by Co-Op Energy that they don't consider their website contains any 'sensitive information'. So apparently your name, address and energy consumption are not considered worth protecting.
This discussion has been closed.