T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security (vice.com)
T-Mobile Austria admitted on Twitter that it stores at least part of its customers' passwords in plaintext. What this means is that "if anyone breaches T-Mobile (it's only a matter of time), they could likely guess or brute-force every user's password," reports Motherboard. "If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password." From the report: "Based on what we know about how people choose their passwords," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, "knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest." T-Mobile doesn't see that as a problem because it has "amazingly good security." On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet. Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn't see it that way. "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear," the rep wrote back.
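To put a number on Thorsheim's "DEAD EASY" claim, here is an added Python example; it is not code from Motherboard, T-Mobile or the Slashdot post. It models a credential record that keeps the first four characters in plaintext next to a salted hash, then brute-forces only the unknown tail. The password alphabet (lowercase plus digits), the known total length, the record layout and the use of SHA-256 in place of whatever hash the provider actually uses are all assumptions; the sample password is constructed. A slow KDF such as bcrypt or Argon2 would raise the cost of every single guess, but it would not change the ratio between the two search spaces, which is the point of the exercise.

```python
"""Added example: how much a leaked 4-character plaintext prefix shrinks the
search space for the hashed remainder of a password. Not vendor code."""
import hashlib
import itertools
import os
import string
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed password alphabet: 36 symbols. Real policies vary; the ratio below
# only depends on how many symbols are in play for each unknown position.
ALPHABET = string.ascii_lowercase + string.digits
PREFIX_LEN = 4  # the fragment the T-Mobile Austria rep said staff can see


@dataclass(frozen=True)
class StoredCredential:
    """Constructed model of a record that keeps a plaintext fragment beside a hash."""
    prefix: str    # first PREFIX_LEN characters, stored in plaintext
    salt: bytes
    digest: str    # hex SHA-256 of salt + full password
    length: int    # total length; assumed known (length rules are usually public)


def hash_password(salt: bytes, password: str) -> str:
    """SHA-256 stands in for the provider's unknown hash. A production store should
    use a slow, salted KDF; that changes the per-guess cost, not the guess count."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store(password: str) -> StoredCredential:
    """Write a record the way the tweet implies: plaintext prefix plus hash."""
    salt = os.urandom(16)
    return StoredCredential(
        prefix=password[:PREFIX_LEN],
        salt=salt,
        digest=hash_password(salt, password),
        length=len(password),
    )


def keyspace(unknown_chars: int, alphabet: str = ALPHABET) -> int:
    """Number of candidates for `unknown_chars` positions drawn from `alphabet`."""
    return len(alphabet) ** max(0, unknown_chars)


def crack_with_prefix(rec: StoredCredential,
                      alphabet: str = ALPHABET) -> Tuple[Optional[str], int]:
    """Brute-force only the characters after the leaked prefix.

    Returns (recovered_password, guesses_made); password is None when the tail
    uses a symbol outside `alphabet`, so the attacker would need a wider mask.
    """
    unknown = max(0, rec.length - len(rec.prefix))
    guesses = 0
    for tail in itertools.product(alphabet, repeat=unknown):
        guesses += 1
        candidate = rec.prefix + "".join(tail)
        if hash_password(rec.salt, candidate) == rec.digest:
            return candidate, guesses
    return None, guesses


def speedup(rec: StoredCredential, alphabet: str = ALPHABET) -> int:
    """Factor by which the leaked prefix shrinks the brute-force search space,
    compared with attacking a hash of the whole password of the same length."""
    full = keyspace(rec.length, alphabet)
    remaining = keyspace(rec.length - len(rec.prefix), alphabet)
    return full // remaining


if __name__ == "__main__":
    record = store("hunter2")  # constructed sample password
    recovered, guesses = crack_with_prefix(record)
    print(f"recovered={recovered!r} after {guesses} guesses")
    print(f"full keyspace for length {record.length}: {keyspace(record.length):,}")
    print(f"with prefix {record.prefix!r} leaked: {keyspace(record.length - PREFIX_LEN):,}")
    print(f"search space is {speedup(record):,}x smaller")
```

For a seven-character password over that alphabet the attacker goes from 36^7 (about 78 billion) candidates to 36^3 (46,656), a factor of 36^4, roughly 1.7 million. With a dictionary or Markov model on top, as Thorsheim's "based on what we know about how people choose their passwords" suggests, the prefix also prunes most of the wordlist before any hashing happens.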
Probably as a "hint" they can provide to the customers who call and say "Help! I don't remember my password!" However, that is an extremely stupid position to take.
Also, this quote was mind-boggling:
"I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear"
This is definitely NOT a good reason to do this, but it's a possible explanation.
Some password policies have a rule that says your password can't be too similar to your last few passwords. It's easy to determine if your new password is similar to the last one, because you just entered the last one to change it. But without saving part of the plaintext there's no way to know (if a good hash algorithm is used) if the new password is similar to one used two passwords ago.
So the rep can say... I see the first four letters of your password are "abcd", please confirm the rest for me so I can better assist you.
Nothing like painting a target on your back (Score:2)
That's outrageous (Score:2)
T-Mo have had problems with number hijacking/SIM-re-issue, malicious porting out of numbers to other networks, and now I find that they're storing passwords partially in plain text?
What the actual F, T-Mobile?!
Update: T-Mobile reps are denying storing them in plain text on Twitter so this may be a miscommunication gone out of hand.
