Passwords: Difference between revisions

From AAISP Support Site
(65 intermediate revisions by 4 users not shown)
__NOTOC__<indicator name="Configuring">[[File:menu-configure.svg|link=:Category:Configuring|30px|Back up to the Configuring Category]]</indicator>
This page describes the various account logins and '''passwords''' that apply to our various systems: what each one is used for, how to change it, and the level of password security each system applies to it, which depends on the requirements.


When changing passwords always be sure to use a secure password! Most of our systems have a 'Generate Password' button which you can use if you wish. The [[Information Pack]] contains some of your account details.
Generally, when our systems automatically generate a password, it follows the style of [http://xkcd.com/936/ xkcd.com/936]: a passphrase of several random words, which is easier to remember than a short string of symbols while still having plenty of entropy.


Click the 'Expand' link to view the details.

{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''Control Pages (Clueless)'''
|-
|
==About==
The DSL login is used to access the Control Pages and is also the login you use in your DSL router to connect to the Internet. It uses the xxx@a or xxx@a.1 style username.

Our control pages are used to manage services and access technical information. They are also the means to set, and where appropriate, to view other passwords as detailed below.

As with the accounts password, the associated email is crucial and someone with access to the email could use a password change request to change the password and access the control pages. This then gives access to all of the other control pages passwords.

==Notes==
*Staff cannot see the password you have picked, it is hashed internally.
*Staff cannot set a password for you, you have to use the password change process (described below).
*Staff are able to invalidate your password if you request, and you should advise staff if you think the password is compromised.

==Changing Password==
A new password can be requested via: [https://control.aa.net.uk/newpass.cgi https://control.aa.net.uk/newpass.cgi]
*Enter your email address and login (staff can send you a reset email manually if you ask them)
*Check your email for an email from us
*Click the link in the email
*Review the instructions on that page, and then click 'Set Password' once you're happy with the new password
*Log on to the Control Pages with your new password

==Two factor authentication==
2FA is available, see below.

|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''Accounts System Password'''
|-
|
==About==
The accounts system login and password are used to allow access to the accounts, statements, and invoices. This is a very important password as we trust that any orders placed with the correct account number and password are genuinely from you or your organisation, and more importantly, from someone that is authorised to spend money with us. This password can be used to order services as well as changing or ceasing existing services.

The email address associated with the account is crucial. Someone with the ability to read emails sent to that email address could read password reset emails and change passwords and then place orders. You need to ensure that you use an email address that you trust to be secure.

The Accounts System is where you can view your invoices, set up Direct Debits etc. You can log in via: http://aa.net.uk/login-priceless.html


The username is your Account Reference - typically AnnnnA, where nnnn are numbers.


==Notes==
Typically, passwords are created automatically by the system and emailed to the email address on the Account.
*Staff cannot see the password you have picked, it is hashed internally.
*Staff cannot set a password for you, you have to use the password change process (described below).
*Staff are able to invalidate your password if you request, and you should advise staff if you think the password is compromised.


==Changing Password==
The password change process is used to set a password, and can be used if you have forgotten your password or simply want to change it. The Accounts system generates a new password for you: you can use the 'Forgotten Password' link (https://accounts.aa.net.uk/aal/newpass.cgi) to request the password change email, or you can ask a member of staff to send it to you.


#The password change email is sent to the email address we have for the login. It contains a web link.
#The link can only be used on the day of issue, and only until the password is changed or invalidated.
#The link is to a secure web site, so that any passwords shown or entered are not visible on the Internet.
#'''Clicking on the link shows the proposed password clearly on the screen''', so ensure you are not overlooked.
#If the proposed password is not one you can remember, or on rare occasions is inappropriate or rude, you can select 'pick another'.
#When you are happy, select '''Set password''' to set the password. It is displayed, and you can then log in if you wish.
#*We strongly recommend using the passwords we suggest, as they are random and avoid any association with you or the account. You can, if you wish, enter your own password; if you want to do this, please ask staff and they will show you how. However, entering your own password can lead to poor passwords and password re-use, which are not a good idea.
#You will then get a second email confirming that the password has been changed. (The password is not included in the email.)


==Two factor authentication==
2FA is available, see below.

|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''DSL Line Password'''
|-
|
The line password is related to a broadband line, data SIM or L2TP Internet access. It is considered very low priority, as such systems are rarely the target of an attack. When using broadband lines or data SIMs, we normally see a verified circuit ID, and as such we will allow a correct login with an incorrect password if the circuit matches. The password is also included in the information pack and printed on router information cards to make it easy to configure network equipment, which is especially important when you have no Internet connection.

The username used for a line is in the form of xx@a.n where n is the line number, typically 1 where there is just a single line. e.g.: abc@a.1

==Notes==
*The password can be viewed on the control pages.
*The password is printed and included on information packs and router information cards.
*The password can be set as you wish, but a generate password button is provided for convenience.

==Changing Password==
#Log in to the control pages with your Control Page credentials
#Click on the line you want to change the password of
#Enter a new password, or use the 'Generate Password' button to create one
#Click OK
#Change the password on your router/equipment to use the new one

|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''Email Password'''
|-
|
==About==
The username for email is your full email address.

Whilst the email password, used for POP3, IMAP, and authenticated SMTP, may seem relatively low importance, it is not. Email systems are the underpinning of most security, as explained above: unauthorised access to email can allow people to change and access a range of other systems' passwords. As such the email passwords have some security.

==Notes==
*Staff cannot see the password you have picked, it is hashed internally.
*Staff can set a different password for you, although we'd suggest that customers set this themselves.
*When a Mailbox is deleted, password hashes are removed within 24 hours.

==Changing Password==
You can set an email password on the control pages, but we recommend using the generate password link to pick one randomly when you do this, for added security.

You can record a reminder for the password if you wish. You should consider security and try to ensure this is not too obvious!

# Log in to the [http://aa.net.uk/login-clueless.html Control Pages] with your current email address and password, then click on the Change Password link.
# Log in to the [http://aa.net.uk/login-clueless.html Control Pages] with your main xxx@a login - this will give you access to all your AAISP services, and you'll have access to change Mailbox passwords too.


More information on the [[Change Email Password]] page.


|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''SIP/VoIP Password'''
|-
|
==About==
In order to register a VoIP phone against our servers you'll need a password.


VoIP passwords are considered to be slightly higher security because they can be used with equipment to make chargeable calls. However, the main attack on VoIP passwords is to compromise terminal equipment and either use it directly or extract the password and login details it is using. Unfortunately the underlying protocol prohibits hashing this password internally. However, it is usual for only one device to be configured with each VoIP login, so it is reasonable for the password to be settable but not visible. We also have in place a number of precautions and warning systems to detect if VoIP passwords have been compromised.

==Notes==
*The password can be viewed on the control pages, but it is not hashed in our internal systems.
*The password can be set as you wish, but a generate password button is provided for convenience.

==Changing Password==
Log in to the [http://aa.net.uk/login-clueless.html Control Pages] with your main xxx@a login, you'll see the list of numbers, click on the one in question, click on the Incoming tab, and set the password there.


Read more about [[VoIP Security]]


|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''Web Page Hosting Password'''
|-
|
==About==
If we host your web pages, then you use FTP to transfer files to our servers. Web pages are not often targeted on our systems, but they can be a target for attack to display political or other messages. As such we consider this to be of slightly higher security.

The username is the full domain, e.g. www.example.com

==Notes==
*Passwords are part of our DNS control pages
*Staff cannot see the password you have picked, it is hashed internally.
*Staff can set a different password for you, although we'd strongly suggest that customers set this themselves.


==Changing Password==
Log in to the [http://aa.net.uk/login-clueless.html Control Pages] with your main xxx@a login, click on the Domain in question, and edit the 'DNS Record' called Password.


|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''Supplied Router WiFi Password'''
|-
|
==About==
If you have a router supplied by AAISP then the WiFi password will be printed on the card on the base of the router and can also be found in the [[Information Pack]].


The router WiFi password is considered relatively low priority. It is possible for someone to attempt to hack your WiFi, so we do suggest a good password, and the system will try to generate a reasonably memorable password with additional digits to provide extra entropy.

==Notes==
*The password can be viewed on the control pages.
*The password is printed and included on information packs and router information cards.
*The password can be set as you wish, but a generate password button is provided for convenience.

==Changing Password==
There are 2 ways of changing the password:
#Log in to the router and change the password
#Log in to the [http://aa.net.uk/login-clueless.html Control Pages] with your main xxx@a login, click on the Line in question, click the [[Router Settings Page|Router Settings page]], change the WiFi password and then click 'Send Configuration'. This will overwrite any changes you may have made since the router was originally configured by AAISP.


More information on the [[Router Settings Page]]
|}
{| role="presentation" class="wikitable mw-collapsible mw-collapsed"
|'''Supplied Router Admin Password'''
|-
|
==About==
The router admin password is considered relatively low priority, as directed attacks on a router using its password are rare. The password is included in the information pack and printed on router information cards to make it easy to access the router even when there is no Internet connection.

==Notes==
*The password can be viewed on the control pages.
*The password is printed and included on information packs and router information cards.
*The password can be set as you wish, but a generate password button is provided for convenience.


|}




== Two factor authentication information ==
We have an optional system of two factor authentication (2FA) on our accounts and control web pages.

=== What does that mean? ===

What this means is that, if you set it up, in addition to a simple username (or account number) and password, we will request a code from you. Without the correct code you cannot log in to the web site.

The way to get the code is using a mobile phone app. There are many; Authy or Google Authenticator are perfectly good ones.

It is nothing to do with Google and does not need any Google login. There are many apps, and if you want a different one you are looking for one that does OATH/TOTP to RFC6238, ideally one that will read an otpauth:// URL from a QR 2D barcode for the seed.
=== How does it work? ===

When you ask to set up 2FA there is a simple process that involves a QR 2D barcode shown on the screen which you scan with the app, and you are ready to go. Some apps allow a PIN or fingerprint to be set up to protect seeing the code (the Google one does not). Once the app is open it shows a new code every 30 seconds on the screen. You can usually set up multiple different accounts on the app. You can set up the same code on multiple devices, and some apps manage backup and sharing between devices. You don't need mobile coverage or internet access on your phone for the code to be shown. It really is that simple!

When you log in, you use your username and password and then we may prompt for the code - you simply enter the 6 digit number from the app screen.
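As an added illustration (not code from AAISP or from this page), the following Python shows what an RFC 6238 app does with the seed it reads from the otpauth:// URL in the enrolment QR code, and what the web site does with the code you type in: the current 30-second step is HMACed with the seed and truncated to 6 digits, and the server accepts one step either side to allow for clock drift. The URL, label and account reference are constructed; the seed is the RFC 6238 test key, so the codes can be checked against the vectors in that RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(url: str) -> dict:
    """Pull the seed and parameters out of an otpauth:// URL (the payload of the enrolment QR code)."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # apps often strip base32 padding; restore it
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte counter, dynamically truncate, keep the low `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of `period`-second steps since the Unix epoch."""
    return hotp(key, unix_time // period, digits, algorithm)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "sha1") -> bool:
    """Server-side check: accept the current step and `window` steps either side for clock drift."""
    step = unix_time // period
    for delta in range(-window, window + 1):
        candidate = hotp(key, step + delta, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):  # constant-time comparison
            return True
    return False


# Constructed enrolment URL of the kind encoded in the QR code. The label and account
# reference are made up; the seed is RFC 6238's test key "12345678901234567890" in base32,
# so the codes can be checked against the vectors in that RFC's Appendix B.
EXAMPLE_URL = ("otpauth://totp/AAISP:A1234A?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
               "&issuer=AAISP&digits=6&period=30")

if __name__ == "__main__":
    enrol = parse_otpauth(EXAMPLE_URL)
    now = int(time.time())
    code = totp(enrol["key"], now, enrol["digits"], enrol["period"], enrol["algorithm"])
    print(enrol["label"], code, "valid for another", enrol["period"] - now % enrol["period"], "s")
    print("RFC 6238 vector at T=59:", totp(enrol["key"], 59))  # 287082
```

Because the code depends only on the seed and the clock, the phone needs neither mobile coverage nor Internet access, which is why the app keeps working offline.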
=== When is a code required? ===
When you set up 2FA on the accounts system we also have a trust setting which you can change. This controls when we will ask for the code during a normal log in to the accounts web site. There are different settings which control when and if we will ask for the code. The standard setting will not normally ask for a code if you are using your usual browser but you can set it up to ask every time if you want.

If you have set up a code, then we will always ask on our normal order pages for services like Broadband, Telephony (VoIP), SIM cards, and so on, regardless of the trust level set. There may be some services which do not yet ask but we are aiming to update these as needed.

On the control pages, once set up, we always ask for the 2FA code on every login.

We also email you when we see a new browser used to login, just in case this is someone trying to compromise your account.
=== Will staff ask for the code? ===

Yes, staff may ask for the code if you have set up 2FA on the accounts pages - remember it is not actually your password and it changes every 30 seconds. Staff can check the accounts 2FA code, and so asking for the code can be an important security check. Staff can also see the trust setting you have applied on the accounts system, and if you have selected the highest security (paranoid mode) then additional checks may be required. This could be over the phone, IRC, the web-chat, Twitter, or whatever. You can actually use this to test staff (e.g. if we called you), giving a wrong code to confirm we see it as wrong.

Also, if you are asking staff to handle an on-line order for you over the phone, etc., they will need your code to proceed with the order. If you have a dealer that places orders for you, they too will need your code to place an order. But all of this only applies if you have set up two factor authentication on the accounts system - if not, then the normal username and password are used as now.

Staff cannot check the 2FA code you have set on the control pages, and so will not ask for this.
=== Setting up ===

Setting up the code is simple - log in as normal and you will see an option to set up 2FA. Simply follow the instructions.

https://www.youtube.com/watch?v=Jr-d0m9wgcc&feature=youtu.be

Note the process has changed slightly since this video was made.

=== Losing your mobile ===

We know things can go wrong, but if you have set up two factor authentication this indicates you are taking security seriously. You will have to convince staff you are who you claim to be, which will, in part, depend on the trust setting you have selected. Setting the lowest trust means you will not be able to get the code cleared or reset over the phone or email and may need a letter sent! However, if you have set a more conservative trust setting then staff may text you a code, or call you back on your number, etc. Bear in mind, texting your code is often no good if you actually have lost your mobile!

This does not impact the router login to your broadband line or VoIP services, etc, only the accounts and control web pages and ordering systems.
=== Changing password ===

Once 2FA is set up you will need to use it when changing password, and on our control pages you also need your old password. If you need your password reset, which will also reset the 2FA, you will need to contact a member of staff.


[[Category:Control Pages]]
[[Category:Configuring]]

Revision as of 11:37, 2 October 2019
