Slashdot Mirror

← Back to Stories (view on slashdot.org)

T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security (vice.com)

Posted by BeauHD on from the shocking-admissions dept.

T-Mobile Austria admitted on Twitter that it stores at least part of their customer's passwords in plaintext. What this means is that "if anyone breaches T-Mobile (it's only a matter of time), they could likely guess or brute-force every user's password," reports Motherboard. "If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password." From the report: "Based on what we know about how people choose their passwords," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, "knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest." T-Mobile doesn't see that as a problem because it has "amazingly good security." On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet. Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn't see it that way. "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear," the rep wrote back.

42 of 71 comments (clear)

  1. Why? by Roger+W+Moore · · Score: 2

    Why would you store the first four characters of every password? Obviously, it is a serious security hole but what possible use is having four letters of a password for the company itself?

    1. Re:Why? by 93+Escort+Wagon · · Score: 2

      Probably as a "hint" they can provide to the customers who call and say "Help! I don't remember my password!" However that is an extremely stupid position to take.

      Also, this quote was mind-boggling:

      "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear"

      This person responded to a question regarding a demonstrably insecure practice basically with the tautological claim "it's not a insecure practice because we don't do insecure practices"?!

      --
      #DeleteChrome
    2. Re:Why? by ZorinLynx · · Score: 1

      This is definitely NOT a good reason to do this, but it's a possible explanation.

      Some password policies have a rule that says your password can't be too similar to your last few passwords. It's easy to determine if your new password is similar to the last one, because you just entered the last one to change it. But without saving part of the plaintext there's no way to know (if a good hash algorithm is used) if the new password is similar to one used two passwords ago.

      So maybe they're using to try to enforce a misguided password changing policy. Either way, it's a horrible idea.

      Note: If ANY site forces a password change and denies it because the new password is too similar to "a previous password" and it's NOT the old password you JUST entered to change, it means they're storing passwords in plaintext somewhere or using a reversible hash. Some sites will save several old hashes but this will only deny a password if it perfectly matches the previous one.

    3. Re: Why? by Anonymous Coward · · Score: 1

      So the rep can say...i see the first four letters of your password are "abcd", please confirm the rest for me so I can better assist you. ðY

    4. Re:Why? by Zontar+The+Mindless · · Score: 1

      Already tagged this story with famouslastwords.

      --
      Il n'y a pas de Planet B.
    5. Re:Why? by Calydor · · Score: 1

      So save the OLD, no longer valid password for future comparison purposes.

      Still a terrible idea (Oh hey, this one was 'sickofthis13', let's try 'sickofthis14') but better than keeping part of an active, valid password open for anyone to see.

      Imagine if you found out that Trump's password started with 'make*****************' ... what do you think the full password is?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    6. Re:Why? by alex3772 · · Score: 1

      They store it for authentication via telephone. If a customer calls them he has to authenticate himself by giving the call center operator the first four digits of the password.

    7. Re: Why? by TheRaven64 · · Score: 1

      His idea is that you start with the new password, unhashed. Then you permute it in various ways and hash it. If any of these permutations gives the old hash, then you reject it. If not, then you hash it, store it, and scrub memory very carefully to erase all copies of the permuted unhashed password.

      --
      I am TheRaven on Soylent News
  2. Nothing like painting a target on your back by slickwillie · · Score: 1

    I think some (Russian) crackers might take this as a challenge.

  3. That's outrageous by DigitAl56K · · Score: 1

    T-Mo have had problems with number hijacking/SIM-re-issue, malicious porting out of numbers to other networks, and now I find that they're storing passwords partially in plain text?

    What the actual F, T-Mobile?!

    1. Re:That's outrageous by DigitAl56K · · Score: 1

      Update: T-Mobile reps are denying storing them in plain text on Twitter so this may be a miscommunication gone out of hand.

    2. Re: That's outrageous by Type44Q · · Score: 1

      You pigeon fucker

      That just doesn't have the right ring to it, I'm afraid.

    3. Re: That's outrageous by retchdog · · Score: 1

      That just doesn't have the right ring to it, I'm afraid.

      hey, any cloaca will do in a pinch.

      --
      "They were pure niggers." – Noam Chomsky
  4. conference dedicated to passwords. by phantomfive · · Score: 1

    I feel like an entire conference dedicated to passwords is maybe a little too specialized. Apparently enough people disagree with me, though. I wonder what kind of research they are doing.

    --
    "First they came for the slanderers and i said nothing."
  5. That's not really how passwords are cracked by h33t+l4x0r · · Score: 2, Interesting

    knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest.

    Assuming the password database is leaked and someone wants to crack *just yours* I suppose they'll get it faster.
    But if you used a good password it won't happen for a long time and by then hopefully you will have been alerted to the leak.

    1. Re:That's not really how passwords are cracked by complete+loony · · Score: 1

      Lets assume your password is made up of random characters from the entire 90(ish) printable ascii characters. An 8 character password has a 1 in 10^15 chance of any guess being correct. A 4 character password is only 1 in 10^7.

      Chances are that your password doesn't use the entire character set, and probably contains a word to make it more memorable. So that the remainder of your password is partially predictable from the first four characters, which is even worse.

      Sure you'd probably have to hack the password cracker's code to work with these prefixes, but that shouldn't be too hard.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:That's not really how passwords are cracked by complete+loony · · Score: 1

      Reducing your password strength by 10^7 is huge. Even the most intensive brute force search will crack passwords 10 million times faster.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    3. Re:That's not really how passwords are cracked by Dutch+Gun · · Score: 1

      and by then hopefully you will have been alerted to the leak.

      Companies have been known to sit on this type of information for many months, sometimes even *years*, so I'm not sure that's something we can rely on.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:That's not really how passwords are cracked by AHuxley · · Score: 1

      Set a limit on the length of password actually used internally :) Let user type in a poem every time and have it accepted within the GUI.
      A small set of data in plain text just got the time needed way down if the actual used pw length is near the plain text.

      Add in years of discovered word lists and that time could go down more.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:That's not really how passwords are cracked by h33t+l4x0r · · Score: 1

      Except that it doesn't do that in most scenarios. It only does it if the data has been leaked and someone wants your password specifically out of the millions that were leaked.

    6. Re:That's not really how passwords are cracked by complete+loony · · Score: 1

      If passwords have been salted, every password must be attacked separately anyway.

      To put this in plain english, leaking 4 characters of the password might reduce the attack from something google couldn't do, even with all of their available CPU's, to something you can easily do on a single raspberry pi. That's the difference in computational complexity we're talking about here.

      Yes, obviously this requires a data leak, and breaking the "encryption" method on the stored password fragment. But that's why we hash passwords anyway.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  6. Front line reps clueless by cascadingstylesheet · · Score: 1

    Front line reps clueless, news at eleven. Maybe they use the first four for phone identity verification?

  7. "AT LEAST" part... by jtara · · Score: 4, Funny

    Reading between the lines, it sounds like they store the entire password in plain text.

    Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for http://mein.t-mobile.at/

    Now, it might be that the agent doesn't understand that passwords aren't normally stored in plain text. You don't "need" to store passwords in order for users to log-in with their password. But that's hard for non-technical people to understand.

    They had to go out of their way if they've stored the first four characters in plain text! They'd need an additional attribute in a database table just for that, and I just can't imagine this happening without every developer within shouting distance noticing and objecting. There would have to be a very good reason, and there would have to have been a great deal of discussion and justification.

    I would love to hear the "why" if this is actually the case.

    You don't need the password in plain-text to deal with lost passwords. You have a protocol for the customer to prove their identity, and then you provide a way to reset the password - whether directly by the customer or manually be a customer service rep.

    Please, every T-Mobile customer: please change your password RIGHT NOW to f*** + 12 random characters!

    1. Re:"AT LEAST" part... by Koutarou · · Score: 1

      For certain types of authentication you do need to store plaintext passwords - the traditional two types of logins used for dialups/pppoe are PAP and CHAP. PAP allows you to have password hashes on the auth server but transmits plaintext on the wire/air. Conversely CHAP hashes on the wire/air but requires the plaintext password to be available on the auth server due to the nature of the protocol. You choose your points of vulnerability.

    2. Re:"AT LEAST" part... by pD-brane · · Score: 2

      please change your password RIGHT NOW to f*** + 12 random characters!

      I don't understand. "T-Mobile" are not 12 random characters.

  8. Don't lots of sites do this? by mattventura · · Score: 1

    I sear every bank has some characters you can't use in a password and/or an unreasonably short maximum length, leading me to believe that there are far too many sites that either store in plaintext or have other glaring security flaws like not escaping user input.

    1. Re:Don't lots of sites do this? by phantomfive · · Score: 1

      Banks seem to favor "following the rules." Following the rules doesn't yield good security in software, because we haven't found the right rules yet. It's still a game of cat and mouse.

      "Following the rules" works for physical security, and accounting for thousand of other peoples' money, but we've had literally thousands of years to figure out what rules to follow in those cases. Following outdated rules in computer security is bad practice.

      --
      "First they came for the slanderers and i said nothing."
  9. It's so easy to do it right by Tinsoldier314 · · Score: 1

    It's weird, I mean, it's like 3 lines of C# (and probably many other languages) to convert a string to a secure Pbkdf2 hash. Add some bounds checking and other DB nonsense (for a whole separate DB column for the password parts presumably?) and their approach is even more complex to implement. I'm sure someone could do it all in one line, the point is it's not hard to do it right, it's not like they saved hundreds of man-hours. It's like no one even cared.

    1. Re:It's so easy to do it right by WaffleMonster · · Score: 1

      It's weird, I mean, it's like 3 lines of C# (and probably many other languages) to convert a string to a secure Pbkdf2 hash.

      Pbkdf2 is only as "secure" as the password it protects.

    2. Re:It's so easy to do it right by Tinsoldier314 · · Score: 1

      Well in this case Pbkdf2 would provide at least 10,000 to 50,000 times more protection than their approach for the same password.

    3. Re:It's so easy to do it right by WaffleMonster · · Score: 1

      Well in this case Pbkdf2 would provide at least 10,000 to 50,000 times more protection than their approach for the same password.

      So what?

    4. Re:It's so easy to do it right by Tinsoldier314 · · Score: 1

      So what?

      Not sure if you're trolling, unaware or making some sort of pedantic argument. Key stretching and adaptive hashing are considered best practice and here's a couple references to read up on including some from TFA. These solutions will partially mitigate the impact of weak passwords.

      http://plaintextoffenders.com/...
      https://codahale.com/how-to-sa...
      https://nakedsecurity.sophos.c...

  10. Re:bank "passwords" by jtara · · Score: 1

    It's not the same. And I wish they wouldn't call it a password.

    Many banks offer an additional level of protection, by allowing you to add a "password" to your account that you will be required to recite when contacting them by phone or doing business in an office.

    It has nothing to do with your online account password.

    Obviously, in order for the teller to verify it, they have to be able to see it.

    Maybe T-Mobile used the first 4 characters of your login password for this purpose. If they did, it is BIZARRE and stupid!

    You might argue that the "teller password" is an even worse practice. But this is supposed to be used only after they've already verified picture ID (at least in branch). On the phone, there still will be the usual verification steps before they ask for the password.

  11. Cant guess mine! by darkain · · Score: 1

    My first four letters are "pass"... And I bet you already guessed wrong what my 8-character password is! Its really "passmark", because I love benchmarking so much.

    1. Re:Cant guess mine! by novakyu · · Score: 1

      I might have believed you if you were an AC. But alas, you are not an AC and I can't believe you are that stupid.

  12. What's even worse by jetkust · · Score: 1

    Is that they force you to sign up to a pointless account in the first place. There's a phone number, device ID, and a sim card. Why is this necessary? I'm prepay, and everything was fine without the idiotic accounts.

  13. Interestingly enough by Kojow777 · · Score: 1

    T-Mobile doesn't see that as a problem because it has "amazingly good security."

    Only a few months ago T-Mobile's websites had a major security hole allowing hackers to access all kinds of information about users:

    https://www.engadget.com/2017/...

  14. Re:Uh oh by Z00L00K · · Score: 1

    T-Mobile is now a prime hacker target.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  15. But they've been hacked. A lot. by PeterGM · · Score: 1

    There have been a string of security screwups from T-Mobile. From severe bugs to straight up data theft.

    https://it.slashdot.org/story/18/02/23/2118227/critical-t-mobile-bug-allowed-hackers-to-hijack-users-accounts
    https://www.engadget.com/2017/10/11/t-mobile-website-flaw-social-engineering-hacks/

    A quick search for "T-Mobile data leak" provided numerous results to several instances. If this is their idea of "amazingly good" then yeah, I guess it is. After all "amazingly good" isn't exactly an empirical measure, it's sitting right in the middle of subjectivity. There are a lot of adjectives that are better than "amazingly" or "good", and maybe "amazingly good" is how they choose word the description of the their level of terrible security.

    --
    There are no stupid questions, just stupid people.
  16. T-Mobile security SUCKS!!! by Locke2005 · · Score: 2

    Despite giving them instructions that all orders should use the password I selected, T-Mobile allowed some tweaker that stole my phone info out of my car to call their phone payment system and make 11 approximately 11 dollar payments to my account, each with a different stolen credit card number, presumably to test the numbers and see if they had been deactivated yet. I immediately called T-Mobile to inform them there had been a mistake, and other people's money had been deposited to my account, and they should reverse the transactions. They're response? "We can't do anything about those transactions until the card owner complains to us, and we can't even tell you any information about the accounts used for the payments because of privacy!" Seriously??? Of course, as the card holders noticed the fraudulent transactions, T-Mobile started fining me $35 for each transaction that didn't go through, then insisted that all payments be made IN CASH in person at a T-Mobile store since they couldn't trust me after all those payments I made didn't go through! That was after their customer support insisted the problem was with my bank and I needed to clear it up with my bank despite my repeatedly telling him none of the bad transactions were made from my account. He then made a note on my account saying "customer refused to cooperate" and hung up on me. So I switched to AT&T.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:T-Mobile security SUCKS!!! by Locke2005 · · Score: 1

      Yeah, that was another incident, when one of my credit card companies posted an unauthorized charge. "The charge was for a product delivered to an address on the east coast, but we can't tell you what address it was delivered too." Uh... you wan't me to pay for something, but you can't give me any details about the order? Sure, protecting yourself from liability when somebody decided to take justice into their own hands is more important that helping fix the problem of credit card fraud. (For the record, they _might_ release the information to law enforcement, but in my experience law enforcement isn't willing to expend any time or energy investigating. Like when thieves broke into my motorhome, I call up police and said, "When are you going to come out and investigate, they left the tool they used to break in and probably left fingerprints." and there response was, "Why would we want to do that? We gave you a report number to give your insurance company, now leave us alone!" In other words, since I didn't have theft insurance, reporting the crime to the San Jose police department was pointless, they had more important things to do than investigate the theft of somebody's luggage and CD collection.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  17. A fix by joemck · · Score: 1

    Now that we know they store the first 4 characters in plaintext, we can work around this easily enough. Simply put 1234 at the start of whatever password you want to use, and you'll have the same security as you would without the idiocy or the 1234.