"Not just the 4th and 17th character - the whole thing"
If any company asks for the 4th character of your password, that means they are storing your password in a reversible fashion, and they should be dumped.
The online account should never be logged in by anyone other than the owner. The person on the phone, if their job requires it, should have read/write access to your account, but that should be audited as "Joe Bloggs" accessing the account.
Using a password that is unique (and highly dissimilar from any other password of yours) can prevent almost all harm from having it stored in plaintext.
While that is true, that's blaming the user for choosing bad passwords, and not the system for keeping the systems safe, which is an implicit guarantee - I'm giving you this secret key, your job is to keep it safe.
The only reason we need unique passwords is because the system can't hold up its end of the bargain.
Edit: And in hindsight, I was wrong in calling it a bad password from the user - the only reason it's necessarily bad is because it has been compromised. If I use the same sufficiently complex, brute-force-proof password everywhere, we can safely say I've held up my bargain, but a single data breach completely removes that otherwise impenetrable defense.
Hashes can't protect the content if it's feasible to enumerate all possible values of the content.
You can't hide individual letters of the alphabet with a hash. Not even with a salt and an expensive hash. It's a hopeless case where a brute-force attack takes only 26 times (or 676 for a pair of letters) longer than a comparison you do during normal operation.
BTW: it's also not possible to use hashes to hide/anonymize phone numbers or IP addresses. The attacker can generate hashes of all possible values and see which one it is.
Let's say my password is NmsWQlWj1kzS534ojygJ. The 4th and 17th characters are W and j. Even if those two characters are stored in plain text, how exactly does that compromise my password?
Okay, so now it's a brute force which requires, at most, a couple hundred hashes (or less for a typical user's character set). Even for a very expensive algorithm, this is an extremely short operation.
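The enumeration attack described in the two comments above (a salted, iterated hash over a single password character, a phone number or an IP address), as an added example that is not part of the original thread. The stored values, the salt handling and the candidate sets are all constructed for the demo; the password is the one quoted in the thread, and the phone prefix and IP range are assumed for illustration.

```python
import hashlib
import ipaddress
import os
import string
from typing import Iterable

# Added example (constructed for this demo, not any real site's code):
# a salted, iterated hash does not hide a value whose whole domain can
# be enumerated, because the attacker pays at most len(domain) times
# the cost of one normal verification.

ITERATIONS = 1_000  # kept low so the demo runs in seconds; raising it to
                    # 600_000 slows the attacker and the login by the same factor
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def slow_hash(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of 'expensive hash' the post mentions."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)


def store(value: str) -> tuple[bytes, bytes]:
    """What a site might persist for one password character, a phone number or an IP."""
    salt = os.urandom(16)
    return salt, slow_hash(value, salt)


def recover(salt: bytes, digest: bytes, candidates: Iterable[str]) -> tuple[str, int]:
    """Hash every candidate with the stored salt until one matches.

    Returns (recovered value, number of hashes computed). The salt stops a
    precomputed table but does nothing against an attacker who simply walks
    the domain once per stored record.
    """
    for n, candidate in enumerate(candidates, 1):
        if slow_hash(candidate, salt) == digest:
            return candidate, n
    raise ValueError("value not in candidate set")


def password_positions(password: str, *positions: int) -> list[str]:
    """The 1-based characters a '4th and 17th character' scheme would store."""
    return [password[p - 1] for p in positions]


def phone_numbers(prefix: str, suffix_digits: int) -> Iterable[str]:
    """Every number with a fixed prefix (assumed range: UK 07700 900xxx)."""
    return (prefix + str(i).zfill(suffix_digits) for i in range(10 ** suffix_digits))


def ipv4_hosts(cidr: str) -> Iterable[str]:
    """Every host address in a block (assumed range: 203.0.113.0/24)."""
    return (str(h) for h in ipaddress.ip_network(cidr).hosts())


def demo() -> dict:
    """Run all three enumerations and report what was recovered and at what cost."""
    results = {}
    for pos, char in zip((4, 17), password_positions("NmsWQlWj1kzS534ojygJ", 4, 17)):
        salt, digest = store(char)
        results[f"char{pos}"] = recover(salt, digest, CHARSET)   # <= 94 hashes
    salt, digest = store("07700900123")
    results["phone"] = recover(salt, digest, phone_numbers("07700900", 3))  # <= 1000
    salt, digest = store("203.0.113.42")
    results["ip"] = recover(salt, digest, ipv4_hosts("203.0.113.0/24"))     # <= 254
    return results


if __name__ == "__main__":
    for name, (value, hashes) in demo().items():
        print(f"{name}: recovered {value!r} after {hashes} hashes")
```

The ratio is the whole point: a login verification costs one `slow_hash`, recovering a stored character costs at most 94 of them, a pair at most 94², and a phone number or IP address a few thousand. Tuning `ITERATIONS` up scales both sides equally, so it never closes the gap.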
Thames Water is a joke, and a bad one at that. When I first moved to London they didn’t send me a bill until the end of the year, for the full year. Then they sent another – same exact amount, same address, different reference number. I called them to say the bill was already paid and they confirmed over the phone that they could see the payment for the other bill, but they couldn’t trash the new one for some reason and to avoid any extra charges I had to pay it and then ask for a refund. I remarked how dumb that was, but acquiesced and paid the thing only to then ask for a refund. They said it’d be processed within a couple of weeks, but of course it never was, so I called again. And again. And again. About six months later I just gave up, and accepted that Thames Water will forever owe me some £500 or so, and I’ll never get them back.
Paying money you don't owe them is definitely the wrong move. I'd have written them a letter providing them with proof that the first bill had been paid and stating that I will not enter into any further correspondence. It would be up to them to sort their shit out.
Anyone else in a similar situation should be able to resolve the matter by complaining to the Consumer Council for Water. In the staggeringly unlikely event that this did not resolve the situation then taking Thames Water to small claims court would be the next step.
For sure, and it felt wrong at the time but I took their reassurances at face value. While I'm sure there was some process by which I could reclaim the money, in the end I just gave up and wrote it off.
Perfectly understandable. Having re-read what I wrote, I apologise if it came off as criticizing your past lack of action! I wrote more from the position of wanting to provide advice for anyone else who finds themselves in a similar situation and isn't sure if they can do anything about it.
Nothing to apologize for buddy, I read it exactly as you intended – advice, not critique! Appreciate the concern and civility though, have a great day! :o)
Sweden, and absolutely, for me things are without a doubt much better here. There will always be annoyances in life, but at least it's not death by a thousand cuts, which is how I felt about living in the UK.
So many companies in the UK don't seem to get it (or are purposefully doing bad security), we need regulation .. or perhaps just application of current legislation (I don't know) ..
There needs to be someone saying "you restricted your passwords to 8 alphabetic characters, your C-grade in charge of security can no longer hold a position that involves security, and your company must pay 50% of profits (subject to a minimum of 5% of revenue) as a fine."
With a very clear, basic, definition of minimum security levels for companies (above a certain size) to comply with.
We can't leave security to the market as the information isn't public and the market on the whole can't comprehend it.
Careful; this is things like FIPS, and it's likely to include things you don't like such as "ban the use of password managers and take technical measures to prevent pasting in passwords".
What are you referring to? The only FIPS I know are crypto standards from NIST, and they seem pretty reasonable. (Except for the EC RNG of course lol.) Even the NIST password recommendations are pretty reasonable IIRC, they recommend having no upper limit (or like 60+ characters) and not enforcing any kind of "you need at least 1 special sign and 2 numbers", except for a lower limit (at least 8 characters).
The problem with such regulations is they tend to be written by the same kinds of people - those who still assume that having meaningful SQL characters in a password is insecure, or that every device on the Internet will have a static IP.
"Your new account number is <big string of digits>, you must go to the website and enter it there to re-register."
Uh.. ok? (Leaving aside that this reads like phishing, I go to the website.)
`input_mode="numeric"` prevents me pasting the <big string of digits>, so I get rid of that, paste it, feel briefly sorry for customers that won't know to do that, and then it errors anyway.
They shouldn't even be able to know what your password is. They shouldn't have a copy of it anywhere. Only a hash function (or several) of it.
It should be impossible for any of their staff to ever obtain your password, or tell it back to you, or verify that you're reading it to them correctly -- BECAUSE they don't have a copy of your password ANYWHERE.
> So, we came up with a compromise. They would reset my password, log in to my account, fiddle around with it, and then call me with the new password. And so they did.
I'm not sure that the staff did in fact have access to the password. It sounds as if they needed to log in as the customer to make necessary changes, so the password request was in the context of a login attempt.
Of course, this just raises further questions about how they manage their systems, if they cannot administratively perform any action required without acting as the customer.
I don't think I have ever used or developed a system with a login function that did not have the means to allow admins, or someone with appropriate privileges, to reset a password. I would regard that as a basic standard feature.
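The design the two comments above describe (no copy of the password anywhere, staff able to reset it but never to read it back, privileged actions recorded under the staff member's own identity rather than by logging in as the customer), as an added example that is not part of the original thread or of any utility's system. The account store, the staff identifiers and the audit record format are all assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

# Added example (constructed, not any company's code): password storage in
# which staff can reset a customer's password and act on the account under
# their own name, but can never see, repeat or verify the customer's password
# because only a salted scrypt hash of it exists.


@dataclass
class Account:
    pw_salt: bytes
    pw_hash: bytes
    must_change: bool = False   # set after a staff reset so the temporary password is one-use


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)    # who did what to whose account, and when


def _hash(password: str, salt: bytes) -> bytes:
    """scrypt with parameters that fit hashlib's default 32 MiB maxmem."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def create_account(store: Store, user: str, password: str) -> None:
    salt = os.urandom(16)
    store.accounts[user] = Account(salt, _hash(password, salt))


def verify(store: Store, user: str, password: str) -> bool:
    """The only operation that ever touches a plaintext password, and it comes from the customer."""
    acct = store.accounts.get(user)
    if acct is None:
        return False
    return hmac.compare_digest(_hash(password, acct.pw_salt), acct.pw_hash)


def staff_reset(store: Store, staff_id: str, user: str) -> str:
    """Staff reset: the old password is unrecoverable, a fresh temporary one is issued once."""
    acct = store.accounts[user]
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    acct.pw_salt, acct.pw_hash, acct.must_change = salt, _hash(temp, salt), True
    store.audit.append({"actor": staff_id, "action": "password_reset",
                        "subject": user, "ts": time.time()})
    return temp   # read out to the customer once; never stored


def staff_update(store: Store, staff_id: str, user: str, change: str) -> None:
    """Account changes made by staff are attributed to the staff member, not to the customer."""
    if user not in store.accounts:
        raise KeyError(user)
    store.audit.append({"actor": staff_id, "action": change,
                        "subject": user, "ts": time.time()})


def actions_by(store: Store, staff_id: str) -> list[str]:
    """Audit query: everything a given staff member did, for later review."""
    return [e["action"] for e in store.audit if e["actor"] == staff_id]


if __name__ == "__main__":
    s = Store()
    create_account(s, "customer@example.com", "NmsWQlWj1kzS534ojygJ")
    temp = staff_reset(s, "joe.bloggs", "customer@example.com")
    staff_update(s, "joe.bloggs", "customer@example.com", "update_billing_address")
    print("temporary password issued:", temp)
    print("audit trail for joe.bloggs:", actions_by(s, "joe.bloggs"))
```

Nothing in `Store` can answer "what is the 4th character of this customer's password": the only way the system can ever be asked about the password is `verify`, and the only thing staff get is a new one, logged against their own name.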
UK Residential water customers fall into basically two categories. Older residences that haven't converted are billed based on "rates" - a guess of what a residence like that uses on average. Newer ones, or if you opt in to have a meter fitted are billed for metered water usage plus (unless exceptionally they have water but no sewage provision) a proportional amount for sewage. There's a discount if you've at least set things up so that rain water doesn't get dumped into the sewer.
But none of this is controllable, so for anyone with financial stability the obvious thing to do is set up Direct Debit (in the UK the law lets you give your bank account details to approved businesses like the water utilities and then the bank just gives them whatever they ask for, the law includes a safeguard so you can retrospectively unwind this with no questions asked) and then forget about it.
If you're too poor for Direct Debit to be wise (residential water can't be shut off for non-payment since courts consider it essential, so if you've got £10 left in the account until the end of the month you don't want the water company taking that money which could otherwise buy food) you still can't do anything about that by having an account.
So I've never had such an account and can't imagine how I'd use it. When I have had a dispute with the water company in the past an account wouldn't have helped, I needed to argue with actual humans about why they were wrong.
Am I so worried about the security of my water bill that it needs to exist behind a password? I’m perfectly happy if anyone who wants to put my address into the website can see exactly how much I currently owe. They can even pay it for me if they really want to.
But if you need to put in your own meter readings I get that that’s different. I’m really complaining more about my own local utilities and other companies that have totally pointless passwords that make paying bills extra difficult.