corporate infosec.jpg (birdsite)
@sophia I've met that guy. He's pretty rad. And smart.
And taught me a lot during his talk about image file forensics (iirc), and how much data remains. 🙃
@sophia Identity thieves are famously respectful of the rule of law.
@sophia Storing a password in clear is secure, as it's illegal to intrude in someone else's database.
To authenticate you over the phone they ask you three characters from your password, so call center employees can see the plain text passwords too.
@sophia after showing this to my wife, she shared this one from #TMobileAustria, from April 2018, with me: https://www.reddit.com/r/sysadmin/comments/8aem4n/tmobile_plaintext_password_data_breach_thought_to/
and from the same thread, also: https://twitter.com/hanno/status/982530027135922179
(Now I wonder/hope *they* have at least cleaned up their act by now)
@FiXato I remember this; we all gave them an absolute pasting over it.
It's a shame the original reply from tmobileat is gone.
If they'd posted an update with their new security precautions, it could've helped restore some trust in them; now I'm left to wonder if this ever actually got fixed, or if they still store #plainTextPasswords / two-way encrypted passwords, or if they actually switched to a hashed/salted approach.
sparkle sparkle, bitches