Plusnet still giving out plaintext passwords

Plusnet is still giving out passwords to its users in plain text, according to media sources.

The Register reported the fact that the telecommunications company, which is owned by BT, has ignored the advice and warnings of security experts and GCHQ, the UK's signals intelligence agency by continuing to send their forgetful users passwords back to them in plaintext and not hashing or salting them

The blog, Plain Text Offenders, first picked up on this several years ago, exposing the practice in July 2013. The authors, on their ‘about' page explain the problem of plaintext password storage: “A website storing a password in plain text means that your password is there, waiting for someone to come and take it. It doesn't even matter if you've created the strongest possible password. It's just there.”  Storing passwords in plain text has been a large theme in several not inconsiderable breaches of recent memory. Sony Entertainment famously stored employees passwords in unencrypted plain text and several breaches of consumer CMS software have supposedly been down to the storage of credentials in plaintext.  

Plusnet spoke to SC, saying that the company “goes to great lengths to ensure we protect and secure our customer data.” Plusnet added that “Passwords are encrypted in our database. We do not show customers their passwords in an email in plain text and anyone who has forgotten their password must go through a combination of security mechanisms to regain access.”

Plusnet might not show customers their password in emails, but it does, according to The Register, provide a link to a webpage which shows their password in plain text. The company did not answer how this plain text delivery of customers' passwords might be better than the standard practice of merely resetting the password.