Dodo And The Extinct Password Protection

I have been with Dodo for home broadband service for more than a decade.

A lot of people might snigger at that, but in all honesty I have been subject to very few problems over that time, and their plans suit my needs. Their customer service department can be difficult to interact with, but I have so little need to deal with them directly, that this hasn’t caused me any significant heartache.

Last week, I noticed from the office that my home ADSL service was down, so I tried to login to their customer portal to see if there was anything there that might suggest what the problem was.

Problem was, I couldn’t remember the password – so I clicked on the “Forgot Password” link.

As you would.

It immediately became apparent that the only options for password retrieval or reset were “call our customer service department” or “sent to you via SMS to your mobile phone”.

Not really wanting to wait in a telephone queue, I took the “sent to you via SMS to your mobile phone” option – but I was bit concerned by this.

No option to offer up details – (such as answers to security questions or date of birth and billing address information) – just tell us your service number, and we’ll SMS it to you.

Just a big button that says “Send Me My Password”.

Thing is, that’s exactly what they did.

They sent me the password.

In plain-text.

Via SMS.

I’m not super concerned that the password was sent via SMS – (though they really shouldn’t be doing that either) – but the fact that they sent me the password in plain-text tells me one thing.

They store them in plain-text.

What the actual fuck?

They really should implement a challenge response mechanism to reset the password online, instead of just storing them in the clear and spitting them out on request, without seeking proof of who is requesting the password.

I will point out that the password to get onto their customer portal is not the same password that allows my ADSL service to authenticate to their servers, but I have to be concerned that if the portal password is stored in the clear, that the login password is stored somewhere in the clear also.

I have tried twice to contact Dodo – (here and here) – via their “9am to 6pm” Twitter service account, and haven’t gotten a reply.

So.

This is all pretty ordinary – care to explain this Dodo?

UPDATE: 18/11/2013 ==========

It has been pointed out to me by highly respected network engineer Mark Newton that “ISPs tend to store plaintext passwords because PPP CHAP auth requires it”. I trust Mark’s opinion on this – but I have worked in ISPs and never seen this. As I point out in the fourth last paragraph, it was not my authentication password that was sent to me, but my customer portal password, so I don’t believe this caveat applies in this instance.