I have a Plusnet mobile SIM. I was out and about the other day, and wanted to check my account. I don’t have the app, so went to the mobile site to login. The login form is pretty standard.
I didn’t recall what username I’d used. I use an algorithm to set a different password for each site, so that should be ok. I tried mobile number, email address, and my two options for non-email usernames. None of them worked. Worse, I wasn’t even sure that my subsequent attempts were being sent to the server.
That error message appeared, and when I then tried different credentials, I couldn’t see anything happening. I hit the ‘x’ to delete the message, tried again, and nothing happened. The error did not reappear to tell me that the new attempt was wrong as well.
I also found that sometimes on a first attempt to login, I would get the following screen, which makes no sense.
I gave up.
Next day, I checked my old emails to see if I could find the username. I did. It turned out to be an 8 digit number set by Plusnet, and you can’t change it to anything you can remember. This is lunacy. It ensures that customers will have to have their username written down somewhere, which is what we’re all told not to do.
Also, the password has to have a special character like +, ^, ! etc, which makes it even more likely that customers won’t be able to login.
It’s become quite clear that today, it’s not common for logins to be attacked by brute force. There are enough credentials available for sale on the dark web for it not to be worth the bother. Sure, there’s a base level of security you might want to impose, but what Plusnet are doing isn’t warranted. It’s user hostile.
And that’s not all. In your frustration of trying different usernames or passwords, and an unresponsive interface that doesn’t let you know it’s working, you’re likely at some point to end up with this.
I’d call that adding insult to injury.