A global phone service provider once had themselves called out on Twitter for storing passwords in plaintext; one of their support reps replied with "What if we don't need to hash/salt the passwords because our security is that amazing?" 24 hours later someone found an XSS vulnerability in their login page.
Ooof, that is brutal.
Never take seriously the security opinion of the poor social media manager who is just trying to deal with a (to them, at least) deeply technical security question.
I feel bad for the employee who answered this. They are not supposed to have intimate knowledge of security practices, and taking their word at face value is demeaning to the security industry.
This doesn't make T-Mobile's practices any better, but it's best not to pile on the wrong person about it.
That was T-Mobile, the Austrian branch to be precise, but it led to a chain of asking T-Mobile branches in other countries if they do the same, and it even made its way to DTAG (the parent company in Germany).
This was really awful, especially considering the reaction from their marketing guys on Twitter.
@c_pellegrino @PWTooStrong @Telekom_hilft Had the same issue with T-Mobile Austria. Apparently they are saving the password in clear because employees have access to them (you have to tell them your password when you're talking to them on the phone or in a shop) and they are not case sensitive
I remember this! This was the thread; obviously the offending party deleted their tweets, though.
How are they not even case sensitive? You'd almost certainly have to do extra work to make them not case sensitive?
Makes sense if employees have to read them over the phone, but sheeeesh. So brutal all around!
Cruft driven development: it's case insensitive somewhere in our insane mess of tools and systems, therefore make it case insensitive in this instance for compatibility.
AKA "I don't have time to clean up my disaster of a living room therefore I can't pick up this pizza box."
I used to use 32-character alphanumeric random strings as answers to secret questions...until I had to read one over the phone.
Rep: Ok, so what street did you grow up on?
Me: Hold on, let me check the random answer in my password manager...
Password manager: ytuu^QoGZc5JQZ4BW3TuvH&w#jLlm%6T
Me: Fuck!
Rep (seeing the same thing on his end): laughter
Me: What if I just tell you it starts with y and ends with T?
Rep: Good enough.
Now I do something like diceware instead.
Hahaha
I feel like this will happen to me soon.
Most/all ISPs have had to deal with Challenge-Handshake Authentication Protocol, which requires both sides to know what the password is, not just have something that can be computed from the correct password. It doesn't make the "our security is amazing" comment valid, but does explain why plaintext passwords exist.
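To make the CHAP point concrete, here is an added example in Python (not code from the thread or from any of the commenters). It runs a toy RFC 1994 CHAP exchange in which the authenticator has to look up the peer's plaintext secret to recompute MD5(Identifier || secret || Challenge), and puts a salted PBKDF2 verifier next to it: that verifier stores no plaintext and can check a submitted password, but it has nothing it could feed into the CHAP computation. The class names, the "alice" account and its secret are invented for illustration; only the CHAP hash construction itself comes from the RFC.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (the ISP's PPP/RADIUS endpoint in the thread's scenario).

    It can only verify a response by recomputing it, and that recomputation
    consumes the secret itself. A hash of the secret would not do.
    """

    def __init__(self, secrets_db: dict[str, bytes]):
        self._secrets = secrets_db      # plaintext secrets, by necessity
        self._identifier = 0

    def challenge(self) -> tuple[int, bytes]:
        # Identifier changes per challenge; the challenge value is fresh randomness.
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: the subscriber's router/modem holding its own secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One Challenge -> Response -> Success/Failure round trip."""
    identifier, challenge = authenticator.challenge()
    name, response = peer.respond(identifier, challenge)
    return authenticator.verify(name, identifier, challenge, response)


# Contrast: a salted, iterated password verifier. It never stores the password,
# so a database leak does not hand out plaintext, but it also cannot produce or
# check a CHAP response, because chap_response() needs the secret bytes.
PBKDF2_ITERATIONS = 200_000  # illustrative; pick per current guidance


def pbkdf2_record(password: bytes, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def pbkdf2_verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"correct horse battery staple"})
    print("CHAP, right secret:", run_chap(auth, ChapPeer("alice", b"correct horse battery staple")))
    print("CHAP, wrong secret:", run_chap(auth, ChapPeer("alice", b"Correct Horse Battery Staple")))
    salt, record = pbkdf2_record(b"correct horse battery staple")
    print("PBKDF2 verify:", pbkdf2_verify(b"correct horse battery staple", salt, record))
```

Note that the CHAP check is case sensitive as written: the secret is hashed byte for byte, so the case folding the thread describes would have to be a deliberate normalisation on both ends before the hash, not a property of the protocol.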