
Unwarranted paranoia.

The worst thing that can happen here is that somebody connects to your wifi. If someone can read your email and is in the vicinity to connect to your wifi, the least of your problems is that he or she does connect to your wifi.

Also, as pointed out by others, this doesn't mean it's stored in plain text. Any time you set a password it travels in plain text (typically - and hopefully - via a secure connection) and it arrives to their server in plain text. You are never sure they are immediately storing it properly encrypted in a DB. They can also be doing things like sending it in emails or storing it elsewhere. If you cannot trust your password to whoever is storing it you are basically f*ed. BTW, what do you think they might do whenever you enter the wrong password in the wrong site? (for instance, your email password).



Garbage. The problem is not the transport-layer security. Transport-layer attacks are very difficult to implement. What is risky is what happens when someone gets access to the database and does "SELECT * FROM user". This is a very realistic threat, and with properly hashed passwords, gives an attacker no useful information. With plain-text passwords, though, they now have carte blanche to try the credentials at other sites, and steal someone's entire identity.

Yes, it's bad if you use the same password everywhere. Yes, it's bad if someone man-in-the-middles you. Yes, it's bad that arbitrary web users can run arbitrary database queries. But the point of robust engineering is to protect a system from many failures. If your passwords are stored in cleartext, your system is less safe overall than one that stores the passwords hashed. And because it's so easy to hash passwords, and because it's so damaging to your users to leak their password, it's generally considered Pretty Fucking Incompetent to keep passwords around in cleartext.


I haven't defended anywhere in my post stored passwords in plain text. Maybe you replied to the wrong post?


You mitigated its importance by saying:

> Unwarranted paranoia... Any time you set a password it travels in plain text (typically - and hopefully - via a secure connection) and it arrives to their server in plain text.

This is true, but data in motion is less vulnerable to compromise than data at rest (due to how the Internet works and how web applications are programmed), and so the conclusion "unwarranted paranoia" is wrong. The paranoia is warranted.


The main points from my point of view, and the reasons I think this is unwarranted paranoia:

- not a critical resource: if your email is compromised, the importance of that makes this insignificant. It's also a local resource; it cannot be exploited from afar.

- just because they email it to you doesn't mean it's in plain text. It can be symmetrically encrypted, or (not in this case) it can be sent prior to storage.

Not all accounts require draconian password policies. In fact, the abuse of these requirements encourages users to make really bad decisions regarding passwords, like reusing them or having them stored in a central repository.


If someone can execute a "SELECT * FROM user" query, it's highly likely that they can also intercept login form responses to retrieve plain text passwords.


Not true in practice. The select statement is often tacked on to some other database query. To intercept login form responses would require the ability to run "real code" rather than just ask the database things.

The reality is that most programmers do not call eval("code from the user") but they often call sql_query("code from the user").
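As an added illustration of the two points made in this thread (a database dump should yield nothing usable, and user input should be bound to a query rather than spliced into it), here is example code that is not from the thread or from FON: it assumes PBKDF2-HMAC-SHA256 from Python's hashlib, an in-memory SQLite table standing in for the site's user table, and a constructed user record.

```python
import hashlib
import hmac
import os
import sqlite3

# In-memory SQLite stands in for the site's user table (constructed for this example).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash. This is what gets stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(email: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    # Values are bound as parameters, never spliced into the SQL string, which is
    # the fix for the sql_query("code from the user") pattern mentioned above.
    conn.execute(
        "INSERT INTO user VALUES (?, ?, ?)", (email, salt, hash_password(password, salt))
    )


def verify_login(email: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM user WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_user_table() -> list:
    """What 'SELECT * FROM user' hands over: emails, salts and hashes, no passwords."""
    return conn.execute("SELECT * FROM user").fetchall()


if __name__ == "__main__":
    create_user("alice@example.com", "correct horse battery staple")  # constructed user
    print(verify_login("alice@example.com", "correct horse battery staple"))  # True
    print(verify_login("alice@example.com", "wrong"))  # False
    print(dump_user_table())  # one row of opaque bytes, nothing to reuse elsewhere
```

The flip side, relevant to the FON discussion, is that a store like this cannot email the password back; it can only offer a reset.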


> The worst thing that can happen here is that somebody connects to your wifi.

Unless a negligible number of the 4 million users accidentally reused the password for other services as well. Which probably makes 3.9 million victims.

> Also, as pointed out by others, this doesn't mean it's stored in plain text.

That does not matter much. If FON can extract it, an attacker can extract it as well, thus rendering it insecure.


It doesn't have to be extracted. It can be emailed prior to DB storage. That would actually be the straightforward way to do what FON is doing.


That would be accurate if the article did not state that he used the "Forgotten password" feature to recover his password. Also, sending a password unencrypted over email even before database storage is just as concerning. What if I fat-fingered my email address?


That's right. In this case they have it in a recoverable format somewhere (symmetric encryption is not as useless as many seem to think). Thanks for pointing it out, I think I skimmed that part this morning.

However, it is still just your wifi connection, which still has to be locally accessed, and not an ultra-secret password. IMO the policy is not problematic and it can save you the need to write it down somewhere, which for a local-only resource might be a worse alternative.


> The worst thing that can happen here is that somebody connects to your wifi.

No, the worst thing that can happen is that someone you trust uses the same password for this service and their google account, then the attacker who hates you uses their latitude access to find where your kids are and kidnaps them for money.

Sorry... went too far. A more sane version is: someone uses the same password for their {online retailer} account. Attacker uses that to log in and buy themselves a $X000 present using your saved CC details.


That's a compromised password for all intents and purposes.


In America we call that a Social Security Number.



