Slashdot Mirror

← Back to Stories (view on slashdot.org)

T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security (vice.com)

Posted by BeauHD on from the shocking-admissions dept.

T-Mobile Austria admitted on Twitter that it stores at least part of their customer's passwords in plaintext. What this means is that "if anyone breaches T-Mobile (it's only a matter of time), they could likely guess or brute-force every user's password," reports Motherboard. "If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password." From the report: "Based on what we know about how people choose their passwords," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, "knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest." T-Mobile doesn't see that as a problem because it has "amazingly good security." On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet. Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn't see it that way. "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear," the rep wrote back.

1 of 71 comments (clear)

  1. "AT LEAST" part... by jtara · · Score: 4, Funny

    Reading between the lines, it sounds like they store the entire password in plain text.

    Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for http://mein.t-mobile.at/

    Now, it might be that the agent doesn't understand that passwords aren't normally stored in plain text. You don't "need" to store passwords in order for users to log-in with their password. But that's hard for non-technical people to understand.

    They had to go out of their way if they've stored the first four characters in plain text! They'd need an additional attribute in a database table just for that, and I just can't imagine this happening without every developer within shouting distance noticing and objecting. There would have to be a very good reason, and there would have to have been a great deal of discussion and justification.

    I would love to hear the "why" if this is actually the case.

    You don't need the password in plain-text to deal with lost passwords. You have a protocol for the customer to prove their identity, and then you provide a way to reset the password - whether directly by the customer or manually be a customer service rep.

    Please, every T-Mobile customer: please change your password RIGHT NOW to f*** + 12 random characters!