
123-Reg Asking for Customers’ Passwords

By Paul Freeman-Powell | December 17, 2014 | September 14th, 2018

“Never give your password out to anyone!”

“Don’t write down your password!”

“Our staff will never ask you to confirm your password when calling us.”

Et cetera, et cetera, et cetera. As consumers we’re always being told to keep our passwords secret, not to use the same one for all sites, to make them hard to guess, to change them frequently, etc. And as someone who runs online businesses, I am always insistent as a service provider that in our network design customers’ passwords should always be hashed using the current best-practice methods, to make them invisible to staff/engineers and, most importantly of all, useless to hackers if the worst were to happen.

So you can imagine how unimpressed I was when I spoke to 123-reg this morning and as part of the security procedure they asked what my password was! Of course, I refused to disclose it over the phone and requested that my discontent be passed to the highest level. I also reached out to them on Twitter to ask for comment for this article.

At the time of writing, I’ve not yet received a response. I’ll update this post if/when I do.

This is worrying for several reasons:

It Gives Totally The Wrong Message To Consumers About Passwords

We as an industry need to be absolutely clear and absolutely consistent, otherwise consumers will just get confused and/or apathetic and this will cause untold problems. From (almost) every angle consumers are being told never to disclose their password to anyone and guaranteed that companies’ employees won’t ask them to disclose it, sometimes even instructing customers to report the security breach if they ever are asked for it.

Indeed, it’s one of the tell-tale hallmarks of a phishing exercise when unnecessary information is requested, and it should set major alarm bells ringing. No-one should ever be asked to give their password to an employee of a business, and if asked, you should refuse!

It Exposes Serious Concerns About 123-Reg’s Internal Practices

123-reg are clearly not hashing their passwords, which makes me extremely uncomfortable – to the point that I’m considering closing the account and taking all business away from them. I don’t care if they’re encrypting them in their databases (if they’re even doing that), as they can be, and obviously are being, decrypted and displayed on a screen for staff (and potential hackers) to see. Or do they store them in plain text? I b****y hope not!

I don’t want their staff seeing or knowing my password!! I don’t use the same password for all websites, and my passwords are complex, random and nonsensical. But let’s be realistic for a moment: most consumers still use easy-to-guess passwords and the same for most websites. Are they doing full background checks on these staff? What would 123-reg do if their staff members tried logging into the email accounts of customers to see what other information they could steal?

What’s most frustrating is I had already provided other security questions which the rep was able to ask me, so why not ask those in the first place?

What I think 123-reg Should Do URGENTLY:

  1. Send an urgent memo to all staff, immediately rescinding the instruction to ask users for their passwords, and make it a disciplinary offence to do so.
  2. Immediately update their systems so that all customer passwords are irreversibly hashed and not stored in any other format in their databases and other systems.
  3. Issue a full apology, guarantee this will never happen again, and re-educate consumers whom they will have confused and misguided.
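One way to carry out recommendation 2, shown as an added example that is not from the original post and not 123-reg's code: migrate a table that stores recoverable passwords to salted, slow, one-way hashes, so the stored record can check a login but cannot be read back by staff. The table layout, field names and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumption: work factor chosen for this example


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # malformed record: reject rather than crash


def migrate(rows):
    """Drop the recoverable 'password' column and store only the hash record."""
    migrated = []
    for row in rows:
        new_row = {k: v for k, v in row.items() if k != "password"}
        new_row["password_hash"] = hash_password(row["password"])
        migrated.append(new_row)
    return migrated


# Constructed sample data: a hypothetical legacy table with readable passwords.
LEGACY_ROWS = [
    {"user": "alice", "password": "correct horse battery staple"},
    {"user": "bob", "password": "correct horse battery staple"},
]

if __name__ == "__main__":
    for row in migrate(LEGACY_ROWS):
        print(row)  # what a support screen could show: no password to read out
```

After the migration, a support agent has nothing to compare a spoken password against, so identity checks on the phone have to use a different factor, such as the security questions mentioned above.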

Have you found other companies being irresponsible like this and sending out conflicting messages regarding information security? Let me know your thoughts in the comments below.

Paul Freeman-Powell

Paul (@paulfp) is the main presenter of the award-winning Switched On Network YouTube Channel, which covers a variety of interesting topics usually relating to his love of technology and all things geeky. He also founded and runs Innobella Media, where he leads in all aspects of video production, video editing, sound & lighting. A father of 3 children including twins, his hobbies used to include photography, playing the drums and cycling. With a degree in Modern European Languages, Paul speaks French, Spanish and a little bit of Italian, and holds dual British & Irish citizenship.
