DEV Community

loading...

Discussion on: What are the worst security practices you've ever witnessed?

Collapse
rapidnerd profile image
George Marr

A global phone service provider once had themselves called out on twitter for storing passwords in plaintext, one of their support reps replied with "What if we don't need to hash/salt the passwords because our security is that amazing?" 24 hours later someone found an XSS vulnerability in their login page.

Collapse
ben profile image
Ben Halpern Author

"What if we don't need to hash/salt the passwords because our security is that amazing?"

Ooof that is brutal

Collapse
philnash profile image
Phil Nash

Never take the security opinion of the poor social media manager that is just trying to deal with a deeply technical security question (to them at least) seriously.

I feel bad for the employee who answered this. They are not supposed to have intimate knowledge of security practices and taking their word at face value is demeaning to the security industry.

This doesn't make T-Mobile's practices any better, but it's best not to pile on the wrong person about it.

Collapse
stephanie profile image
Stephanie Handsteiner

That was T-Mobile, the Austrian branch to be precise, but it led to a chain of asking T-Mobile branches in other countries if they do the same, even made its way to DTAG (the parent company in Germany).

This was really awful, especially considering the reaction from their marketing guys on twitter.

Collapse
charlesdlandau profile image
Charles Landau

I remember this! This was the thread obviously the offending party deleted their tweets though

Collapse
ben profile image
Ben Halpern Author

How are they not even case sensitive? You'd almost certainly have to do extra work to make them not case sensitive?

Makes sense if employees have to read them over the phone, but sheeeesh. So brutal all around!

Thread Thread
charlesdlandau profile image
Charles Landau

Cruft driven development: it's case insensitive somewhere in our insane mess of tools and systems, therefore make it case insensitive in this instance for compatibility.

AKA "I don't have time to clean up my disaster of a living room therefore I can't pick up this pizza box."

Thread Thread
tvanantwerp profile image
Tom VanAntwerp

I used to use 32-character alphanumeric random strings as answers to secret questions...until I had to read one over the phone.

Rep: Ok, so what street did you grow up on?
Me: Hold on, let me check the random answer in my password manager...
Password manager: ytuu^QoGZc5JQZ4BW3TuvH&w#jLlm%6T
Me: Fuck!
Rep (seeing the same thing on his end): laughter
Me: What if I just tell you it starts with y and ends with T?
Rep: Good enough.

Now I do something like diceware instead.

Thread Thread
areahints profile image
Areahints

Hahaha ๐Ÿ˜‚

I feel like, this will happen to me soon.

Collapse
mitchpommers profile image
Mitch Pomery (he/him)

Most/all ISPs have had to deal with Challenge-Handshake Authentication Protocol, which requires both sides to know what the password is, not just have something that can be computed from the correct password. It doesn't make the "our security is amazing" comment valid, but does explain why plaintext passwords exist.