
Chat app fined for plaintext passwords under GDPR - marcus_holmes
https://www.theregister.co.uk/2018/11/23/knuddels_fined_for_plain_text_passwords/
======
ahje
> The watchdog also wanted to avoid bankrupting the company. "The overall
> financial burden on the company was taken into account in addition to other
> circumstances," the authority noted.

Anyone bashing the GDPR for being too hostile towards startups and smaller
businesses should read this. Looks like the fine was almost a bit too low in
this case...

~~~
stass
On the other hand, they could have bankrupted them if they wanted to. Do we
really want the government to have that much say in whether businesses live or
die?

~~~
fao_
> Do we really want the government to have that much say in whether businesses
> live or die?

The company broke the law in a way that could have potentially harmed*
individuals (passwords are critical secrets, many users do not have more than
one, and so could lose their entire identity and maybe several years worth of
funds. Sure, you can say that is the fault of the user, but there is the
assumption of security here that was given by the company and not fulfilled).

If you rent a deposit box at a bank, with the assumption of safety, and it
turns out they leave all the doors unlocked, don't hire guards, and someone
came in and stole everyone's things and took them to the market, then closure
of the bank is absolutely deserved.

Conversely, if a prison gives the assumption of security, but doesn't hire
guards, or bother locking cells, and all the inmates walk out and some people
are killed, does the prison deserve to go bankrupt?

These examples are exaggerated, yes, but roughly similar in circumstance.
Hopefully enough to show that, yes, there are circumstances in which we want
the government to have that hold over companies.

Now, do we want governments to have restraint? Sure. But it seems clear to me
that they very openly are acting in restraint in this case. 20k EUR is a
pittance to what was potentially lost by the people involved in the breach.

* - (Indeed, in America and a few other countries with weak to non-existent social welfare nets, loss of identity and money is likely to lead to homelessness and eventual death for the person, if they do not have family to rely on).

~~~
saurik
> ...passwords are critical secrets, many users do not have more than one, and
> so could lose their entire identity and maybe several years worth of funds.
> Sure, you can say that is the fault of the user, but there is the assumption
> of security here that was given by the company and not fulfilled...

I have so little sympathy for this position that despite generally having been
pro-GDPR I no longer can support it if it is going to be used to encourage
users to do something fundamentally stupid :/. The reality is that if we are
going to make users think using one password is somehow ok then we need to be
using authentication protocols that don't involve sending that password to a
server in the first place: this is 2018, and challenge response takes like an
hour to implement; the idea that sending a critical password to someone in the
hope that they immediately hash it and store it is something that is somehow
protected is insane.

~~~
bryanrasmussen
I have little sympathy for the position that users just need to be not stupid
and do things differently like they have been told to do for the last 20 years
and yet have never done.

~~~
saurik
...but what they are doing will never actually be secure no matter how hard we
all cover our ears and scream into the void so we don't hear it when they keep
getting screwed over and over again. We can't actually make that secure no
matter how many passwords we hash, we can only attempt to mitigate some
fraction of the eventual carnage.

What we need to be doing is spending our time either on a _massive_ education
campaign or on technological solutions (like challenge response passwords,
which HTTP never added even while every other old protocol was carefully
adapting to get this right), not _entrenching_ the position that users should
be allowed to do the thing that will never ever ever be secure by putting up
laws that somehow make it look sane.

The point here isn't "shame on the users": the point here is "shame on
developers and lawmakers for working _against_ users by encouraging them to do
this horribly insecure thing rather than doing something sane". Seriously: how
about we instead make a law (with a GDRP-like lead up of multiple years to
"get ready for it") which says that "handling passwords at all isn't legal,
even in transit (whether on a third-party SSL termination service or on your
own servers)", and lets see how many _mere hours_ it suddenly takes the
Chrome/Firefox teams to come up with a real solution to this problem?
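A minimal SCRAM-style exchange (modelled on RFC 5802), added here as an example of the challenge-response approach this comment argues for; it is not code from the thread or from any product mentioned in it, and the function names, the single-nonce simplification and the PBKDF2 work factor are this example's own assumptions.

```python
import hashlib
import hmac
import os

# SCRAM-style challenge-response (after RFC 5802), written for this thread:
# the client proves it knows the password without ever sending it, and the
# server stores only a derived verifier (StoredKey), never the password.
# Simplified: one server nonce, no server signature (no mutual authentication).

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value, tune per deployment

def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def _client_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Client Key", "sha256").digest()

def register(password: str) -> dict:
    """Run on the client at signup; only the returned record is sent to the server."""
    salt = os.urandom(16)
    client_key = _client_key(_salted_password(password, salt, ITERATIONS))
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        # StoredKey = H(ClientKey): not usable to log in by itself, but a leaked
        # StoredKey still permits offline guessing of weak or reused passwords.
        "stored_key": hashlib.sha256(client_key).digest(),
    }

def client_proof(password: str, salt: bytes, iterations: int, nonce: bytes) -> bytes:
    """Client side: answer the server's nonce without transmitting the password."""
    client_key = _client_key(_salted_password(password, salt, iterations))
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, nonce, "sha256").digest()
    # ClientProof = ClientKey XOR ClientSignature
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def server_verify(record: dict, nonce: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(record["stored_key"], nonce, "sha256").digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), record["stored_key"])

def login(record: dict, password: str) -> bool:
    """Full exchange: server issues a nonce, client answers, server verifies."""
    nonce = os.urandom(16)  # fresh per attempt, so a captured proof cannot be replayed
    proof = client_proof(password, record["salt"], record["iterations"], nonce)
    return server_verify(record, nonce, proof)
```

Note that the verifier is still password-derived, so a database leak remains an offline-guessing risk for weak passwords; what changes is that neither the wire nor the server ever carries the password itself.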

~~~
kiriakasis
[https://news.ycombinator.com/item?id=18380865#18381842](https://news.ycombinator.com/item?id=18380865#18381842)

Passwords will never die. Also, by outlawing them either you force everyone to
re-register to every site they want to visit or give all the power to
single-sign-on services like facebook and google.

------
da_murvel
They should have been fined more than a measly €20k in my opinion. As a
developer I'm deeply ashamed that people are still storing user passwords in
plain text. There is no reason behind this behaviour whatsoever, other than
pure laziness ...

~~~
Grumbledour
When the breach was announced, they revealed that they did not store the
passwords themselves in plain text, but had a second store that did, so they
could prevent users from posting their passwords in chats. [0]

Still stupid, but at least they had good intentions, just bad execution.

[0] [https://www.golem.de/news/datenleck-warum-knuddels-seine-pas...](https://www.golem.de/news/datenleck-warum-knuddels-seine-passwoerter-im-klartext-speicherte-1809-136483.html) (in German)

~~~
crazygringo
Huh, that's actually... a decent-sounding intention.

_Is_ there any way to do that in a secure manner? Because a hash says nothing
about the length of a password (and you certainly don't want to store the
length, which would make the attack space much smaller)... so if passwords are
anywhere, say, from 8-64 characters, then for each chat message you'd need to
hash every possible consecutive string of characters for every possible window
size separately, which if the hash is even remotely computationally intensive
could possibly turn into too much -- especially if being done on the server
instead of the client (in order not to expose the hash and salt).

Is this just something it's not possible to protect against?

~~~
y7
Easiest way is to do it on the client. The client has the plaintext password
anyway.

~~~
crazygringo
Good point.

But is _storing_ a plaintext password, even on the client, good practice? E.g.
in a browser that uses a cookie with something like a session ID to make sure
you're logged-in... is storing a plaintext password in localStorage considered
a valid security practice? I would have assumed not, although it's certainly
not close to as bad as storing it on the server...

~~~
xianb
If you store a plaintext password on the client, you'd be one XSS attack away
from potentially having a lot of passwords stolen - best practice is to have
the password in plaintext for as little as possible (there's some research on
not transmitting the password at all but I don't think there's anything widely
accepted like bcrypt is for password hashing
[https://en.wikipedia.org/wiki/Zero-knowledge_password_proof](https://en.wikipedia.org/wiki/Zero-knowledge_password_proof))

~~~
UncleMeat
You are already one xss attack away from having your session stolen or having
your credentials stolen or any number of other bad things. Passwords on the
client are fine.

~~~
anoncake
Unless the user uses the same password for other things, which is extremely
common.

------
detaro
previously
[https://news.ycombinator.com/item?id=18510203](https://news.ycombinator.com/item?id=18510203)

------
dethos
Even though the fine is low, at least this stuff is starting to get some
attention and offenders are getting fined.

------
netcan
The parts of gdpr that are fit-for-purpose are the "non-regulator-ish" parts.
The laws which basically establish what is illegal and what carries liability.

The (most visible) part that isn't fit for purpose are all the things which
gdpr solves by referring to a pseudo-contract between customer and website...
permissions.

The premise, that a user/reader of a website has a contractual relationship
with the website... this is madness. An average user's permissions on Google
or BBC does not represent their privacy preferences. They don't understand the
implications and expecting them to is silly.

That whole part of the legislation is doomed to (a) fail to benefit users and
(b) cause freedom problems. Freedom as in free market and also freedom as in
freedom and open platform.

It could/should be replaced with new rules governing online advertising
platforms. Most privacy issues gdpr addresses begin here anyway.

~~~
yorwba
I used to think like you until I heard my mother talk about the data her
gardeners' association collected on her and which they now had to explicitly
ask for due to the GDPR. The gardens are owned by the association and leased
to association members, while house, trees and other objects are property of
the member. So the association has an interest to ensure that there's
insurance in case e.g. of a fire, and my mother agreed. However, she did not
want to reveal private details such as the value the house was insured for,
and refused, which GDPR requires to be possible for all data that is not
absolutely required. Many other gardeners reacted the same way. In the end the
association settled for looking at proof that an insurance contract exists
without recording additional details.

Note that no online advertising platforms were involved, the data subjects
were not exactly technically literate (most are retirees) and GDPR helped them
greatly to protect their privacy.

The nice thing about GDPR is that all non-essential data collection needs to
be opt-in, so if someone doesn't understand the implications of a choice
presented to them, they can simply refuse to agree without negative
consequences. How many people accidentally opt-in to being tracked for
advertising when they have to individually allow each advertiser to do so?

------
petercooper
I wonder, though, whether this could also apply to email addresses or
usernames themselves. They are, after all, personally identifying information
too.

~~~
marcus_holmes
If you want to email someone, you need their email address. There is no way
around this. And yes, that means that the business needs to store email
addresses securely so that hackers can't harvest their database of customer
email addresses and spam them. This is good.

Usernames can be whatever the user likes, unless there is a good reason for
them to give their actual name. In which case, there is a good reason for them
to give their actual name. And then the business has a responsibility to store
the user's actual name securely, etc. This is good.

There is _no_ good reason for anyone to store passwords in plain text. Fining
people who do this is good.

------
HocusLocus
"And if you forget your 2FA hint, we can show you your password to jog your
memory..."

------
mtmail
Obligatory [http://plaintextoffenders.com/](http://plaintextoffenders.com/)
They collected 5000 domains already.

------
frankherbet201
But where does that fine go?

------
raverbashing
What, no 20Mi fine? No tar and feathering?

