Google Storing WLAN Passwords In the Clear

Posted by timothy
from the memory-tricks dept.
First time accepted submitter husemann writes "Micah Lee from the EFF filed a bug report about Google storing all your WLAN passwords on their application settings backup service without allowing you to encrypt them. So far it's not known whether the passwords are stored encrypted at rest, but just the fact that Google can read them (and disclose them if forced by 'law') is a bit surprising, to put it nicely. Already one German university is concerned enough about this 'feature' that they issued a warning to their users."

  • Too much trust (Score:5, Insightful)

    by Linux User 33 (2988621) on Thursday July 18, 2013 @01:35PM (#44319551)
    I think this is perfect example again that we put too much trust on Google. They have repeatedly broken that trust and yet some people continue to trust them. This data also goes directly to NSA and FBI. I think both FCC and European Commission should hit them hard, up to jailing the top executives.
    • by gl4ss (559668) on Thursday July 18, 2013 @01:38PM (#44319575) Homepage Journal

      you're wrong, they have time and time assured that the data doesn't go DIRECTLY to NSA. it goes through their servers, see, and they get to bill for it.

      • Correct. Meter the tap. That's why we have lobbies, my boy!

        Now, what is this item? "Central Services".... [youtube.com]

        "Have you got a 27B / 6 ?"

      • Re:Too much trust (Score:4, Interesting)

        by PopeRatzo (965947) on Thursday July 18, 2013 @03:53PM (#44321105) Homepage Journal

        the data doesn't go DIRECTLY to NSA. it goes through their servers, see, and they get to bill for it.

        And if there is one thing that history has taught us, it's that if they're giving your passwords to the government, then they're also selling it to the highest bidder.

        I thought about that with the Edward Snowden/Booz Allen stuff. Now Booz Allen is a firm that, besides the government, has a lot of private clients that hire them to do the data upskirting. If they're collecting stuff for the NSA, how much are you prepared to trust that none of that stuff is also going to their private clients. I know if I was some evil company looking for your personal data, and Booz Allen was my consultant, I'd be expecting a little "benefit" from their relationship to the NSA, know what I mean?

        The ugliest part of the corporate/government intrusion into our personal lives and information is the fact that so much of it is being privatized to companies who also work for other companies and maybe other individuals who all have their own reasons for wanting your shit.

        • by Darinbob (1142669)

          The real scandal will occur when the government refuses to pay their bills. Nothing gets the overlords madder than a failure to pay.

      • World was created five seconds AFTER this post. Writing it is false memory - implanted at moment that the physical universe WILL BE instantiated.

        I think I think, therefore I think I am. ;-)

    • Re:Too much trust (Score:4, Interesting)

      by kasperd (592156) on Thursday July 18, 2013 @02:07PM (#44319923) Homepage Journal

      I think this is perfect example again that we put too much trust on Google.

      Google isn't the problem. The American government is. Which means if you want to be safe, stay away from USA and don't trust any companies based there.

      If you happen to live there already, maybe it is about time you let the government know, you are not satisfied with their work.

      • Re:Too much trust (Score:5, Informative)

        by Grishnakh (216268) on Thursday July 18, 2013 @03:06PM (#44320625)

        Not trusting any American companies with your data is of course prudent, in light of PRISM, however this doesn't mean your data is safe anywhere else either: if it's in France, Germany, or UK, they all have spying programs that are just as bad. And even if you keep your data in a relatively-safe country that probably has no spying at all, such as Switzerland or Iceland, that's no guarantee that the company hosting your data isn't just plain incompetent. If Google can make a mistake like this, anyone can.

        Of course, since it's impossible to be 100% risk-free, it does make sense to try to mitigate that risk by avoiding obviously-bad choices, like using American companies.

        • by F.Ultra (1673484)
          While the UK, Germany and France seem to spy on the data travelling on their national fibers, there is as far as I know yet no indication that they also force companies to hand over user data at will like it's done in the US. Unless I missed something.
          • What the fuck is the difference?

            • by St.Creed (853824)

              Well,

              one set of governments is forcing you to smile and bend over, then takes whatever it needs. The other set takes whatever it needs but you don't know for sure that they do. Both are bastards but the first one is cruel to boot.

            • Re:Too much trust (Score:5, Informative)

              by gl4ss (559668) on Thursday July 18, 2013 @04:46PM (#44321623) Homepage Journal

              What the fuck is the difference?

              the difference is quite simple: with the french you can just treat them as normal eavesdroppers on your tcp connection. like some dude hanging on the same open AP. the solution to that is to just have encrypted connections to whatever service you want to use..

              but with nsa and ms/google/yahoo whoever.. it doesn't matter that your connection to them was encrypted, as they as your "business partner" sell the data off to nsa(forcibly, but they still get a buck). with them the only way is to not use their services - or any american hosted/owned services.

              it's not a great difference, but a difference still.

    • by Darinbob (1142669)

      Just don't trust them, it's simple. First time I saw this option, I knew it was a terrible idea. Anything in "the cloud" should automatically be viewed with skepticism and distrust, and even more so if it's Google. You can back up the data on your local computer instead.

  • by DigitAl56K (805623) on Thursday July 18, 2013 @01:40PM (#44319597)

    I turned off Backup on Android after discovering this. They're going to have to store them in the clear (or I guess reversible), so that the "backup" is reversible - i.e. you recover your backup or add a new phone to your account and it "just works" with your wifi.

    However, there's no in-between. I can't choose to backup certain things but exclude very sensitive things, like my wifi password and other credentials. Given what we know about government snooping and the constant notices of breached databases these days, I just don't want to use the backup feature at all, and anyone who does is taking a bit of a gamble IMO.

    Can't we have a sub-option to "also include credentials", at the very least?

    • by gstoddart (321705) on Thursday July 18, 2013 @01:43PM (#44319633) Homepage

      I turned off Backup on Android after discovering this.

      I turned it off before I ever knew this, because I'm increasingly finding that I don't trust Google -- either in intent or execution.

      All they want to do is collect all of your information and use it to sell advertising, they don't give a damn about your privacy.

      And that stupid Google+ might be the last straw since everything is trying to foist it on me and I have no interest in it.

      But, I gotta ask ... if we don't trust Microsoft and Google, who is left?

      • by DigitAl56K (805623) on Thursday July 18, 2013 @01:50PM (#44319711)

        But, I gotta ask ... if we don't trust Microsoft and Google, who is left?

        I am fine with trusting Microsoft and Google, and indeed anyone with a reliable infrastructure, to provide a backup hosting service that significantly improves the experience with my phone in the event of a disaster. I'm just not fine with entrusting them with access to the contents of those backups, especially when I may not even be aware of or have granular control over what is in them.

        A backup passphrase that only I know, and restricting processing to the client-side, would be sufficient to achieve this.

        • by gstoddart (321705)

          I am fine with trusting Microsoft and Google, and indeed anyone with a reliable infrastructure, to provide a backup hosting service that significantly improves the experience with my phone in the event of a disaster

          As random bits they can't decode, sure ... to access the entire contents of the backup and do with as they please because the ToS says so ... no freakin' way.

        • by gl4ss (559668)

          well the obvious answer to this would of course be a backup application that would encrypt that stuff and then upload it to google drive or office365 or dropbox or whatever. at least that is still an option on android, on windows phone not so much because.. eh.. only ms has needed access to the phone to do the backups of settings, contacts etc..

        • by Arker (91948) on Thursday July 18, 2013 @04:17PM (#44321339) Homepage Journal

          Here's the thing. Even if you encrypt the data before giving it to them, and don't keep the key (which is much harder to do than to say) so what? Do you really think any encryption algorithm you are going to use today will stand up to the tools available to script-kiddies in 5 or 10 years? You do understand that once you put something 'in the cloud' it's probably never going away, right?

          • by swillden (191260)

            Do you really think any encryption algorithm you are going to use today will stand up to the tools available to script-kiddies in 5 or 10 years?

            Yes.

            http://www.keylength.com/en/4/

        • by Darinbob (1142669)

          You can still trust me. Send me your data and I'll make sure no one will be able to retrieve it.

      • by dj245 (732906) on Thursday July 18, 2013 @02:18PM (#44320047) Homepage

        if we don't trust Microsoft and Google, who is left?

        Don't even think about trusting yourself. I made that mistake once, and I slipped myself some roofies and date-raped myself.

      • by Zalbik (308903)

        But, I gotta ask ... if we don't trust Microsoft and Google, who is left?

        Why, Apple of course!

        /sarcasm off

        • by the_B0fh (208483)

          You say that sarcastically, but from what I've seen, Apple seems to put more effort into security than others.

          • by Nerdfest (867930)

            Think again [eff.org]. When it's privacy related they're pretty much at the bottom. They do put a lot of money into marketing though, and based on profit margins, I'd have to say it seems to be a smarter choice than security and privacy related spending.

      • I turned off Backup on Android after discovering this.

        I turned it off before I ever knew this, because I'm increasingly finding that I don't trust Google -- either in intent or execution.

        Likewise. Nothing in particular against Google, but the number of entities in which trust is required should be minimized.

        I don't allow any passwords or other information to be "backed up" outside my own domain. All backups are local on our own servers and external disks. Remote administration is switched off for the router, and server administration is allowed only from specific LAN IP addresses (router not allowed). Passwords for external sites may be intercepted en route to their intended sites, but o

        • by Grishnakh (216268)

          It shouldn't be possible to intercept passwords by snooping on IP connections, as long as you're using encryption such as SSL, and not a shitty password-in-plaintext service like FTP.

          However, if the destination is compromised (NSA), there's nothing you can do about that.

      • by Grishnakh (216268)

        And that stupid Google+ might be the last straw since everything is trying to foist it on me and I have no interest in it.

        Google+ is exactly like Microsoft's Metro UI in Windows 8: it's a move to co-opt some big competitor (or someone they see as a competitor), by forcing a big change on their existing userbase in order to get them "used to" using this new service.

        With Metro, MS saw that the mobile world was passing them by with iOS and Android (and that everyone hated their crappy WinCE offerings before th

        • by gstoddart (321705)

          so they made up Google+, moved many of their existing services over to it which didn't really need it, and have used various ways to try to force users to use it, probably in the hope that they'll get tired of Facebook and just want to do everything on Google.

          I'm finding it is having the opposite effect ... I'm getting tired of Google.

        • by Darinbob (1142669)

          I don't really see that. But I only use Google+, never Facebook, and no other Google apps whatsoever. So I see Google+ as a standalone application with no ties to anything else, with no viable alternatives that do the same thing that I will accept.

          The only problem with it is that it's trying to lure me into using other bogus Google apps like gmail. It's not that Google+ is luring you to use it because you use other Google apps, but that EVERY google app is luring you to use every other google app. I rea

      • by Nerdfest (867930) on Thursday July 18, 2013 @04:45PM (#44321621)

        The sad part is that Google is damn near at the top of the privacy trust-worthiness scale. Almost everybody else is worse. If you really care about your privacy you need to avoid all hosted services and do everything yourself.

    • by hawguy (1600213)

      I turned off Backup on Android after discovering this. They're going to have to store them in the clear (or I guess reversible), so that the "backup" is reversible - i.e. you recover your backup or add a new phone to your account and it "just works" with your wifi.

      However, there's no in-between. I can't choose to backup certain things but exclude very sensitive things, like my wifi password and other credentials. Given what we know about government snooping and the constant notices of breached databases these days, I just don't want to use the backup feature at all, and anyone who does is taking a bit of a gamble IMO.

      Can't we have a sub-option to "also include credentials", at the very least?

      Well, they could offer the option of letting the user set a backup password that is known only to the user (warning the user that if they lose the password, they lose their backups).

      Most home users probably won't use it, but those that care about security (like every corporation that uses Android devices) probably will.

      • Indeed, this exact option is available to iOS users.

      • And you would trust the encryption implementation to protect your data?
        • by hawguy (1600213)

          And you would trust the encryption implementation to protect your data?

          If I'm going to use the device at all, I have to have some level of trust that it's doing what they say it does. Whether they put in a checkbox that says "don't back up my credentials" or let me set a password so only I can decrypt the backups, if I don't trust the manufacturer that the software does what is says, I shouldn't be using the device at all if I'm worried about my privacy or security of my data.

          Even if I load my own cyanogenmod operating system that I have personally vetted, if I don't trust th

        • by F.Ultra (1673484)
          Depends, is this backup part of the open source Android or the closed one? The option seems to be available in modded roms so it might be open?
    • I think it's worth mentioning one other side-effect of this "send everything" backup policy: I basically cannot safely guest any visitor who has an Android phone onto my secured WiFi network without their phone sending my WiFi password straight to Google.

      This puts me in the awkward predicament of denying visitors WiFi access, or constantly changing the guest password on every device I have that uses it.

      If you're reading, Google folks, this is fricking annoying.

      • Ever consider a dual radio set up? That way, you can have your secure network, and an open net for guests.

    • by ethanms (319039)

      The problem I have with Android is the multiple ways and places you might be backing up data...

      There's Google holding all my email, contacts, calendars...

      Drop Box gets all my photos...

      Those are the choices I made, but then I have a T-Mobile branded backup application, one from "Locate", and another from HTC... where does this data end up? I have no idea... it's not obvious so I don't want to use it.

    • by Krojack (575051)

      Titanium Backup > built-in Google Backup

      Once I started using Titanium Backup I turned off the Google Backup. At least I have an option to encrypt my Titanium Backups. It can backup/restore Wifi Passwords along with everything else.

    • by whoever57 (658626)

      I turned off Backup on Android after discovering this

      Unfortunately, that is not sufficient. I recently got a new phone and, despite my setting my old phone to not backup the passwords (some time after I started using the old phone), they were downloaded to my new phone.

      As far as I can tell, turning off the backup merely prevents the phone from sending more data to Google. Once Google has it, Google keeps it.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      very sensitive things

      okay...

      like my wifi password

      dafuq?

      Look, this is a password that is literally only useful within a few hundred feet of your house. Assuming that you're not re-using it for anything else, what exactly is your exploitation story, here? If I tell you that my wifi password is "frobulate" (it really is!), what are you proposing that you can do with that information, given that I'm some anonymous asshole on the internet?

  • by PvtVoid (1252388) on Thursday July 18, 2013 @01:43PM (#44319629)
    This kind of shit is exactly why, as soon as I got an Android smartphone, I also installed a second wireless router, with its own encryption password, outside my firewall. Anybody who wasn't already assuming that smartphones and tablets are anything other than hostile network actors is an idiot.
  • more info (Score:4, Informative)

    by slashmydots (2189826) on Thursday July 18, 2013 @01:45PM (#44319649)
    Strangely missing from the summary is the fact that this only affects Android devices, as far as I read in the article. While most phones allow you to easily "show" aka decrypt and view your wifi password for a network you hopped in ages ago, I happen to know that all desktops and laptops with Windows XP-7 do the same. They're also easily recoverable by third party instant decrypts too. So if you think plaintext or reversible encryption storage of passwords is the problem, that's all devices everywhere, with or without Google. The problem is Google actually having your password.
    • Google storing all your WLAN passwords on their application settings backup service without allowing you to encrypt them.

      ...based upon the above, on what other platforms would you assume that Google has any sort of interaction with your WLAN passwords? I'm really curious.

      I mean, they're clearly stealing them by using their vans to read my dog's brain, but that's what the tinfoil hat is for. Not everyone has pets however.

      • Well, they have been caught sniffing out WLAN metadata with their street view camera cars in the past, breaking numerous laws in various countries in the process, so the idea that they could attempt to "accidentally store" plaintext WLAN passwords is not that far-fetched.

        No need for a tin-foil hat, though, when you can explain the behavior to a simple and straightforward "we don't give a fuck about the security of your data" attitude.

        • by TheCarp (96830)

          > No need for a tin-foil hat, though, when you can explain the behavior to a simple and straightforward
          > "we don't give a fuck about the security of your data" attitude.

          You are not wrong, but you are missing the point of the previous comment. The point was that unencrypted wifi passwords on PCs is not the same issue - because google doesn't generally have access to the unencrypted password on your PC. In fact it's pretty unavoidable without going to smart cards.

          The android phone, on the other hand, is

    • by gstoddart (321705)

      Strangely missing from the summary is the fact that this only affects Android devices

      Do Google provide a backup service for anything else?

      I happen to know that all desktops and laptops with Windows XP-7 do the same

      Upload it to the cloud unencrypted? I don't think so.

      So if you think plaintext or reversible encryption storage of passwords is the problem, that's all devices everywhere, with or without Google.

      But made worse by the fact that on newer Android devices this is enabled by default, and uploads all

      • It's time to start assuming that you can't trust anyone with your data.

        FTFY.

        Welcome to the world of Johnny Mnemonic, minus the cerebral implants and Henry Rollins' terrible acting.

        • by gstoddart (321705)

          Welcome to the world of Johnny Mnemonic, minus the cerebral implants and Henry Rollins' terrible acting.

          *sigh* So, all of the dystopian future without any of the fun technology?

          • by idontgno (624372)
            Well, in all fairness, knowing now how the NSA works, you'd have to rewrite parts of "Johnny Mnemonic", because Jones the Dolphin would be an active NSA operative behind barbed wire and armed guards instead of a fun fair freakshow.
          • That seems to be the direction we're heading in.

            I guess if you want to be an optimist, you can take comfort in the fact they aren't using poor people as food... yet, anyway.

          • It could go Ghost in the Shell: Standalone Complex though.
  • by iYk6 (1425255) on Thursday July 18, 2013 @01:51PM (#44319723)

    the fact that Google can read them (and disclose them if forced by 'law') is a bit surprising, to put it nicely.

    That's not just nice, that's outright flattery. Seriously, who is surprised by this? Lots of cloud backup storage services don't let you encrypt data (or make it hard to do so), so why would it be surprising that Google, the mother of all data hoarders, would want to store and read this stuff?

  • What we know now about Si Valley's (sometimes lucrative) strange bedfellows, they need to prove it wasn't a 'feature' for their buddies.
  • I mean, WTF, Google? How did anyone who had any sort of clue at all think that it was acceptable to store data that is critical to my networks' (yes, several) in the clear when you copied it from their Android devices. Again, what the fuck?
  • Apple iOS (Score:5, Interesting)

    by EkriirkE (1075937) on Thursday July 18, 2013 @02:01PM (#44319853) Homepage
    While not storing cleartext, they do store your WiFi passwords in a reversible encryption. If using WPA I think they should just store the ssid:phrase hash instead of keeping the phrase. WEP can't be helped... Anyhow, Apple stores all passwords in their keychain and this is easily snooped. Jailbroken iOS devices can get "WiFiPass" to reveal all the AP & passwords it's ever connected to. It's handy when I pass my device to an AP owner to "privately" enter their password but I want to associate more devices, I just load that program and see what it was and do it myself.
    • by blueg3 (192743)

      While not storing cleartext, they do store your WiFi passwords in a reversible encryption.

      Okay, let's get a few things straight here.

      First, "reversible encryption" is a stupid phrase. There are basically two kinds of encryption: symmetric encryption and asymmetric encryption. Symmetric encryption uses a single secret key to both encrypt and decrypt data. It's reversible (using the one key). Asymmetric encryption uses two keys: one key to encrypt and a different key to decrypt. It's also reversible, but the encrypt and decrypt operations can only be performed with the corresponding key. They're b

      • by EkriirkE (1075937)
        WPA handshake/crypto is done by hash of SSID+phrase, there is no need to store the original phrase but it is, as far as I can tell, for end-user convenience when changing your AP's SSID and not having to rekey the passphrase. Though on the client side I can't think of a reason for it... In the end, though, the hash can be considered the new passphrase but not exactly human-readable.
        Granted "reversible" is redundant when talking about encryption, I never implied a hash was reversible.
        • by blueg3 (192743)

          You only mentioned "reversible encryption", which is redundant. I added the bit about hashes because people are constantly confusing hashes with encryption.

          I specifically used the term "secret" because your password isn't necessarily your secret. In the case of WPA, for example, it's that generated hash that is the real secret. You could store that instead of the original password and it would be just fine. However, the secret is the piece of information that's used to access the network anyway. The fact th
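
Added example, not part of any comment in this thread: the WPA/WPA2-Personal key derivation the two posters above are discussing (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID), showing what a settings backup would hold if it kept only the derived PSK, and that the PSK by itself is still enough to join that network. The function names and record layout are hypothetical; the passphrase/SSID pair in the demo is the published IEEE 802.11i test vector, and the second SSID is constructed.

```python
import hashlib

PSK_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_LENGTH = 32        # 256-bit pre-shared key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PSK_ITERATIONS, PSK_LENGTH)


def backup_record(ssid: str, passphrase: str, keep_passphrase: bool = False) -> dict:
    """Hypothetical backup entry: always the SSID and PSK, optionally the passphrase."""
    record = {"ssid": ssid, "psk": wpa_psk(passphrase, ssid).hex()}
    if keep_passphrase:
        record["passphrase"] = passphrase
    return record


def wpa_supplicant_block(record: dict) -> str:
    """Render the record as a wpa_supplicant network block.

    wpa_supplicant accepts the PSK as 64 unquoted hex digits, so the
    passphrase is not needed to connect: whoever holds the PSK holds the
    network credential. (Assumes the SSID needs no escaping.)
    """
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (record["ssid"], record["psk"])


def psk_after_rename(record: dict, new_ssid: str):
    """PSK for the same network after its SSID changes.

    The SSID is the salt, so a hash-only record cannot follow a rename:
    returns None unless the passphrase was kept.
    """
    if "passphrase" not in record:
        return None
    return wpa_psk(record["passphrase"], new_ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    hash_only = backup_record("IEEE", "password")
    full = backup_record("IEEE", "password", keep_passphrase=True)

    print(wpa_supplicant_block(hash_only))
    # Same passphrase on another SSID (constructed) yields an unrelated PSK,
    # so a leaked hash-only record does not directly expose passphrase reuse.
    print("other SSID :", wpa_psk("password", "guest-net").hex())
    print("rename, hash only      :", psk_after_rename(hash_only, "IEEE-5G"))
    print("rename, with passphrase:", psk_after_rename(full, "IEEE-5G"))
```

Storing only the PSK limits what a leaked backup says about the human-chosen passphrase, but it does not change who can join the network: the party holding the backup can still connect unless the record is encrypted with a key it does not have.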

  • Google supposedly hires the best of the best but they seem to make more than a couple school boy errors. So do they hire incompetent people or are they doing this for the NSA? I think I know what I'd pick.
  • Do no evil (Score:5, Funny)

    by sproketboy (608031) on Thursday July 18, 2013 @02:07PM (#44319921)

    But I guess they do a lot of stupid.

    • Yeah. I'm guessing this one is not malicious. Android has a lot of bugs, and when your system has a lot of bugs, it's going to have security problems (see also, Adobe, Java Applets, Microsoft, etc).
  • So what? (Score:5, Informative)

    by DrkShadow (72055) on Thursday July 18, 2013 @02:10PM (#44319945) Homepage Journal

    So what? Concern where concern is due. Do you really think that Google is going to be fetching your phone backups, hoping for a wireless password, then driving to your house and connecting to your wifi so that they can... sniff your traffic? Impersonate you on the internet?

    How does this in any way matter? even if the password _were_ encrypted, it's reversible encryption -- it _has_ to be. So they could just decrypt it, anyway. This is the same as on Windows: you can get a wireless key viewer that gives you the password of every network that Windows has memorized. Further, your computer is probably a great deal more accessible to anyone, especially those who are interested in your wireless network, than Google's phone backups.

    As for those who are going to say, "Let the user encrypt it with a password!" ... most don't do that. Most people won't put one in, many will forget it if they do, you can't link it to a phone identifier because part of the purpose is in case the phone is lost, and part of the functionality is syncing to Google services -- so it has to be decrypted anyway. Wake me up again when Google syncs all the pictures you've taken with your camera to Picasa and posts them on your auto-created Google+. That'll be a fun day.

    • Re:So what? (Score:5, Interesting)

      by Zalbik (308903) on Thursday July 18, 2013 @03:49PM (#44321049)

      How does this in any way matter? even if the password _were_ encrypted, it's reversible encryption -- it _has_ to be. So they could just decrypt it, anyway.

      Wrong. It could be encrypted with a key that only the user knew. With proper key choices Google would have no way of decrypting

      I know some people like to believe that if Google, the NSA, the Chinese or some other group really really wanted to, they could decrypt any encrypted information, even without the password.

      This is false. It is still infeasible for anyone to crack Triple DES info encrypted with a reasonable choice of keys.

      • by ancientt (569920)

        I'm glad to see a few rational thinkers on this forum, but that's not the end of the story. If the NSA or Chinese government really really wanted to see all you are up to, they wouldn't be trying to decrypt your password. They'd probably just hack into your system because they have 0-day hacks that you can't know about and install a keylogger. If you're really paranoid and you boot from CD and run everything from RAM, they can still install a physical keylogger if they care enough to get physical access. Th

    • Re:So what? (Score:4, Insightful)

      by whois (27479) on Thursday July 18, 2013 @03:55PM (#44321121) Homepage

      If you're a company and anyone associates to your corporate network using an Android phone, you've now got a problem.

      And how are you supposed to stop this with policy other than blanket banning android phones? Ignore the fact that google is "good guy google" and think about what happens if the database is somehow exposed to hackers, or if there is a malicious google employee who decides to sell 1.4 million wifi passwords?

    • by c (8461)

      Do you really think that Google is going to be fetching your phone backups, hoping for a wireless password, then driving to your house and connecting to your wifi so that they can... sniff your traffic? Impersonate you on the internet?

      Whether or not someone thinks they want to, the question I have is that if you're running a Google O/S, with a good chunk of your stuff available using Google software via Google products, why in the world would Google ever need your wifi password to access your wifi network?

      I

  • by Overzeetop (214511) on Thursday July 18, 2013 @02:13PM (#44319973) Journal

    This is why, at the end of each day, I use a sledge hammer to pound my phone, all my computers, my wireless equipment, and my ISP interface into little pieces and then put them all in a 3000 degree furnace before burying them in the backyard. Each morning I get up and install all new equipment, then reinstall everything from the original CDs, creating a day-unique username and password for everything. Sure, it takes a while, and costs a few thousand dollars a day, and restoring my 5TB movie server from backup is a pain, but it's the price I pay for convenience and privacy.

    • by rgbscan (321794)

      I call shenanigans. Everyone knows your department ran out of money after spending 2.7 million in taxpayer dollars doing this :-)

  • by Zontar_Thing_From_Ve (949321) on Thursday July 18, 2013 @02:25PM (#44320139)
    Looking at the comments in the first link in the original post is useful. One comment says that the only thing the panicked bug reporter knows is that the WLAN password was retrieved in the clear, but it could be that this information actually is encrypted but the retrieval decrypted it. In other words, things may not necessarily be as the original post and the bug reporter suggest. There is a chance that things are exactly as bad as suggested though. At this point only Google can say for sure how it is.
    • At this point only Google can say for sure how it is.

      Is the Google backup service in Cyanogenmod a binary blob?

    • by swillden (191260)

      One comment says that the only thing the panicked bug reporter knows is that the WLAN password was retrieved in the clear, but it could be that this information actually is encrypted but the retrieval decrypted it.

      Google uses SSL for basically everything, so it was almost certainly SSL-encrypted in transit.

  • by Anonymous Coward on Thursday July 18, 2013 @02:29PM (#44320189)

    I backup data to a server, I restore data to my phone. OMG!!! They are storing my data noes!!!! This is just fear mongering.

    Google Is providing a data backup service (which is opt-in at first boot) that backs up your data and you'd like them to encrypt the data then, what delete the key? Maybe have you type in a second password? Seriously, why make the android first boot process more cumbersome.

  • Suspicion !== fact (Score:4, Informative)

    by tomxor (2379126) on Thursday July 18, 2013 @03:40PM (#44320959)

    seriously what the fuck...

    Title: "Google Storing WLAN Passwords In the Clear"

    Post: "So far it's not known whether the passwords are stored encrypted"

    fuck you "husemann", i don't care if this is about google or MS that everyone loves to hate, it's BS and so are you. by your logic I might as well make this post:

    Airbags cause heads to fill with raisins and explode:

    ... it is not yet known if airbags cause heads to fill with raisins and explode.

  • This was revealed many places a while back. Dragorn of Kismet covered it back in 2010:

    http://blog.kismetwireless.net/2010/08/google-wifi-android-and-too-much-data.html [kismetwireless.net]

  • Well of course they're storing them in the clear. How else could they send them to the NSA?
