T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security

T-Mobile Austria admitted on Twitter that it stores at least part of their customer's passwords in plaintext. What this means is that "if anyone breaches T-Mobile (it's only a matter of time), they could likely guess or brute-force every user's password," reports Motherboard. "If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password." From the report: "Based on what we know about how people choose their passwords," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, "knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest." T-Mobile doesn't see that as a problem because it has "amazingly good security." On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet. Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn't see it that way. "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear," the rep wrote back.

Why?

[Roger+W+Moore]

Why would you store the first four characters of every password? Obviously, it is a serious security hole but what possible use is having four letters of a password for the company itself?

Re:Why?

[93+Escort+Wagon]

Probably as a "hint" they can provide to the customers who call and say "Help! I don't remember my password!" However that is an extremely stupid position to take.

Also, this quote was mind-boggling:

"I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear"

This person responded to a question regarding a demonstrably insecure practice basically with the tautological claim "it's not a insecure practice because we don't do insecure practices"?!

That's not really how passwords are cracked

[h33t+l4x0r]

knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest.

Assuming the password database is leaked and someone wants to crack *just yours* I suppose they'll get it faster.
But if you used a good password it won't happen for a long time and by then hopefully you will have been alerted to the leak.

"AT LEAST" part...

[jtara]

Reading between the lines, it sounds like they store the entire password in plain text.

Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for http://mein.t-mobile.at/

Now, it might be that the agent doesn't understand that passwords aren't normally stored in plain text. You don't "need" to store passwords in order for users to log-in with their password. But that's hard for non-technical people to understand.

They had to go out of their way if they've stored the first four characters in plain text! They'd need an additional attribute in a database table just for that, and I just can't imagine this happening without every developer within shouting distance noticing and objecting. There would have to be a very good reason, and there would have to have been a great deal of discussion and justification.

I would love to hear the "why" if this is actually the case.

You don't need the password in plain-text to deal with lost passwords. You have a protocol for the customer to prove their identity, and then you provide a way to reset the password - whether directly by the customer or manually be a customer service rep.

Please, every T-Mobile customer: please change your password RIGHT NOW to f*** + 12 random characters!

Re:"AT LEAST" part...

[pD-brane]

please change your password RIGHT NOW to f*** + 12 random characters!

I don't understand. "T-Mobile" are not 12 random characters.

T-Mobile security SUCKS!!!

[Locke2005]

Despite giving them instructions that all orders should use the password I selected, T-Mobile allowed some tweaker that stole my phone info out of my car to call their phone payment system and make 11 approximately 11 dollar payments to my account, each with a different stolen credit card number, presumably to test the numbers and see if they had been deactivated yet. I immediately called T-Mobile to inform them there had been a mistake, and other people's money had been deposited to my account, and they should reverse the transactions. They're response? "We can't do anything about those transactions until the card owner complains to us, and we can't even tell you any information about the accounts used for the payments because of privacy!" Seriously??? Of course, as the card holders noticed the fraudulent transactions, T-Mobile started fining me $35 for each transaction that didn't go through, then insisted that all payments be made IN CASH in person at a T-Mobile store since they couldn't trust me after all those payments I made didn't go through! That was after their customer support insisted the problem was with my bank and I needed to clear it up with my bank despite my repeatedly telling him none of the bad transactions were made from my account. He then made a note on my account saying "customer refused to cooperate" and hung up on me. So I switched to AT&T.