Very Insightful Person
Message 21 of 61

Re: SuperHub3 - plain text password

Put your hand over the box. It's a local device, it's not a big deal. If someone can see you enter it they can reset it at the hub anyway.

0 Kudos

On our wavelength
Message 22 of 61

Re: SuperHub3 - plain text password

It is a big deal - it’s terrible security practice. And what’s more it takes precisely four more characters of HTML to change. Swap type='text' for type='password' and you’re done.

This is done purely to save money on support calls from those who have forgotten their password, and done with absolutely zero regard for customers’ security. Is that really the sort of attitude from a company towards its customers that you’re happy with!?

0 Kudos

Very Insightful Person
Message 23 of 61

Re: SuperHub3 - plain text password

For hardware I control and it's not online, I don't care. I would use my own router so it would only be a modem anyway.

0 Kudos

On our wavelength
Message 24 of 61

Re: SuperHub3 - plain text password

I use my own router too. I do care very much if the entry point to my own network is vulnerable and so should everyone. If that’s compromised then all traffic entering and exiting my network is compromised. Passwords, private details, everything.

There’s also nothing to stop a hostile party siphoning off my bandwidth or even posing as me. If they get up to some seriously illegal activity on my network then I’ll have a hell of a time proving to the authorities that it wasn’t me.

Food for thought...

0 Kudos

Tuning in
Message 25 of 61

Re: SuperHub3 - plain text password

I'm sorry, but this *is* a big deal. It is completely unacceptable to a) have a password appear in plain sight without being obfuscated and more importantly b) have a login page that's not using SSL (https). Virgin need to address this. I appreciate this is a home device, but to throw security out of the window like this is unacceptable. Security best practices are there for very solid reasons. You don't want your kids to be able to see the password required to turn off the parental controls. It's clear that Virgin do not take their customers' on-line security seriously. Yes, if you have physical access to the device then you can hard reset the hub but that is not really the point.

0 Kudos

Legend
Message 26 of 61

Re: SuperHub3 - plain text password

Why do you need https on an internal network?


Tudor
There are 10 types of people: those who understand binary and those who don't and F people out of 10 who do not understand hexadecimal c1a2a285948293859940d9a49385a2
0 Kudos

Very Insightful Person
Message 27 of 61

Re: SuperHub3 - plain text password

Https helps take people's mind off the tin foil hat

 

0 Kudos
Reply
Highlighted
  • 21.85K
  • 626
  • 3.69K
Alessandro Volta
608 Views
Message 28 of 61
Flag for a moderator

Re: SuperHub3 - plain text password


@stevespalding wrote:

I'm sorry, but this *is* a big deal. It is completely unacceptable to a) have a password appear in plain sight without being obfuscated and more importantly b) have a login page that's not using SSL (https). Virgin need to address this. I appreciate this is a home device, but to throw security out of the window like this is unacceptable. Security best practices are there for very solid reasons. You don't want your kids to be able to see the password required to turn off the parental controls. It's clear that Virgin do not take their customers' on-line security seriously. Yes, if you have physical access to the device then you can hard reset the hub but that is not really the point


What? You can't prevent the kids from seeing the hub's password?

And by acknowledging the factory reset, you've defeated the thrust of your argument.

 

Seph - ( DEFROCKED - My advice is at your risk)

0 Kudos

On our wavelength
Message 29 of 61

Re: SuperHub3 - plain text password

You need https because you’re sending passwords in plain text. If you’re doing that over WiFi then you’re broadcasting it. Https takes very little effort and there is no excuse for not using it these days. 

IT security is like playing with guns. You always treat the gun as if it’s loaded and has a hair trigger so mistakes have a significantly lower chance of causing harm. Https and masked password fields are such basics that it’s ludicrous that they’re not implemented. 

0 Kudos
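
The two checks argued for in this thread (a masked password field, and a login form submitted over HTTPS), written as a small audit over a page's HTML. This is an added example, not part of any poster's message and not Virgin Media's code; the `hub.example` URL, the field name `password` and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PASSWORD_HINTS = ("pass", "pwd")  # assumption: how credential fields are usually named

class LoginFormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = page_url  # outside a <form>, judge by the page URL
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            self._check_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = self.page_url

    def _check_input(self, a):
        input_type = a.get("type", "text").lower()  # HTML default type is text
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder")).lower()
        if not (input_type == "password" or any(h in label for h in PASSWORD_HINTS)):
            return  # not a credential field
        field = a.get("name") or a.get("id") or "?"
        if input_type != "password":
            self.findings.append((field, "unmasked"))  # typed value shown on screen
        if urlsplit(self.form_action).scheme != "https":
            self.findings.append((field, "cleartext-submit"))  # sent without TLS

def audit_login_page(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not the hub's real login page.
WEAK = '<form action="/login" method="post"><input type="text" name="password"></form>'
FIXED = '<form action="/login" method="post"><input type="password" name="password"></form>'

if __name__ == "__main__":
    print(audit_login_page("http://hub.example/", WEAK))
    print(audit_login_page("https://hub.example/", FIXED))
```

Masking the field clears only the first finding; the second remains until the form itself is served and submitted over HTTPS.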

Alessandro Volta
Message 30 of 61

Re: SuperHub3 - plain text password


@RussPitcher wrote:

You need https because you’re sending passwords in plain text. If you’re doing that over WiFi then you’re broadcasting it. Https takes very little effort and there is no excuse for not using it these days. 

IT security is like playing with guns. You always treat the gun as if it’s loaded and has a hair trigger so mistakes have a significantly lower chance of causing harm. Https and masked password fields are such basics that it’s ludicrous that they’re not implemented. 


Except when the device concerned has a factory reset button.

 

Seph - ( DEFROCKED - My advice is at your risk)

0 Kudos