T-Mobile Austria is OK with Storing Passwords Partly in Clear Text
T-Mobile Austria is raising eyebrows over how the company has been storing customer passwords: it's been doing so partially in clear text.
How the admission came about is even more jarring. T-Mobile Austria's official Twitter account casually tweeted about it on Wednesday, adding: "I really do not get why this is a problem."
The stunning exchange began when a Twitter user named Claudia Pellegrino raised the issue with T-Mobile Austria. The company tweeted back, saying: "The customer service agents see the first four characters of your password."
This is bad. Granted, the information is still partially concealed, but exposing the first four characters of any password makes it all the easier to guess.
T-Mobile Austria wasn't fazed by this concern. "We secure all data very carefully, so there is not a thing to fear," the company tweeted to Pellegrino.
What happens if T-Mobile Austria experiences a breach, like so many companies often do? Nah, that won't happen; T-Mobile Austria has "amazingly good" security, the company said in another tweet.
On Friday, a T-Mobile Austria spokesman confirmed that its customer service agents do see parts of the passwords for authentication purposes. Presumably, this occurs when a T-Mobile customer talks to a service agent over the phone.
"We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience," the spokesman said in an e-mail.
All the login information is also "safely stored in encrypted databases," he added. However, T-Mobile Austria's policy on passwords goes against established security practices.
Typically, companies only keep the "hash" of your password. This involves sending the password through an algorithm that scrambles the characters into what appears to be random text. In the event a breach occurs, the hackers will only be able to steal the passwords in hashed form, which can make the looted login credentials difficult to crack.
The good news is that T-Mobile US isn't following its counterpart's example. "T-Mobile US customer care reps cannot see passwords, and passwords are not stored in plain text," the company said in an e-mail.
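The hash-only storage described above, paired with the one-time PIN the spokesman mentions as a way to authenticate callers without showing agents any password characters. This is an added example, not code from T-Mobile or the original article; the function names, the PBKDF2 work factor, the PIN length and the 94-symbol alphabet are assumptions.

```python
import hashlib
import hmac
import math
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example

def hash_password(password: str) -> dict:
    """Build the stored record: a random salt and a slow salted hash, nothing else."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])

def issue_agent_pin(record: dict) -> str:
    """Create a 6-digit one-time PIN to send to the customer out of band.
    Only its hash is kept; expiry handling is omitted."""
    pin = f"{secrets.randbelow(10**6):06d}"
    record["pin_hash"] = hashlib.sha256(pin.encode()).digest()
    return pin

def check_agent_pin(record: dict, spoken: str) -> bool:
    """Agent-side check: the PIN is consumed on first use, right or wrong."""
    expected = record.pop("pin_hash", None)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(spoken.encode()).digest(), expected)

def guess_bits(length: int, known_prefix: int = 0, alphabet: int = 94) -> float:
    """Bits of guessing work for a uniformly random password over `alphabet`
    symbols once `known_prefix` leading characters are visible."""
    return (length - known_prefix) * math.log2(alphabet)

if __name__ == "__main__":
    rec = hash_password("constructed-sample-password")  # constructed sample input
    print(verify_password(rec, "constructed-sample-password"))
    pin = issue_agent_pin(rec)
    print(check_agent_pin(rec, pin), check_agent_pin(rec, pin))
    print(round(guess_bits(8), 1), round(guess_bits(8, known_prefix=4), 1))
```

Because the record holds only a salt and a digest, there is no prefix for an agent screen to display, and the last line shows that a visible four-character prefix halves the guessing work in bits for an eight-character random password.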
Source: https://sea.pcmag.com/news/20512/t-mobile-austria-is-ok-with-storing-passwords-partly-in-clear-text
Posted by: gasshatry1988.blogspot.com