Meta fined $101M for storing passwords in plaintext(therecord.media) |
Meta fined $101M for storing passwords in plaintext(therecord.media) |
Meta fined $102M for storing passwords in plain text - https://news.ycombinator.com/item?id=41678840 - Sept 2024 (119 comments)
Meta pays the price for storing passwords in plaintext - https://news.ycombinator.com/item?id=41677465 - Sept 2024 (6 comments)
Meta pays the price for storing passwords in plaintext - https://news.ycombinator.com/item?id=41674082 - Sept 2024 (7 comments)
EU privacy regulator fines Meta 91M euros over password storage - https://news.ycombinator.com/item?id=41669912 - Sept 2024 (38 comments)
Super easy mistake to make.
Also surely someone noticed before they had to be fined, yikes
Because people will constantly enter their passwords in the wrong places, that's why. Classic Unix systems administrators always found passwords logged as usernames. Or in shell history files. Or on typescript transcripts.
Facebook's forms are no different, and all it takes is a moment of inattention, type into the wrong field, an accidental copy-paste, or an overzealous password manager, and how many millions of users will eventually send in their passwords?
The truly marvelous technical feat would be to devise a way to stop this. Essentially, you couldn't. It's a complex issue. Not negligence.
On a relevant note, how is this fine amount determined? Were there any damages?
I wonder how much of a fine Ireland would have levied on an Irish company in similar circumstances.
More discussion: https://news.ycombinator.com/item?id=41669912
the american gov is spending billions upon billions to defend the eu and they have the gall to nitpick & set 7 to 9 fig fines using %revenue (extortion) on their companies, which are btw providing valuable services (for free) to eu citizens. beyond ridiculous, especially with no sensible cap on the fines.
all the gdpr has done is make the web more miserable, someone from the usgov should give a call to the data protection office or wtv to remind them of their actual importance in the grand scheme of things.
and this is ignoring the damage they're doing to their own tech ecosystem with this over-regulation.
The profit Meta et al make just appears out of thin air. It's so kind of these companies to use the income they get from their money trees to altruistically provide free services to anyone.
Jokes aside: The cost may be hidden, but you're still the one who pays.
For those in the US? Perhaps, at least if we only look at the direct impact.
In the EU it made all sorts of privacy abuse that's completely standard and accepted in the US (credit agencies, payroll companies, etc. etc. sharing all sorts of information with anyone who asks/pays in addition to online tracking) legally impossible.
So while you can still authenticate as the user to say facebook you can't login to their linkedin account. Assuming, facebook and linkedin don't use the same client side salt.
You could hash them again before they hit db, but then your not really pre-hashing the passwords clientside. And if you want to change your hashing algorithm or parameters, users can't login until they update their clients.
There is no advantage if you use proper security practices like storing a hash and salt.
But, by not sending the actual user-entered password, it prevents me from logging the user-entered password in plaintext.
If I did make a mistake and logged the users email and "Y", and I got hacked, the hacker could not take the email and "Y" and try to log into a variety of other online services using the same credentials. This is the credential stuffing I was speaking of.
Whoever created the login system probably is a different person than who added the logging system. Perhaps the logging system should've discarded login attempts or masked the credentials but there's probably a dozen ways to login and they'd need to know all of them and possible futurely added ones.
It seems a bit more practical to have the system send a safer version of a parameter to the server instead.