Security problems at T-Mobile Austria (Passwords stored in plain text)

Apologies for the English

T-Mobile Austria saves the customer’s passwords in plaintext, and they don’t see it as a problem. I therefore recommend avoiding this ISP…

T-Mobile US does not store in plaintext:

I don’t know about other branches of the company.


I think this Twitter person had no idea what they were talking about. There’s also an article about it in Der Standard: https://derstandard.at/2000077499940/T-Mobileat-prahlt-mit-amazing-security-wird-weltweit-zur-Lachnummer

As far as it looks, they store the first 4 letters in plain text, but the whole password is still encrypted.
bob probably does almost the same, since you have to tell customer support your password on the phone to authenticate yourself (and you can only have the password changed via customer support).

edit: It seems you only speak English. Use Google Translate or some other online translator to understand what I have written :smiley:


@z3ntu @JeroenH
As a service oriented person with a few free minutes at hand, I will try a translation:
It seems that Twitter person doesn’t have a clue. There’s an article on it in the Austrian daily “Der Standard”.

Edit: Thx @Ingo for the hint. I just reformatted the paragraphs to make clear that it’s just a translation.

I know this is just translating the article and not your personal view. Just to not confuse anyone :wink:

On the matter of encryption: the article speculates about what “encrypted” actually means. It could very well mean all passwords are encrypted with the same key, which would still not be state-of-the-art security, given the additional security problems that other people found on the T-Mobile Austria pages.
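To make the three storage models this post and the later comparison discussion argue about concrete (plaintext, reversible encryption under one shared key, salted slow hash), here is an added Python example; it is not from the thread or from T-Mobile, the key, salt and passwords are constructed, and the XOR keystream is a toy stand-in for a real cipher:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data; nothing here comes from a real system.
SHARED_KEY = b"one-key-for-every-customer"  # the "same key for all" scenario


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible encryption: XOR with a key-derived keystream.
    Stand-in for a real cipher; the property that matters is that
    whoever holds SHARED_KEY can undo it for every record at once."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def store_encrypted(password: str) -> bytes:
    """'Encrypted' storage: looks protected at rest, but is fully reversible."""
    return keystream_xor(SHARED_KEY, password.encode())


def recover_all(records: Dict[str, bytes]) -> Dict[str, str]:
    """What an insider or attacker with the shared key gets: every password back."""
    return {user: keystream_xor(SHARED_KEY, blob).decode() for user, blob in records.items()}


def store_hashed(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash (PBKDF2-HMAC-SHA256): verification possible, recovery not."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    """Case-sensitive check of a spoken or typed password, with no stored plaintext.
    Constant-time comparison avoids leaking how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```

Note that the hashed variant only ever answers "does this complete password match": the "first four letters" check from the thread has no equivalent here, because a separately stored prefix (plaintext or hashed) is just a much weaker second password.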


And about what I wrote about bob. I found the following text in the bob “questions and answers”:

So security is a very high priority for bob obviously :wink:


Ehh, thanks for the translation but I understand basic German quite well (it is an easy language, coming from native Dutch). My experience is that if I write/speak in German it is going to piss off German speaking people :smiley: so feel free to use either German or English w/me here.

This doesn’t prove they don’t save the password plaintext; it rather suggests they don’t have to save the password plaintext. I mean, the customer support basically has privileged access (write support) for passwords. If they have write support, they could have read support. It does not tell us how the passwords are saved.

This certainly does not prove they don’t save the password plaintext.

Furthermore, they didn’t deny the allegation about storing plaintext passwords:

This is just damage control from a higher up in the chain (very broad language), but at least that CS rep is going to get reprimanded.

But if you have to tell them the password, they will have to have it in cleartext, otherwise they cannot compare it (without entering it correctly with upper and lower case, which they don’t).

If you tell them the password, you need to figure out if they use it as input to compare. A compare between audio and visual without reproducing is a sign of plaintext saving. Signs which give clues: a compare with keyboard takes longer, and you might hear the CS rep using their keyboard. There’s voice recognition but that’s unlikely.

We don’t know if they save the password lower- or uppercase. OpenVMS stores passwords case insensitive if PWDMIX is disabled.

As for 8 characters, lol. Are they still using NIS/YP?

Oh, c’mon, plain text things —even short ones— violate password security. And the requirement of a password from THREE characters to EIGHT is just… :man_facepalming::woman_facepalming:
(If you don’t know why, just check this blog post from the Discourse —this forum software— founder.)
