Encryption Electronic Frontier Foundation Security IT

Google Storing WLAN Passwords In the Clear 242

First time accepted submitter husemann writes "Micah Lee from the EFF filed a bug report about Google storing all your WLAN passwords on their application settings backup service without allowing you to encrypt them. So far it's not known whether the passwords are stored encrypted at rest, but just the fact that Google can read them (and disclose them if forced by 'law') is a bit surprising, to put it nicely. Already one German university is concerned enough about this 'feature' that they issued a warning to their users."
This discussion has been archived. No new comments can be posted.

  • more info (Score:4, Informative)

    by slashmydots ( 2189826 ) on Thursday July 18, 2013 @01:45PM (#44319649)
    Strangely missing from the summary is the fact that this only affects Android devices, as far as I read in the article. While most phones allow you to easily "show" aka decrypt and view your wifi password for a network you hopped in ages ago, I happen to know that all desktops and laptops with Windows XP-7 do the same. They're also easily recoverable by third party instant decrypts too. So if you think plaintext or reversible encryption storage of passwords is the problem, that's all devices everywhere, with or without Google. The problem is Google actually having your password.
  • So what? (Score:5, Informative)

    by __aawavt7683 ( 72055 ) on Thursday July 18, 2013 @02:10PM (#44319945) Journal

    So what? Concern where concern is due. Do you really think that Google is going to be fetching your phone backups, hoping for a wireless password, then driving to your house and connecting to your wifi so that they can... sniff your traffic? Impersonate you on the internet?

    How does this in any way matter? Even if the password _were_ encrypted, it's reversible encryption -- it _has_ to be. So they could just decrypt it, anyway. This is the same as on Windows: you can get a wireless key viewer that gives you the password of every network that Windows has memorized. Further, your computer is probably a great deal more accessible to anyone, especially those who are interested in your wireless network, than Google's phone backups.

    As for those who are going to say, "Let the user encrypt it with a password!" ... most don't do that. Most people won't put one in, many will forget it if they do, you can't link it to a phone identifier because part of the purpose is in case the phone is lost, and part of the functionality is syncing to Google services -- so it has to be decrypted anyway. Wake me up again when Google syncs all the pictures you've taken with your camera to Picasa and posts them on your auto-created Google+. That'll be a fun day.

  • by Zontar_Thing_From_Ve ( 949321 ) on Thursday July 18, 2013 @02:25PM (#44320139)
    Looking at the comments in the first link in the original post is useful. One comment says that the only thing the panicked bug reporter knows is that the WLAN password was retrieved in the clear, but it could be that this information actually is encrypted but the retrieval decrypted it. In other words, things may not necessarily be as the original post and the bug reporter suggest. There is a chance that things are exactly as bad as suggested though. At this point only Google can say for sure how it is.
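
The two storage models debated in the comments above (encryption at rest with a key the provider holds, versus letting the user encrypt the backup with a passphrase), as an added example that is not part of the original thread or of any Google code. The function names, the blob layout and the sample Wi-Fi configuration are assumptions constructed for illustration; it uses only Node.js's built-in `crypto` module.

```javascript
// Added example (not from the thread): who can reverse an encrypted
// Wi-Fi backup depends on who holds the key.
const nodeCrypto = require('node:crypto');

// AES-256-GCM; blob layout is constructed for this example: iv(12) | tag(16) | ciphertext
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Model A: encrypted at rest with a key the provider holds.
// The provider (or anyone who can compel it) can always decrypt on retrieval.
function providerBackup(providerKey, wifiConfig) {
  return seal(providerKey, JSON.stringify(wifiConfig));
}
function providerRead(providerKey, blob) {
  return JSON.parse(unseal(providerKey, blob));
}

// Model B: key derived on the device from a user passphrase (scrypt).
// Only the salt and the sealed blob are uploaded; the passphrase never is.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}
function clientBackup(passphrase, wifiConfig) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, blob: seal(deriveKey(passphrase, salt), JSON.stringify(wifiConfig)) };
}
function clientRestore(passphrase, record) {
  return JSON.parse(unseal(deriveKey(passphrase, record.salt), record.blob));
}
// Returns null when the passphrase is wrong: a forgotten passphrase means a lost backup.
function tryRestore(passphrase, record) {
  try { return clientRestore(passphrase, record); } catch (err) { return null; }
}

// Constructed sample input, not real credentials.
const sample = { ssid: 'example-net', psk: 'constructed-sample-psk' };
const uploaded = clientBackup('correct horse battery staple', sample);
console.log(tryRestore('provider guess', uploaded), clientRestore('correct horse battery staple', uploaded).ssid);
```

In Model B the strength of the backup is bounded by the passphrase, since the salt and blob stored with the provider allow offline guessing at the cost of one scrypt evaluation per attempt.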
  • Re:Too much trust (Score:5, Informative)

    by Grishnakh ( 216268 ) on Thursday July 18, 2013 @03:06PM (#44320625)

    Not trusting any American companies with your data is of course prudent, in light of PRISM, however this doesn't mean your data is safe anywhere else either: if it's in France, Germany, or UK, they all have spying programs that are just as bad. And even if you keep your data in a relatively-safe country that probably has no spying at all, such as Switzerland or Iceland, that's no guarantee that the company hosting your data isn't just plain incompetent. If Google can make a mistake like this, anyone can.

    Of course, since it's impossible to be 100% risk-free, it does make sense to try to mitigate that risk by avoiding obviously-bad choices, like using American companies.

  • Suspicion !== fact (Score:4, Informative)

    by tomxor ( 2379126 ) on Thursday July 18, 2013 @03:40PM (#44320959)

    seriously what the fuck...

    Title: "Google Storing WLAN Passwords In the Clear"

    Post: "So far it's not known whether the passwords are stored encrypted"

    fuck you "husemann", i don't care if this is about google or MS that everyone loves to hate, it's BS and so are you. by your logic I might as well make this post:

    Airbags cause heads to fill with raisins and explode:

    ... it is not yet known if airbags cause heads to fill with raisins and explode.

  • by Nerdfest ( 867930 ) on Thursday July 18, 2013 @04:45PM (#44321621)

    The sad part is that Google is damn near at the top of the privacy trustworthiness scale. Almost everybody else is worse. If you really care about your privacy you need to avoid all hosted services and do everything yourself.

  • Re:Too much trust (Score:5, Informative)

    by gl4ss ( 559668 ) on Thursday July 18, 2013 @04:46PM (#44321623) Homepage Journal

    What the fuck is the difference?

    the difference is quite simple: with the french you can just treat them as normal eavesdroppers on your tcp connection. like some dude hanging on the same open AP. the solution to that is to just have encrypted connections to whatever service you want to use..

    but with nsa and ms/google/yahoo whoever.. it doesn't matter that your connection to them was encrypted, as they as your "business partner" sell the data off to nsa(forcibly, but they still get a buck). with them the only way is to not use their services - or any american hosted/owned services.

    it's not a great difference, but a difference still.
