
T-Mobile Educational Material on Plaintext Passwords and Computer Security

Forewarning: This is a parody article. Watching the debacle unfold literally reminded me of a fake exam question in computer and network security - so let's treat it like that!

Recently T-Mobile Austria launched an innovative campaign to educate the average Joe and Jane on modern computer security, focusing on plaintext passwords but including many other concepts in the expanded scope. Like the Burger King bullying ad, they temporarily embarrass themselves and their company in an effort to educate a broad audience.

This is not the first instance of T-Mobile producing this type of educational campaign. In early 2016, T-Mobile CEO John Legere highlighted the impressive work and independent nature of the Electronic Frontier Foundation (EFF), the leading nonprofit defending digital privacy, free speech, and innovation, by shouting in a short tweeted video "Who the f**k are you, and who pays you?".

Remember when reading below, the T-Mobile Education Team are purposefully making T-Mobile appear incompetent. No tech company, large or small, would ever be so unaware of computer security as to store passwords in plaintext.

Wait ... the password policy is what now?

The elaborate stunt started with an innocuous password validation issue that T-Mobile surely contrived on purpose.

As you well know, password strength is generally proportional to three things:

  • The length and number of possible tokens (e.g. [a-zA-Z0-9] is stronger than [a-z])
  • Ensuring unique passwords by usage of password managers
  • Avoiding security questions which generally use readily available information

In one fell swoop, T-Mobile highlighted all three issues.

This would already be a good introduction to password security in and of itself - but the T-Mobile Educational Team aim for excellence, not mediocrity.

Murder on the Plaintext Express

After the relatively quiet start, a shocking revelation shakes our cast: the calls are coming from inside the house - the passwords are stored in plaintext! ◉_◉

As we're all aware, plaintext passwords are a Bad Idea™. Why? The T-Mobile Educational Team help explain below!

Passwords as combination locks - way less effective if you know part of it

Even in an optimal world where the rest of the password is properly stored (i.e. hashed, salted, grilled, ...), knowing the first four characters of a password is still a Bad Idea™. In the T-Mobile Educational Team example, knowing the first four characters of the password effectively reduces the password length by - surprise - four characters. The average length of a password is only 9.6 characters - meaning that (in this totally hypothetical scenario that would never take place in reality) almost half of a password's length is revealed by storing this information, even if the rest of the system is secure.

Imagine a padlock with a combination code. Guessing the correct four digit code is nearly impossible for a human. Cut that down to a two digit code and it'll take you a few minutes at most. Passwords have the exact same issue. Their strength increases exponentially with length, so every character that is revealed divides the remaining search space by the size of the alphabet.
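The padlock arithmetic above, worked through as an added example that is not part of the original post: it computes how many bits are left to guess once a prefix is known, for both the four-digit lock and a 10-character [a-zA-Z0-9] password (close to the 9.6-character average quoted above). The guess rate used for the password case is a constructed figure, not one from the post.

```python
import math

def search_space_bits(alphabet_size: int, length: int, known_prefix: int = 0) -> float:
    """Bits an attacker must still guess for a uniformly random password of
    `length` symbols drawn from `alphabet_size` choices, when the first
    `known_prefix` symbols are already known (e.g. stored in the clear)."""
    remaining = max(length - known_prefix, 0)
    return remaining * math.log2(alphabet_size)

def reduction_factor(alphabet_size: int, known_prefix: int) -> int:
    """How many times smaller the search space gets once `known_prefix`
    symbols are revealed: each revealed symbol divides it by alphabet_size."""
    return alphabet_size ** known_prefix

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time, finding the password halfway on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def describe(alphabet_size: int, length: int, known_prefix: int, rate: float) -> str:
    """One-line summary of the full and reduced search spaces for a scenario."""
    full = search_space_bits(alphabet_size, length)
    left = search_space_bits(alphabet_size, length, known_prefix)
    return (f"{length} symbols over {alphabet_size}: {full:.1f} bits, "
            f"{known_prefix} known -> {left:.1f} bits "
            f"({reduction_factor(alphabet_size, known_prefix):,}x smaller), "
            f"~{expected_crack_seconds(left, rate):,.0f}s at {rate:,.0f} guesses/s")

if __name__ == "__main__":
    # The padlock from the text: 4 decimal digits, 2 of them known, one try per second.
    print(describe(10, 4, 2, rate=1.0))
    # A 10-character [a-zA-Z0-9] password with its first 4 characters exposed.
    # The 1e9 guesses/s rate is a constructed figure for an offline attack on a fast hash.
    print(describe(62, 10, 4, rate=1e9))
```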

Passwords are frequently re-used

Users aren't good with passwords. The majority of users re-use passwords across multiple websites. As such, when a password is leaked - such as what would happen if a password were stored in plaintext - this leak can compromise other services for that user across the internet. T-Mobile highlights this by pretending the average user, such as Grandpa Joe or Grandma Julie, is actually aware of the potential dangers of this.

No company's security is perfect

Optimism isn't a strategy that works in computer security. Computer security has been described by some (= just me) as akin to hiking across a mine field. Whilst wearing skis. Near an active volcano. Whilst being chased by an Internet-of-Things enabled Furby. Which happens to have laser eyes.

In summary, computer security isn't easy. A single mistake of any size anywhere by anyone is enough for the walls of your kingdom to crumble into dust.

As such, the best tactic is for a company to act under the assumption that their information may already have been accessed. The simplest tactic for a company is to hash and salt passwords, which substantially complicates the re-use of leaked passwords by bad actors on other sites.
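The hash-and-salt tactic just described, as an added example that is not part of the original post. It uses Python's standard-library PBKDF2-HMAC-SHA256 (an assumed choice; memory-hard functions such as scrypt or Argon2 are the usual production preference) and shows that the stored record contains neither the password nor any prefix of it, and that two users with the same password get different records.

```python
import hashlib
import hmac
import os

# Illustrative parameters: a 16-byte random salt per user and an iteration
# count you would raise until one check costs roughly 100 ms on your servers.
SALT_BYTES = 16
ITERATIONS = 100_000

def store_password(password: str) -> dict:
    """Build the record a server keeps. It holds a per-user random salt and a
    slow hash; the password itself, and any prefix of it, is never written."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"algo": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so a wrong guess cannot be told apart by how long the comparison takes."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def roundtrip(password: str, candidate: str) -> bool:
    """Store `password`, then check `candidate` against the stored record."""
    return verify_password(store_password(password), candidate)

if __name__ == "__main__":
    # Constructed sample credentials for two users who picked the same password.
    a = store_password("correct horse battery staple")
    b = store_password("correct horse battery staple")
    print("same password, different records:", a["hash"] != b["hash"])
    print("verify right password:", verify_password(a, "correct horse battery staple"))
    print("verify wrong password:", verify_password(a, "correct horse battery stapl"))
    print("record as an attacker would dump it:", a)
```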

To really drive this point home, a likely fake user created by the T-Mobile Educational Team highlights recent data breaches which potentially exposed the data of 76 million T-Mobile customers.

By being so flippant about it, and then pointing out their past folly, T-Mobile successfully highlights that security isn't a guarantee.

Bonus points: ad hominem attacks don't increase security

Whilst it may take a computer security professional to actually secure your system, we can all take part in security by pointing out problematic security practices. Many of the tenets of computer security don't change when it's being applied to telecommunication companies, social networks, your friend's soon-to-be-mainstream live streaming website for armadillos, or the Yo app. The principles remain the same.

As such, the T-Mobile Educational Team wanted to highlight that any user can be part of Team Security. They also ensured that the random Twitter user would not be too injured by their savage artificial ad hominem by providing them the best retort ever.

Bonus points: security disclosures in the computer security community

The last point is a complex one and I'm impressed the T-Mobile Educational Team decided to tackle it. When security researchers find an exploit, what are they meant to do? Tell the users who are impacted by it? Tell the company who might be able to fix it? Sell the exploit to a foreign nation which promises it only wants to listen in on bedroom conversations to better tailor their line of adult toys to very specific target markets?

Most security researchers attempt to work with companies in a positive manner. Sadly some companies can be mean and sue the security researchers or claim they're bribing them into fixing the product. Yes. Literally.

In this exchange, someone noting that "no-one can guarantee perfect security" is interpreted as a threat.

"Is this some kind of warning?" is the correct question to ask. Yes, it is. If you attack people who try to do the right thing, or security researchers that do free work in helping make your product more resilient, it acts as a foreshadowing. In the future the only people who will worry about your security are your own flawed internal security teams and potentially black hat hackers who aren't going to tell you about vulnerabilities on Twitter.

As highlighted in the response, talented engineers and employees won't work for companies that keep having and implementing Bad Ideas™ that will eventually hurt their userbase.

Conclusion: unbelievable but impressive production

Whilst the plot is unbelievable, the execution was flawless. In 2018, decades into the digital revolution, it is simply not a reasonable plot for a large corporation to be unaware of the dangers of plaintext passwords, or for the CEO of a major telecommunications company to attack a non-profit that is known for its dedication to privacy and free speech.

With that in mind, this was truly an epic stage play, touching many fragmented areas of the computer and network security sphere, performed on a public stage in front of millions of onlookers.

I can't wait to see what the T-Mobile Educational Team tries next!

Thanks to: Paul L McCord Jr for their T-Mobile graphic.