“Never give your password out to anyone!”
“Don’t write down your password!”
“Our staff will never ask you to confirm your password when calling us.”
Et cetera, et cetera, et cetera. As consumers we’re always being told to keep our passwords secret, not use the same one for all sites, make them hard to guess, change them frequently, and so on. And as someone who runs online businesses, I am always insistent as a service provider that in our network design customers’ passwords are hashed using current best-practice methods, so that they are invisible to staff and engineers and, most importantly of all, useless to hackers if the worst were to happen.
So you can imagine how unimpressed I was when I spoke to 123-reg this morning and as part of the security procedure they asked what my password was! Of course, I refused to disclose it over the phone and requested that my discontent be passed to the highest level. I also reached out to them on Twitter to ask for comment for this article:
.@123reg Y R U asking for customers’ web login passwords over the phone? Shockingly conflicting advice. Can you comment for my blog post?
— Paul Freeman-Powell (@paulfp) December 17, 2014
At the time of writing, I’ve not yet received a response. I’ll update this post if/when I do.
This is worrying for several reasons:
It Gives Totally The Wrong Message To Consumers About Passwords
We as an industry need to be absolutely clear and absolutely consistent, otherwise consumers will just get confused and/or apathetic and this will cause untold problems. From (almost) every angle consumers are being told never to disclose their password to anyone and guaranteed that companies’ employees won’t ask them to disclose it, sometimes even instructing customers to report the security breach if they ever are asked for it.
Indeed, it’s one of the tell-tale hallmarks of a phishing exercise when unnecessary information is requested, and it should set major alarm bells ringing. No-one should ever be asked to give their password to an employee of a business, and if asked to you should refuse!
It Exposes Serious Concerns About 123-Reg’s Internal Practices
123-reg are clearly not hashing their passwords, which makes me extremely uncomfortable – to the point that I’m considering closing the account and taking all business away from them. I don’t care if they’re encrypting them in their databases (if they’re even doing that), as they can and obviously are being decrypted and displayed on a screen for staff (and potential hackers) to see. Or do they store them in plain text? I b****y hope not!
I don’t want their staff seeing or knowing my password!! I don’t use the same password for all websites, and my passwords are complex, random and nonsensical. But let’s be realistic for a moment: most consumers still use easy-to-guess passwords and the same for most websites. Are they doing full background checks on these staff? What would 123-reg do if their staff members tried logging into the email accounts of customers to see what other information they could steal?
What’s most frustrating is I had already provided other security questions which the rep was able to ask me, so why not ask those in the first place?
What I think 123-reg Should Do URGENTLY:
- Send an urgent memo to all staff, immediately rescinding the instruction to ask users for their passwords, and make it a disciplinary offence to do so.
- Immediately update their systems so that all customer passwords are irreversibly hashed and not stored in any other format in their databases and other systems.
- Issue a full apology, guarantee this will never happen again, and re-educate consumers whom they will have confused and misguided.
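To make the second point concrete, here is an added illustration (written for this post; it is not 123-reg’s code and was not part of the original article) of what “irreversibly hashed” storage looks like: the service keeps only a salted PBKDF2 record, a login is checked by recomputing the hash, and nothing on a staff screen can ever reveal the password. The iteration count is an assumed work factor; a memory-hard algorithm such as Argon2 would be the better choice in production.

```python
import hashlib
import hmac
import secrets

# Assumed work factor: tune so one hash costs a noticeable fraction of a second
# on the server, which is what makes bulk guessing expensive for an attacker.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    The salt is random per customer, so two customers with the same password
    get different records and precomputed tables are useless.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record.

    Nothing is decrypted: the attempt is hashed with the stored salt and
    iteration count and the two digests are compared in constant time.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than guess
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: the record a support rep could see reveals nothing.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
```

A support system built this way can answer “is this password correct?” but never “what is this customer’s password?”, which is exactly why a rep should have no reason to ask for it.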
Have you found other companies being irresponsible like this and sending out conflicting messages regarding information security? Let me know your thoughts in the comments below.