Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Storing WLAN Passwords In the Clear

Posted by timothy on from the memory-tricks dept.

First time accepted submitter husemann writes "Micah Lee from the EFF filed a bug report about Google storing all your WLAN passwords on their application settings backup service without allowing you to encrypt them. So far it's not known whether the passwords are stored encrypted at rest, but just the fact that Google can read them (and disclose them if forced by 'law') is a bit surprising, too put it nicely. Already one German university is concerned enough about this 'feature' that they issued a warning to their users."

3 of 242 comments (clear)

  1. Too much trust by Linux+User+33 · · Score: 5, Insightful

    I think this is perfect example again that we put too much trust on Google. They have repeatly broken that trust and yet some people continue to trust them. This data also goes directly to NSA and FBI. I think both FCC and European Commission should hit them hard, upto jailing the top executives.

  2. This is why I turned off backup by DigitAl56K · · Score: 5, Insightful

    I turned off Backup on Android after discovering this. They're going to have to store them in the clear (or I guess reversible), so that the "backup" is reversible - i.e. you recover your backup or add a new phone to your account and it "just works" with your wifi.

    However, there's no in-between. I can't choose to backup certain things but exclude very sensitive things, like my wifi password and other credentials. Given what we know about government snooping and the constant notices of breached databases these days, I just don't want to use the backup feature at all, and anyone who does is taking a bit of a gamble IMO.

    Can't we have a sub-option to "also include credentials", at the very least?

    1. Re:This is why I turned off backup by DigitAl56K · · Score: 5, Insightful

      But, I gotta ask ... if we don't trust Microsoft and Google, who is left?

      I am fine with trusting Microsoft and Google, and indeed anyone with a reliable infrastructure, to provide a backup hosting service that significantly improves the experience with my phone in the event of a disaster. I'm just not fine with entrusting them with access to the contents of those backups, especially when I may not even be aware of or have granular control over what is in them.

      A backup passphrase that only I know, and restricting processing to the client-side, would be sufficient to achieve this.