Superuser
Superuser
Message 21 of 55

Re: SuperHub3 - plain text password

Put your hand over the box. It's a local device; it's not a big deal. If someone can see you enter it, they can reset it at the hub anyway.

RussPitcher
Tuning in
Message 22 of 55

It is a big deal - it’s terrible security practice. And what’s more it takes precisely four more characters of HTML to change. Swap type='text' for type='password' and you’re done.

This is done purely to save money on support calls from those who have forgotten their password, and done with absolutely zero regard for customers’ security. Is that really the sort of attitude from a company towards its customers that you’re happy with!?

Superuser
Superuser
Message 23 of 55

For hardware I control and it's not online, I don't care. I would use my own router so it would only be a modem anyway.

RussPitcher
Tuning in
Message 24 of 55

I use my own router too. I do care very much if the entry point to my own network is vulnerable and so should everyone. If that’s compromised then all traffic entering and exiting my network is compromised. Passwords, private details, everything.

There’s also nothing to stop a hostile party siphoning off my bandwidth or even posing as me. If they get up to some seriously illegal activity on my network then I’ll have a hell of a time proving to the authorities that it wasn’t me.

Food for thought...

stevespalding
Tuning in
Message 25 of 55

I'm sorry, but this *is* a big deal. It is completely unacceptable to a) have a password appear in plain sight without being obfuscated and more importantly b) have a login page that's not using SSL (https). Virgin need to address this. I appreciate this is a home device, but to throw security out of the window like this is unacceptable. Security best practices are there for very solid reasons. You don't want your kids to be able to see the password required to turn off the parental controls. It's clear that Virgin do not take their customers' on-line security seriously. Yes, if you have physical access to the device then you can hard reset the hub but that is not really the point.

Tudor
Superstar
Message 26 of 55

Why do you need https on an internal network?


There are 10 types of people: those who understand binary and those who don't and F people out of 10 who do not understand hexadecimal
Superuser
Superuser
Message 27 of 55

https helps take people's minds off the tin foil hat

 

Sephiroth
Alessandro Volta
Message 28 of 55


@stevespalding wrote:

I'm sorry, but this *is* a big deal. It is completely unacceptable to a) have a password appear in plain sight without being obfuscated and more importantly b) have a login page that's not using SSL (https). Virgin need to address this. I appreciate this is a home device, but to throw security out of the window like this is unacceptable. Security best practices are there for very solid reasons. You don't want your kids to be able to see the password required to turn off the parental controls. It's clear that Virgin do not take their customers' on-line security seriously. Yes, if you have physical access to the device then you can hard reset the hub but that is not really the point


What? You can't prevent the kids from seeing the hub's password?

And by acknowledging the factory reset, you've defeated the thrust of your argument.

 

Seph - ( DEFROCKED - My advice is at your risk)

RussPitcher
Tuning in
Message 29 of 55

You need https because you’re sending passwords in plain text. If you’re doing that over WiFi then you’re broadcasting it. Https takes very little effort and there is no excuse for not using it these days. 

IT security is like playing with guns. You always treat the gun as if it’s loaded and has a hair trigger so mistakes have a significantly lower chance of causing harm. Https and masked password fields are such basics that it’s ludicrous that they’re not implemented. 

Sephiroth
Alessandro Volta
Message 30 of 55


@RussPitcher wrote:

You need https because you’re sending passwords in plain text. If you’re doing that over WiFi then you’re broadcasting it. Https takes very little effort and there is no excuse for not using it these days. 

IT security is like playing with guns. You always treat the gun as if it’s loaded and has a hair trigger so mistakes have a significantly lower chance of causing harm. Https and masked password fields are such basics that it’s ludicrous that they’re not implemented. 


Except when the device concerned has a factory reset button.

 

Seph - ( DEFROCKED - My advice is at your risk)
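
The two issues debated in this thread, a password field rendered as plain text and a login form submitted over HTTP rather than HTTPS, can be checked for mechanically. The following is an added example, not part of any post and not the hub's own code; the sample markup, the 192.168.0.1 address, the /login path and the finding names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup and URLs (assumptions, not the hub's real page).
HTTP_URL = "http://192.168.0.1/login.html"
HTTPS_URL = "https://192.168.0.1/login.html"
WEAK_FORM = """<form action="/login" method="post">
  <input type="text" name="password" id="pwd">
  <input type="submit" value="Log in">
</form>"""
FIXED_FORM = WEAK_FORM.replace('type="text"', 'type="password"')


class LoginFormAudit(HTMLParser):
    """Collects findings for credential inputs on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # resolved action of the enclosing <form>
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action inherits the scheme of the page itself.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
            return
        if tag != "input":
            return
        kind = a.get("type", "text").lower()
        label = (a.get("name", "") + " " + a.get("id", "")).lower()
        looks_secret = "pass" in label or "pwd" in label
        if not (looks_secret or kind == "password"):
            return
        if kind != "password":
            self.findings.add("unmasked-password-field")
        target = self.form_action or self.page_url
        if urlparse(target).scheme != "https":
            self.findings.add("password-sent-without-tls")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(html, page_url):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)
```

Masking the field and encrypting the submission are independent fixes: `audit(FIXED_FORM, HTTP_URL)` still reports the transport finding, and `audit(WEAK_FORM, HTTPS_URL)` still reports the unmasked field.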
