Password Cluelessness

Over at self.li, Peter Legierski has a horrifying post about password cluelessness. The tl;dr is that Fon, described as the “world’s largest Wi-Fi Network”, keeps its passwords as plain text. Legierski knows this because when he forgot his password and clicked on the appropriate link, they sent it to him in an email.

We’ve discussed this sort of thing many times before here at Irreal. Even putting aside the massive fail that is sending a password via email in the clear, the storing of passwords as plain text is just not acceptable. They absolutely must be salted and hashed to have even a modicum of security. Fon is a community with over 4 million users each of whom makes his WiFi router available to members so that every member always has access to free WiFi wherever they travel. How many of those 4 million users do you think reuse their passwords? What would be the consequences of the disclosure of that information?

As I said, we’ve discussed all this before so there wouldn’t be much reason to beat the remains of that particular horse except for the comments to Legierski’s post. The amount of cluelessness displayed (at full volume) is extraordinary. Many commenters said that perhaps the passwords were held in an encrypted database, which would make it OK. Others thought that you can “decrypt” a hash with a rainbow table and recover the password. Some appeared not to have heard about SSL/TLS. If you’re interested in this sort of thing, you really should follow the link and read the comments.
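Here, as an added example rather than anything from the original post or from Fon, is the plaintext scheme described above next to a salted, hashed one, in Python using only the standard library (the iteration count, the sample stores and the user names are assumptions). It also shows why two users with the same password end up with different stored hashes, which is what makes the commenters' rainbow-table idea fail against salted hashes.

```python
import hashlib
import hmac
import os
import secrets

# Scheme the post criticises (constructed sample, not Fon's code): the server
# keeps the password itself, so "forgot password" can simply email it back.
def plaintext_register(store, user, password):
    store[user] = password

def plaintext_forgot(store, user):
    # Whoever reads the store, or the email, now has the real password.
    return store[user]

# Salted, hashed scheme: the server keeps only (salt, hash). ITERATIONS is an
# assumed value; it should be tuned to be slow on the server's hardware.
ITERATIONS = 200_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hashed_register(store, user, password):
    salt = os.urandom(16)  # fresh random salt for every user
    store[user] = (salt, hash_password(password, salt))

def hashed_verify(store, user, attempt):
    salt, expected = store[user]
    # Constant-time comparison avoids leaking where the hashes first differ.
    return hmac.compare_digest(hash_password(attempt, salt), expected)

def hashed_forgot(store, pending, user):
    # There is no password to send back; the only sane option is a one-time
    # reset token, itself stored hashed so a leaked store cannot be used to
    # take over the account.
    token = secrets.token_urlsafe(32)
    pending[user] = hashlib.sha256(token.encode()).digest()
    return token  # this goes in the email instead of the password

def same_password_different_hashes(password):
    # Two users with the same password get different stored hashes, which is
    # why a precomputed (rainbow) table for unsalted hashes does not apply.
    s1, s2 = os.urandom(16), os.urandom(16)
    return hash_password(password, s1) != hash_password(password, s2)
```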

Sadly, this cluelessness appears to be endemic. One of the commenters, Igal Tabachnik, notes that the storing of passwords as plain text is so widespread that he started a Web site, Plain Text Offenders, to document and shame the offenders. The comments to Legierski’s post show that many users, even nominally technical ones, don’t have a clue about the proper handling of passwords. Tabachnik’s site shows that many programmers and IT people don’t either.
