Google Storing WLAN Passwords In the Clear

First time accepted submitter husemann writes "Micah Lee from the EFF filed a bug report about Google storing all your WLAN passwords on their application settings backup service without allowing you to encrypt them. So far it's not known whether the passwords are stored encrypted at rest, but just the fact that Google can read them (and disclose them if forced by 'law') is a bit surprising, too put it nicely. Already one German university is concerned enough about this 'feature' that they issued a warning to their users."

Apple iOS

[EkriirkE]

While not storing cleartext, they do store your WiFi passwords in a reversible encryption. If using WPA I think they should just store the ssid:phrase hash instead of keeping the phrase. WEP can't be helped... Anyhow, Apple stores all passwords in their keychain and this is easily snooped. Jailbroken iOS devices can get "WiFiPass" to reveal all the AP & passwords its ever connected to. It's handy when I pass my device to an AP owner to "privately" enter their password but I want to associate more devices, I just load that program and see what it was and do it myself.

Re:So what?

[Zalbik]

How does this in any way matter? even if the password _were_ encrypted, it's reverseable encryption -- it _has_ to be. So they could just decrypt it, anyway.

Wrong. It could be encrypted with a key that only the user knew. With proper key choices Google would have no way of decrypting

I know some people like to believe that if Google, the NSA, the Chinese or some other group really really wanted to, they could decrypt any encrypted information, even without the password.

This is false. It is still infeasible for anyone to crack Triple DES info encrypted with a reasonable choice of keys.