- electricprism ( @electricprism@lemmy.ml ) 1•4 minutes ago
Google did it too for a decade
- HiddenLayer555 ( @HiddenLayer555@lemmy.ml ) English9•5 hours ago
Does anyone remember an article/interview a while back where Mark Fuckerberg shamelessly admitted that he chose not to hash passwords in the original Facebook codebase specifically because he wanted to be able to log into his users’ other accounts that use the same password? I swear I remember reading something like this but now I can’t find it.
- fl42v ( @fl42v@lemmy.ml ) 19•6 hours ago
instead of in an encrypted format on its internal systems.
Riiight, like that’s any better. Jokes aside, it’s hard to imagine what kind of “mistake” results in storing plain text instead of hashing, unless the mistake was in choosing whoever made the security assessment
- BearOfaTime ( @BearOfaTime@lemm.ee ) 4•5 hours ago
Christ, the hell I would’ve gotten, in the 90’s, if I’d done something like this.
- masterspace ( @masterspace@lemmy.ca ) English9•6 hours ago
There was a previous article on this with more explanation that I’m struggling to find.
The gist was that they do hash all passwords stored, the problem was that there was a mistake made with the internal tool they use to do that hashing which led to the passwords inadvertently going into some log system.
- BearOfaTime ( @BearOfaTime@lemm.ee ) 1•5 hours ago
“mistake”
I call BS. The reviews I’ve gone through for trivial stuff would’ve exposed this.
This was intentional.
- moody ( @moody@lemmings.world ) 1•2 hours ago
A mistake doesn’t mean it’s an accident. A mistake means they made the wrong choice.
- HiddenLayer555 ( @HiddenLayer555@lemmy.ml ) English5•4 hours ago
Hanlon’s Razor revised: Never attribute to malice what can be attributed to incompetence, except where there is an established pattern of malice.
- fl42v ( @fl42v@lemmy.ml ) 1•6 hours ago
Makes sense now, thank you
- cron ( @cron@feddit.org ) 7•6 hours ago
This is not about facebook not hashing credentials, it is that they appeared in internal logs.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
Source: Krebs on Security
- HiddenLayer555 ( @HiddenLayer555@lemmy.ml ) English2•4 hours ago
that logged unencrypted password data
Why the fuck would you need to log a password ever? This is absolutely malice and not incompetence.
- bjorney ( @bjorney@lemmy.ca ) 3•3 hours ago
You are acting like someone checked off a “log passwords” box, as if that’s a thing that even exists
Someone configured a logger to write HTTP bodies and headers, not realizing they needed to build a custom handler to iterate through every body and header anonymizing any fields that may plausibly contain sensitive information. It’s something that literally every dev has done at some point before they knew better.
- cron ( @cron@feddit.org ) 2•3 hours ago
Just one open source example … freeradius has an option to log passwords:
log { destination = files auth = no auth_badpass = no auth_goodpass = no }
Or another example: The apache web server has a module that dumps all POST data, with passwords, in plain text:
mod_dumpio
allows for the logging of all input received by Apache and/or all output sent by Apache to be logged (dumped) to the error.log file. The data logging is done right after SSL decoding (for input) and right before SSL encoding (for output). As can be expected, this can produce extreme volumes of data, and should only be used when debugging problems.I don’t agree that this is “absolutely malice”, it could also be stupidity and forgetfulness.
- GolfNovemberUniform ( @GolfNovemberUniform@lemmy.ml ) 3•6 hours ago
Any kind of encryption requires storing the key in plain text. Still nice to see Meta being fined though.