Internet providers take note; a wide gaze is being cast across your security measures. The latest ISP to feel the heat is KC’s sibling Eclipse Internet, which makes no attempt to hide its customers’ user password when they log in to check the broadband provider’s online account pages.
Admittedly this isn’t nearly as bad as KC’s own recent engineer security gaffe (here) or EE’s hacked-to-bits router shenanigans (here), yet it is still a problem and one that the ISP itself appears to have no problems with.
A spokeswoman for Eclipse Internet said (The Register):
“Customers can view their password within our secure Eclipse customer portal only after they have logged in using their user name and password to authenticate their details. During the login process the password is not visible in plain text.”
Most reputable ISPs know that the password field in any form should generally be replaced with stars (not shown as plain text), unless the end-user specifically elects to uncover the field (web browsers often give this option when typing your password into a box). One reason why this is desirable is to help prevent over-the-shoulder style data snooping by a third party.
But in Eclipse’s case the user password (note: not DSL password) becomes visible to anybody looking at the monitor when customers browse to their “User Details” page. We’re sure that Eclipse aren’t the only company to make little mistakes like this and it can make life easier for the user, although it’s also a risk and a few simple tweaks might easily make the form more secure.
Meanwhile as a rule we’d always recommend not even accessing private pages or account details until you’re on a home PC where the environment is hopefully more controlled. At the end of the day nothing is 100% secure but a little prudence goes a long way to keeping your vital data safe from prying eyes.