T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security (vice.com)
T-Mobile Austria admitted on Twitter that it stores at least part of its customers' passwords in plaintext. What this means is that "if anyone breaches T-Mobile (it's only a matter of time), they could likely guess or brute-force every user's password," reports Motherboard. "If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password." From the report: "Based on what we know about how people choose their passwords," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, "knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest." T-Mobile doesn't see that as a problem because it has "amazingly good security." On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet. Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn't see it that way. "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear," the rep wrote back.
Why? (Score:3)
Re: (Score:3)
Probably as a "hint" they can provide to the customers who call and say "Help! I don't remember my password!" However that is an extremely stupid position to take.
Also, this quote was mind-boggling:
"I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear"
This person responded to a question regarding a demonstrably insecure practice basically with the tautological claim "it's not
Re: (Score:2)
Already tagged this story with famouslastwords.
Re: (Score:2)
This is definitely NOT a good reason to do this, but it's a possible explanation.
Some password policies have a rule that says your password can't be too similar to your last few passwords. It's easy to determine if your new password is similar to the last one, because you just entered the last one to change it. But without saving part of the plaintext there's no way to know (if a good hash algorithm is used) if the new password is similar to one used two passwords ago.
So maybe they're using to try to enforc
Re: (Score:2)
Re: (Score:2)
So save the OLD, no longer valid password for future comparison purposes.
Still a terrible idea (Oh hey, this one was 'sickofthis13', let's try 'sickofthis14') but better than keeping part of an active, valid password open for anyone to see.
Imagine if you found out that Trump's password started with 'make*****************' ... what do you think the full password is?
Re: Why? (Score:1)
So the rep can say... I see the first four letters of your password are "abcd", please confirm the rest for me so I can better assist you.
Re: (Score:1)
Re: (Score:2)
T-Mobile is now a prime hacker target.
Nothing like painting a target on your back (Score:2)
That's outrageous (Score:2)
T-Mo have had problems with number hijacking/SIM-re-issue, malicious porting out of numbers to other networks, and now I find that they're storing passwords partially in plain text?
What the actual F, T-Mobile?!
Re: (Score:2)
Update: T-Mobile reps are denying storing them in plain text on Twitter so this may be a miscommunication gone out of hand.
Re: That's outrageous (Score:2)
You pigeon fucker
That just doesn't have the right ring to it, I'm afraid.
Re: (Score:2)
That just doesn't have the right ring to it, I'm afraid.
hey, any cloaca will do in a pinch.
conference dedicated to passwords. (Score:2)
That's not really how passwords are cracked (Score:3, Interesting)
knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest.
Assuming the password database is leaked and someone wants to crack *just yours* I suppose they'll get it faster.
But if you used a good password it won't happen for a long time and by then hopefully you will have been alerted to the leak.
Re: (Score:2)
Let's assume your password is made up of random characters from the entire 90(ish) printable ASCII characters. An 8 character password has a 1 in 10^15 chance of any guess being correct. A 4 character password is only 1 in 10^7.
Chances are that your password doesn't use the entire character set, and probably contains a word to make it more memorable. So the remainder of your password is partially predictable from the first four characters, which is even worse.
Sure you'd probably have to hack the passw
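To put numbers on the comment above, here is an added example (not code from the thread, the article, or T-Mobile) that computes the worst-case guess count with and without a leaked four-character prefix and then actually runs the prefix-assisted brute force against a stored hash. The alphabet, password, salt and the use of SHA-256 over salt+password as the "stored" form are all this example's own choices, picked so it finishes instantly; the arithmetic is the same for any alphabet size and hash.

```python
import hashlib
import itertools
import os
import string

# Added example, not from the thread: how much of a password an attacker still
# has to guess once the first four characters are known. SHA-256 over salt+password
# stands in for whatever the operator stores; the demo password is constructed.
ALPHABET = string.ascii_lowercase      # deliberately small alphabet so the demo runs fast
LENGTH = 6


def search_space(alphabet_size: int, length: int, known_prefix_len: int = 0) -> int:
    """Worst-case number of candidates when the first known_prefix_len characters leak."""
    if not 0 <= known_prefix_len <= length:
        raise ValueError("known prefix must be between 0 and the password length")
    return alphabet_size ** (length - known_prefix_len)


def store(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) the way a naive salted-hash store might keep it."""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def crack(salt: bytes, digest: bytes, known_prefix: str, length: int, alphabet: str = ALPHABET):
    """Brute-force only the unknown suffix. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for tail in itertools.product(alphabet, repeat=length - len(known_prefix)):
        guesses += 1
        candidate = known_prefix + "".join(tail)
        if hashlib.sha256(salt + candidate.encode()).digest() == digest:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    salt, digest = store("secret")           # constructed demo password
    full = search_space(len(ALPHABET), LENGTH)
    leaked = search_space(len(ALPHABET), LENGTH, 4)
    print(f"no leak: up to {full:,} guesses; first 4 known: up to {leaked:,} ({full // leaked:,}x fewer)")
    print(crack(salt, digest, "secr", LENGTH))
```

For the comment's 90-character alphabet the leaked prefix divides the work by 90^4 regardless of password length, which is the "single Raspberry Pi" gap a later reply describes; the salt does not help here because it is stored next to the hash.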
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
A small set of data in plain text just got the time needed way down if the actual used pw length is near the plain text.
Add in years of discovered word lists and that time could go down more.
Re: (Score:2)
Re: (Score:2)
If passwords have been salted, every password must be attacked separately anyway.
To put this in plain English, leaking 4 characters of the password might reduce the attack from something Google couldn't do, even with all of their available CPUs, to something you can easily do on a single Raspberry Pi. That's the difference in computational complexity we're talking about here.
Yes, obviously this requires a data leak, and breaking the "encryption" method on the stored password fragment. But that's why we h
Re: (Score:2)
and by then hopefully you will have been alerted to the leak.
Companies have been known to sit on this type of information for many months, sometimes even *years*, so I'm not sure that's something we can rely on.
Front line reps clueless (Score:2)
"AT LEAST" part... (Score:5, Funny)
Reading between the lines, it sounds like they store the entire password in plain text.
Now, it might be that the agent doesn't understand that passwords aren't normally stored in plain text. You don't "need" to store passwords in order for users to log-in with their password. But that's hard for non-technical people to understand.
They had to go out of their way if they've stored the first four characters in plain text! They'd need an additional attribute in a database table just for that, and I just can't imagine this happening without every developer within shouting distance noticing and objecting. There would have to be a very good reason, and there would have to have been a great deal of discussion and justification.
I would love to hear the "why" if this is actually the case.
You don't need the password in plain-text to deal with lost passwords. You have a protocol for the customer to prove their identity, and then you provide a way to reset the password - whether directly by the customer or manually by a customer service rep.
Please, every T-Mobile customer: please change your password RIGHT NOW to f*** + 12 random characters!
Re: (Score:1)
For certain types of authentication you do need to store plaintext passwords - the traditional two types of logins used for dialups/pppoe are PAP and CHAP. PAP allows you to have password hashes on the auth server but transmits plaintext on the wire/air. Conversely CHAP hashes on the wire/air but requires the plaintext password to be available on the auth server due to the nature of the protocol. You choose your points of vulnerability.
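The PAP/CHAP trade-off in the comment above, shown as an added example (not from the thread or any vendor's code): a CHAP verifier following RFC 1994's MD5 algorithm has to recompute MD5(Identifier || secret || Challenge), so it must hold the secret itself, whereas a PAP verifier receives the password and can compare it against a salted hash. The server classes, user names and secrets are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example of the two PPP authentication methods contrasted in the comment.
# CHAP (RFC 1994, MD5 algorithm): Response = MD5(Identifier || secret || Challenge);
# the verifier must reconstruct that value, so it keeps the secret in the clear.
# PAP: the password itself crosses the link, so the verifier can keep only a hash.
# Server classes, users and secrets below are constructed for this demo.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the CHAP peer returns; identifier is the one-octet packet Identifier field."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self._secrets = dict(secrets)        # name -> plaintext secret: unavoidable for CHAP
        self._pending = {}                   # identifier -> outstanding challenge, single use

    def challenge(self, identifier: int) -> bytes:
        ch = os.urandom(16)
        self._pending[identifier] = ch
        return ch

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        ch = self._pending.pop(identifier, None)   # consumed: a replayed response fails
        secret = self._secrets.get(name)
        if ch is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, ch), response)


class PapServer:
    def __init__(self, users):
        # name -> (salt, sha256(salt || password)); no plaintext retained. A real store
        # would use a slow hash (PBKDF2 etc.), but the point here is only what is kept.
        self._users = {name: self._store(pw) for name, pw in users.items()}

    @staticmethod
    def _store(password: str, salt: bytes = b""):
        salt = salt or os.urandom(16)
        return salt, hashlib.sha256(salt + password.encode()).digest()

    def verify(self, name: str, password: str) -> bool:
        """password arrived in the clear on the link; the server itself needs no plaintext."""
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)
```

The CHAP server's `_secrets` dictionary is exactly the table a database leak would expose; the PAP server's table leaks only salted hashes, at the cost of exposing the password on the wire.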
Re: (Score:2)
please change your password RIGHT NOW to f*** + 12 random characters!
I don't understand. "T-Mobile" are not 12 random characters.
Don't lots of sites do this? (Score:2)
Re: (Score:2)
"Following the rules" works for physical security, and accounting for thousands of other people's money, but we've had literally thousands of years to figure out what rules to follow in those cases. Following outdated rules in computer security is bad practice.
Re:bank "passwords" (Score:2)
It's not the same. And I wish they wouldn't call it a password.
Many banks offer an additional level of protection, by allowing you to add a "password" to your account that you will be required to recite when contacting them by phone or doing business in an office.
It has nothing to do with your online account password.
Obviously, in order for the teller to verify it, they have to be able to see it.
Maybe T-Mobile used the first 4 characters of your login password for this purpose. If they did, it is BIZARRE an
It's so easy to do it right (Score:2)
Re: (Score:2)
It's weird, I mean, it's like 3 lines of C# (and probably many other languages) to convert a string to a secure Pbkdf2 hash.
Pbkdf2 is only as "secure" as the password it protects.
Re: (Score:2)
Re: (Score:2)
Well in this case Pbkdf2 would provide at least 10,000 to 50,000 times more protection than their approach for the same password.
So what?
Re: (Score:2)
So what?
Not sure if you're trolling, unaware or making some sort of pedantic argument. Key stretching and adaptive hashing are considered best practice, and here are a couple of references to read up on, including some from TFA. These solutions will partially mitigate the impact of weak passwords.
http://plaintextoffenders.com/... [plaintextoffenders.com]
https://codahale.com/how-to-sa... [codahale.com]
https://nakedsecurity.sophos.c... [sophos.com]
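An added example (not T-Mobile's code and not taken from the linked references) tying together several of the points in this thread: salted PBKDF2 storage and constant-time verification as the "it's so easy to do it right" comment describes, a password-history rule enforced against the stored hashes of earlier passwords by hashing cheap variants of the new one (the "sickofthis13 -> sickofthis14" case from the earlier reply, without keeping any plaintext), and a support-initiated reset that never needs to see the password. The iteration count, history depth, variant rules, `Account` class and sample passwords are this example's own construction.

```python
import hashlib
import hmac
import os
import secrets
import string

# Added example (not T-Mobile's code, not from the linked articles): salted PBKDF2
# storage, constant-time verification, a password-history rule checked against the
# stored hashes of earlier passwords, and a reset flow for support staff. Every
# function, constant and sample password here is this example's own construction.
ITERATIONS = 100_000    # tune for your hardware; current OWASP guidance is higher
HISTORY_DEPTH = 5


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt$derived-key (hex)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def variants(password: str):
    """Cheap neighbours a history rule should treat as 'too similar' (sickofthis13 -> sickofthis14)."""
    yield password
    for v in (password.lower(), password.upper(), password.swapcase(), password.capitalize(), password[::-1]):
        yield v
    stem = password.rstrip(string.digits)
    digits = password[len(stem):]
    if digits:                                   # bump a trailing counter up or down a few steps
        n = int(digits)
        for k in range(n - 3, n + 4):
            if k >= 0:
                yield stem + str(k).zfill(len(digits))
    else:
        for k in range(10):
            yield password + str(k)
    for suffix in ("!", "1", "123"):             # common appended junk, added or removed
        yield password + suffix
        if password.endswith(suffix) and len(password) > len(suffix):
            yield password[: -len(suffix)]


def too_similar(new_password: str, history) -> bool:
    """True if any cheap variant of new_password matches a hash in the history."""
    seen = set()
    for v in variants(new_password):
        if v in seen:
            continue
        seen.add(v)
        if any(verify_password(v, stored) for stored in history):
            return True
    return False


class Account:
    def __init__(self, password_hash: str):
        self.password_hash = password_hash
        self.history = [password_hash]
        self._reset = None                        # (sha256(token), expiry) while a reset is open

    def begin_reset(self, now: int, ttl: int = 900) -> str:
        """Support verifies identity some other way, then hands the customer this token."""
        token = secrets.token_urlsafe(32)
        self._reset = (hashlib.sha256(token.encode()).digest(), now + ttl)
        return token                              # only its hash is kept server-side

    def complete_reset(self, token: str, new_password: str, now: int) -> bool:
        if self._reset is None:
            return False
        digest, expiry = self._reset
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(presented, digest):
            return False
        if too_similar(new_password, self.history):
            return False                          # token stays valid so the user can pick another
        self._reset = None                        # single use once a password is accepted
        self.password_hash = hash_password(new_password)
        self.history = (self.history + [self.password_hash])[-HISTORY_DEPTH:]
        return True
```

The variant list is deliberately small: each entry costs one PBKDF2 run per stored history hash, so the check should stay well under a few hundred hashes per password change. Nothing in this flow needs the plaintext of any current or prior password, which is the whole objection raised in the thread.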
Cant guess mine! (Score:2)
My first four letters are "pass"... And I bet you already guessed wrong what my 8-character password is! It's really "passmark", because I love benchmarking so much.
Re: (Score:2)
I might have believed you if you were an AC. But alas, you are not an AC and I can't believe you are that stupid.
What's even worse (Score:2)
Interestingly enough (Score:1)
T-Mobile doesn't see that as a problem because it has "amazingly good security."
Only a few months ago T-Mobile's websites had a major security hole allowing hackers to access all kinds of information about users:
https://www.engadget.com/2017/... [engadget.com]
But they've been hacked. A lot. (Score:1)
https://it.slashdot.org/story/18/02/23/2118227/critical-t-mobile-bug-allowed-hackers-to-hijack-users-accounts [slashdot.org]
https://www.engadget.com/2017/10/11/t-mobile-website-flaw-social-engineering-hacks/ [engadget.com]
A quick search for "T-Mobile data leak" provided numerous results to several instances. If this is their idea of "amazingly good" then yeah, I guess it is. After all "amazingly good" isn't exactly an empiric
T-Mobile security SUCKS!!! (Score:3)
Re: (Score:2)
A fix (Score:1)
Now that we know they store the first 4 characters in plaintext, we can work around this easily enough. Simply put 1234 at the start of whatever password you want to use, and you'll have the same security as you would without the idiocy or the 1234.