Linux Distributions Storing Wi-Fi Passwords In Plain Text

Bill Dimm writes "An article on Softpedia claims that Linux distributions using NetworkManager are storing Wi-Fi passwords in plain text in /etc by default. The article recommends encrypting the full disk or removing NetworkManager and using a different tool like netctl. Some of the article comments claim the article is FUD. Is this a real problem?"

Re:KNetworkManager

[TheCarp]

I mostly agree, especially about it being a non-story.

Part of the issue, I think, is conflating a wifi password with other passwords. A wifi password has several properties that set it apart from others.

For one thing, it is usually shared between devices, even ones used by different people (lets ignore advanced schemes, if you are setting up some manner of authentication none of this applies).

Secondly, it is only useful within a small geographic location. A website or email password can be used by someone half the world away. A wifi password is only useful within range of your particular access point.

Thirdly, the exposure is mostly limited. While its true that someone could drive up to your AP and start transmitting child porn, and that could lead to some serious consequences; the real abuses here are only attractive to a limited audience and not something generally useful or generally financially useful.... it doesn't give them access to your accounts, even your email downloads are likely encrypted to him.

Overall, exploiting this is more work than it is worth much of the time, and if it wasn't, it isn't like it is impossible to add more controls. If you really are paranoid, you can always drop wifi devices onto their own segment that can only talk to a VPN endpoint....shit then you can run the wifi passwordless and use the VPN for protection.

In any case, this is 99.9% a non-issue.