
SoylentNews is people

posted by Fnord666 on Sunday April 08 2018, @02:07PM   Printer-friendly
from the easier-to-check-that-way dept.

https://www.privateinternetaccess.com/blog/2018/04/another-day-another-breach-at-what-point-does-storing-passwords-in-plaintext-become-criminally-negligent/

The third largest breach ever just happened in Finland. Passwords were stored in plaintext. At T-Mobile Austria, they explain that of course they store the password in plaintext, but they have such good security that it's nothing to worry about. At what point does this become criminally negligent?


  • (Score: 4, Interesting) by canopic jug on Sunday April 08 2018, @03:03PM (3 children)

    by canopic jug (3949) Subscriber Badge on Sunday April 08 2018, @03:03PM (#663950) Journal

    A historian would be able to better answer the question of how many decades it has been established as best practice to use a salted hash for passwords. Regardless of the details the answer will be in decades, and there is no excuse for any manager to sign off on such failed designs as we are seeing in the news.

    Apparently a crypt(3) function first appeared in Version 7 AT&T UNIX [freebsd.org], but if I read correctly it was symmetric. It's been at least since 1995, when Poul-Henning Kamp worked up md5crypt() [freebsd.dk], which has long since been replaced and is getting close to 25 years ago already.

    Sufficiently advanced incompetence is indistinguishable from malice.

    --
    Money is not free speech. Elections should not be auctions.
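To make the "salted hash" point in the comment above concrete, here is an added example (editor's code, not from the page or the commenter). It contrasts the anti-pattern (one fast, unsalted hash) with a salted, iterated PBKDF2-HMAC-SHA256 record framed crypt(3)-style, verified in constant time. The 600,000-iteration default, the record layout, and the sample users are assumptions for illustration; the wordlist function is there to show the caveat that hashing buys time after a breach but does not rescue a weak password.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor. Assumed default for this example; tune it
# so one verification costs tens of milliseconds on the real login hardware.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: no salt, one fast hash. Equal passwords give equal
    digests, so one rainbow table or one cracked digest serves every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record:
    algorithm$iterations$salt_hex$digest_hex (crypt(3)-style framing,
    assumed here so old records can be re-hashed when parameters change)."""
    salt = os.urandom(16)  # unique per record, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(digest_hex))


def crack_with_wordlist(record: str, wordlist: list[str]) -> Optional[str]:
    """What an attacker holding a stolen record table can still do: guess.
    Each guess costs a full KDF run per record (the salt stops sharing work
    across users), which is the whole point of the work factor. A weak
    password is still found; hashing buys time for forced resets, nothing more."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    users = {"alice": "Summer2018!", "bob": "Summer2018!"}
    print("unsalted, identical:",
          unsalted_sha256(users["alice"]) == unsalted_sha256(users["bob"]))
    records = {u: hash_password(p) for u, p in users.items()}
    print("salted, identical:", records["alice"] == records["bob"])
    print("login ok:", verify_password("Summer2018!", records["alice"]))
    print("cracked:", crack_with_wordlist(records["bob"], ["password", "Summer2018!"]))
```

With plaintext storage the breach is the password list; with unsalted fast hashes it is one lookup per distinct digest; with salted, iterated records the attacker pays the full work factor per user per guess, and the operator gets the window to force a reset.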
  • (Score: 2, Insightful) by Anonymous Coward on Sunday April 08 2018, @03:27PM (1 child)

    by Anonymous Coward on Sunday April 08 2018, @03:27PM (#663962)

    > Sufficiently advanced incompetence is indistinguishable from malice.

    Well, in case of incompetence, "advanced" is probably not the right word. What's the opposite of "advanced"? "Retarded"? Yes, that one works on multiple levels.

    Sufficiently retarded incompetence is indistinguishable from malice.

    • (Score: 4, Funny) by Azuma Hazuki on Sunday April 08 2018, @03:34PM

      by Azuma Hazuki (5086) on Sunday April 08 2018, @03:34PM (#663966) Journal

      Yyyyyup. I've been saying this for years now, usually phrasing it as "Hanlon's Razor loses its edge when there's enough incompetence."

      --
      I am "that girl" your mother warned you about...
  • (Score: 2) by choose another one on Sunday April 08 2018, @04:19PM

    by choose another one (515) Subscriber Badge on Sunday April 08 2018, @04:19PM (#663977)

    > A historian would be able to better answer the question of how many decades it has been established as best practice to use a salted hash for passwords.

    And how do partial password implementations (which is, I think, standard in some form on all of the banking sites I use) work with your "best practice"?

    It all depends on where you think the weakest point in the security actually is. Sometimes the weakest link is the client or the customer: client-side malware, phishing or plain old shoulder surfing may be a much larger risk (and far more difficult for a bank, say, to control and secure) than server-side password storage. Partial password implementations reduce client-side risks. Incompetence?
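The question above, how a partial-password login ("give us characters 2, 5 and 9") can coexist with salted hashing, has a known answer, shown here as an added example (editor's code, not anything from the page, the commenter or any bank). One salted, iterated hash is stored per subset of positions the server may ask for, with the asked positions bound into the hashed message so one subset's record cannot be replayed against another. The subset size of 3, the record layout and the sample password are assumptions; `offline_guess_space` quantifies the trade-off the comment alludes to, since each stolen record protects only a few characters.

```python
import hashlib
import hmac
import itertools
import os
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed default, tune on real hardware


def _kdf(message: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", message, salt, iterations)


def _subset_message(positions: tuple, chars: str) -> bytes:
    # Bind the asked positions into the hashed message, so the record for
    # positions (0, 1, 2) cannot be presented as the answer to (0, 1, 3).
    return (",".join(map(str, positions)) + ":" + chars).encode("utf-8")


def enroll_partial(password: str, positions_asked: int = 3,
                   iterations: int = ITERATIONS) -> dict:
    """Store one independently salted hash per subset of positions that may
    be challenged. The server keeps no plaintext and no per-character table,
    yet can check any challenge it later issues."""
    subsets = {}
    for positions in itertools.combinations(range(len(password)), positions_asked):
        salt = os.urandom(16)
        chars = "".join(password[i] for i in positions)
        subsets[positions] = (salt, _kdf(_subset_message(positions, chars), salt, iterations))
    return {"length": len(password), "positions_asked": positions_asked,
            "iterations": iterations, "subsets": subsets}


def choose_challenge(record: dict) -> tuple:
    """Pick which (0-based) positions to ask for; show them 1-based to the user."""
    return secrets.choice(list(record["subsets"]))


def verify_partial(record: dict, positions: tuple, answer: str) -> bool:
    """Recompute the hash for the challenged subset and compare in constant time."""
    if positions not in record["subsets"] or len(answer) != record["positions_asked"]:
        return False
    salt, expected = record["subsets"][positions]
    got = _kdf(_subset_message(positions, answer), salt, record["iterations"])
    return hmac.compare_digest(got, expected)


def offline_guess_space(alphabet_size: int, positions_asked: int) -> int:
    """Guesses an attacker needs per stolen subset record. With 3 characters
    from a 62-symbol alphabet that is only 238,328 KDF runs, far below the
    full password's space: the scheme trades server-side strength for
    resistance to keyloggers and shoulder surfing."""
    return alphabet_size ** positions_asked


if __name__ == "__main__":
    record = enroll_partial("hunter2pass", iterations=10_000)  # constructed sample
    asked = choose_challenge(record)
    print("ask for positions", tuple(p + 1 for p in asked))
    print("records stored:", len(record["subsets"]))
    print("guesses per record:", offline_guess_space(62, 3))
```

The cost is C(n, k) records per user (165 for an 11-character password and 3 asked positions) and a much smaller per-record guess space, which is why such schemes lean on lockout and the client-side threat model the comment describes rather than on the hash alone.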