[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comcast storing WiFi passwords in cleartext?

On Thu, 25 Apr 2019 at 20:17, Doug Barton <dougb at dougbarton.us> wrote:

> There are two mindsets that desperately need changing in the tech world:
> 1. Do not store data that you don't have a legitimate requirement to store
> 2. Do not store anything even remotely sensitive in the clear

#2 might be quite complex

There might be all kind of instrumentation built by people who don't
realise or have no easy ability to discriminate what is sensitive
data. Like someone might build really great JVM/Beam/GraalVM
instrumentation to monitor for performance regressions and deep
analytics, some of the analytic data collected potentially could be
sensitive. Or you might have some database where you store all
exception traces and core dumps and machine analyse them, those could
contain sensitive data. Or you could have analytics on UX, how people
interact with the software. Or you could have internal network
tap/sflow with decryption to better understand where network I/O
bottlenecks are or something else that can't even think of now, but
will be obvious after I read about it.
Looking at the late Facebook 'clear text PW', it doesn't read to me
like they had user auth data in database in plain text, it reads to me
like they had some debugging on for one specific application, and
people using that application to authenticate to facebook had their PW
with other debugging data stored somewhere.

I don't think it's tenable to hope that your sensitive data is being
handle as sensitive data or assume it is outlier when it is not. I
assume every sufficiently large and old company has my password stored
somewhere in clear text right now without them realising it and they
might come public when they realise it in few years time.
We're particularly vulnerable when we think it as simple problem as
hash in database and we would never do something so stupid as store
cleartext in DB.