
TMobile confirms they store passwords in plaintext, don't see why it's a problem - dsr12
https://twitter.com/tmobileat/status/981418339653300224
======
Fnoord
"Well, what if your infrastructure gets breached and everyone’s password is
published in plaintext to the whole wide world?"

"What if this doesn't happen because our security is amazingly good? ^Käthe"

This is begging for it.

~~~
Poiesis
I can’t fault a low-level employee too much for enthusiastically defending
their company. I can’t expect someone at that level to know about sound
development practices.

What’s often lacking though is a clear path for reporting security issues to
people such as this representative. They don’t have a process to flag
something for the security team.

~~~
btown
If they're storing passwords in plaintext, the reason they don't have a
process to flag something for the security team is probably that there is no
security team.

------
chatmasta
This is a really common technique in the UK, especially with online banking.
“Enter the 1st, 4th, and 7th characters of your password.” Apparently the
point is to prevent replay attacks.

The problem with telecom companies is they have customers from a wide spectrum
of technical capabilities. Their systems need to be able to support the baby
boomer who calls support because they can’t remember their password, pin, or
something...

I’m not defending these practices by any means, but these society-spanning
institutions are facing challenges of balancing usability and security that
many companies do not need to worry about.

If a company wants to implement a system like this, fine. But please tell me
before I enter my password so I know not to reuse another password of mine.

~~~
matuszeg
Is it okay to sacrifice security because some members of society are either
too old/dumb/misguided/whatever to bother?

At what point do we just have to leave these people behind?

~~~
chatmasta
As long as the institutions are insured against fraud, they have a greater
incentive for usability than security.

~~~
lowtolerance
Yeah, but when they’re facilitating fraud...

------
joshmn
LunarPages, a large web hosting company, does this too and doesn't see why
it's a problem. It's terrifying.

~~~
Recursing
All the other sites on
[http://plaintextoffenders.com](http://plaintextoffenders.com) do

------
tejasmanohar
God, they're making matters worse--

    So, you never worked for us in Austria though. But thank you very much for sharing your opinion.

->

    Thanks for stating that you seemingly haven’t understood what we’re trying to tell you.

->

    Oh, I do get it. I hope you enjoyed my response

------
Poiesis
One possibility could be that they store only the first four characters
plaintext, and keep a hash of the whole password (which is also bad).

I wonder how this feature came to be? What were those meetings like?

~~~
johnvanommen
Is this TMobile USA? I worked in engineering when they were still Voicestream
Wireless. We were acquired by Deutsche Telekom and rebranded as TMobile. We
had virtually no interaction with the European "T-Mobile."

~~~
r3bl
Ummmm... the link in this thread leads to a verified "T-Mobile Austria"
Twitter account, so what do you think?

Every T-Mobile (including the US one) is owned by Deutsche Telekom, but most
of its subsidiaries are named differently. For example, the Macedonian one is
called "Makedonski Telekom" instead of "T-Mobile Macedonia".

------
MR4D
Can we please pass a law to make it criminally negligent if you store
passwords in plaintext?

This needs to end. Kinda like building a bank without locks. Insane.

~~~
boodrizz
How is it at all like building a bank without locks? It jeopardizes users who
reuse passwords, which has been a security faux pas since passwords existed. I
feel like people dwell on this pattern of hashing passwords to show off that
they know what hashing is. In the age of weekly leaks and multi-gig
dictionaries, assume your password is in a dictionary if it's not really long,
high entropy, and unique to that site. Even the "gotcha" XSS someone
demonstrated on T-Mobile's site has nothing to do with this. If somebody has
every password, they won. If they have your hash table, they still won. Yes,
passwords would have to be changed site-wide, but you'd want to do that either
way. At least since it's a phone company, they would know how to reach you.
It's embarrassing to see another post of developers harassing a social media
PR person.

~~~
MR4D
Because it’s a minimum level of due care. Not meeting a minimum level is
called negligence.

I think most people would agree that in this day and age, leaving passwords in
plain text is like not even making the effort.

If you didn’t lock the doors on a bank, that would be the same thing - not
making an effort, even though many criminals can pick a lock. So yes, the
analogy holds up.

------
trisimix
What's stopping someone from creating a list of what strings translate to each
hash?

~~~
mundo
[https://en.wikipedia.org/wiki/Salt_(cryptography)](https://en.wikipedia.org/wiki/Salt_\(cryptography\))

~~~
Recursing
[https://github.com/crypto101/book/blob/master/Crypto101.org#...](https://github.com/crypto101/book/blob/master/Crypto101.org#modern-attacks-on-weak-password-systems)

While that was true before GPUs

>To a modern attack, salts quite simply don’t help.

Everybody should really move to key derivation functions (ideally scrypt)

~~~
thisacctforreal
What parameters do you recommend?

Is N=14, r=8, p=1 good enough?

~~~
nyxxie
The usual answer is to choose the parameters in such a way that targets the
largest verification time that your servers can stand. I'm not aware of a
recommended minimum value. In general, though, you're making a pretty good
choice by choosing bcrypt, and so long as you're using the above you should
have _far_ better security as compared to sha*/md5/etc
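
The two questions raised above (whether a precomputed table of string-to-hash mappings defeats a hashed store, and whether scrypt with N=2^14, r=8, p=1 is a sensible setting) can be illustrated in a few lines. The following is an added example written for this page, not code from T-Mobile, Plusnet, or any of the posters. It uses Python's standard `hashlib.scrypt`; the work factors, the record format, the sample password and the memory-limit headroom are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factors taken from the thread's question (N = 2^14, r = 8, p = 1).
# These are an assumed starting point, not a recommendation from the page:
# raise LOG2_N until verification takes as long as the service can tolerate.
LOG2_N = 14
R = 8
P = 1
SALT_BYTES = 16   # 128-bit random salt, generated per record
DKLEN = 32        # derived key length in bytes


def unsalted_sha256(password: str) -> str:
    """The scheme the thread warns about: the same password gives the same
    hash for every user, so one precomputed hash -> string table serves all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _maxmem(log2_n: int, r: int, p: int) -> int:
    # OpenSSL needs roughly 128 * r * (N + 2 + p) bytes; allow 2x headroom
    # so values above the library's 32 MiB default do not raise ValueError.
    return 2 * 128 * r * ((1 << log2_n) + 2 + p)


def hash_password(password: str, salt: Optional[bytes] = None,
                  log2_n: int = LOG2_N) -> str:
    """Derive a key with scrypt and return a self-describing record
    'scrypt$log2_n$r$p$salt_hex$key_hex', so the work factor can be raised
    later without breaking verification of older records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=1 << log2_n, r=R, p=P, dklen=DKLEN,
                         maxmem=_maxmem(log2_n, R, P))
    return "$".join(["scrypt", str(log2_n), str(R), str(P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the parameters stored in the record and
    compare in constant time. Nothing here can recover the password text."""
    try:
        scheme, log2_n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False                           # malformed record
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.scrypt(password.encode("utf-8"),
                         salt=bytes.fromhex(salt_hex),
                         n=1 << int(log2_n), r=int(r), p=int(p),
                         dklen=len(expected),
                         maxmem=_maxmem(int(log2_n), int(r), int(p)))
    return hmac.compare_digest(key, expected)


def verification_seconds(log2_n: int, password: str = "benchmark") -> float:
    """Wall-clock cost of one verification at the given N, for tuning."""
    record = hash_password(password, log2_n=log2_n)
    start = time.perf_counter()
    verify_password(password, record)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = "correct horse battery staple"       # constructed sample password
    print("unsalted sha256 repeats:", unsalted_sha256(pw) == unsalted_sha256(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("scrypt records differ for same password:", a != b)
    print("verify correct:", verify_password(pw, a))
    print("verify wrong:  ", verify_password(pw + "!", a))
    for log2_n in (14, 15, 16):
        print(f"N=2^{log2_n}: {verification_seconds(log2_n):.3f}s per verify")
```

Two things to observe when running it: the unsalted SHA-256 of a given password is identical every time, which is exactly what makes a precomputed string-to-hash list reusable across every account, while two scrypt records for the same password differ because each carries its own random salt. The timing loop is the practical answer to "is N=14 good enough": the right N is the largest one whose per-verification cost the service can absorb, and storing the parameters inside the record lets that number be raised later without forcing a password reset.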

------
alex_duf
So does Plusnet in the UK

~~~
alex_duf
Here's the proof (it's my Twitter account)

[https://mobile.twitter.com/alex_duf/status/61472768376378163...](https://mobile.twitter.com/alex_duf/status/614727683763781632)

Re-reading myself, I should have been more polite and less smug I think, the
community manager never asked for that.

~~~
jonnismash
The company sure did, I think you handled yourself fine.

------
trisimix
Ag fuck Shoulda randomized

------
dkonieczek
Here comes the damage control
[https://twitter.com/TMobileHelp/status/982334382806454272](https://twitter.com/TMobileHelp/status/982334382806454272)

Hoping this blows up. Time to short.

~~~
Ajkaz
I'm wondering. Why would encrypting the password be any worse than hashing? If
the private key of encryption is well kept, I don't see why they couldn't do
that.

I understand though that no one being able to know the password except the
user is utmost security, but why not encrypt it?

~~~
Kalium
Long story short, an encrypted password can be decrypted. There is no
reasonable scenario here under which this is preferable to a non-decryptable
hash. This creates a scenario where the only possible outcomes that are added
involve security breaches of password texts.

