[HN Gopher] Major Toronto Utility Company Stores Customers' Pass...
___________________________________________________________________
Major Toronto Utility Company Stores Customers' Passwords in Plain
Text
Author : oneturkmen
Score : 37 points
Date : 2024-09-23 21:48 UTC (1 hours ago)
(HTM) web link (old.reddit.com)
(TXT) w3m dump (old.reddit.com)
| 486sx33 wrote:
| This is bad for anyone who recycles passwords. Most everyone I
| guess.
|
| I'm sure they aren't the only company to do so
|
| I don't think having an online account with your utility provider
| is required or smart. Good old postal mail is the way.
| pinkmuffinere wrote:
| Paying by checks through the mail is so annoying and difficult
| to stay on top of. I can't understand how you would prefer that
| approach in general -- is there some strategy here that I'm
| missing? Or is it that you open mail always immediately when
| you receive it, and minimize changes in address / vacations?
|
| My strategy is to have a "disposable" password that you use for
| low-value purposes, like paying utilities. I assume this
| password is public knowledge, and accept that if somebody has
| it they can do such nefarious things as... pay my utilities
| bill.
| mikestew wrote:
| My guess as to what OP means: postal mail, as in, mail me my
| bill. And then pay electronically through your bank, not the
| company's online portal. At least that's the way I do it.
| fragmede wrote:
| Do you really want to bank on your utility to have their shit
| figured out so you don't pay the utility bill for your whole
| town? Even if you do entirely get it resolved, that seems
| like extra hassle when you could just... use a password
| manager.
| pinkmuffinere wrote:
| That's fair, a password manager would be a good (and likely
| better) alternative. The only reasons I haven't made the
| switch:
|
| 1. Even password managers are unreliable, and I don't like
| the idea of storing _all_ my passwords with a single
| service which may be hacked. I suppose I could just store a
| subset of my passwords, but that eliminates a lot of the
| convenience
|
| 2. Even at its most convenient, I still find password
| managers somewhat annoying. Copy-pasting is disabled on
| many login forms, so I often would have to manually type an
| unfamiliar password. And when I'm not using my personal
| laptop I have to "log in twice" to complete a single
| intended login - this has historically been fairly common
| for me, though maybe less common recently
| vouaobrasil wrote:
| Great. Now all I need is someone to hack my account and pay my
| electricity bill for me.
| deathanatos wrote:
| I think the vector I'd be more worried about here is that
| someone does a database dump of usernames & passwords, and then
| proceeds to use that data for credential stuffing. The hygiene
| of users being on average probably "not great", that would
| probably lead to subsequent compromise down the line, of things
| more valuable than the electric company's account.
|
| But, IDK, if they're storing passwords in the clear --
| something so trivial to get right, and so obviously not best
| practice -- I'd also be wondering if the user's bank account
| routing & account numbers aren't in that same database
| table...? I can imagine some damage from that.
| thrill wrote:
| This should be a criminal offense at this point.
| hooverd wrote:
| Who are you prosecuting?
| gleenn wrote:
| I believe they're suggesting the people storing the plaintext
| passwords. Who else would it be?
| hooverd wrote:
| I guess there's no one person to hold accountable. They
| probably just get a small fine and move on.
| cs702 wrote:
| The thing is probably running on decades-old code that makes
| common security practices (like storing only salted hashes of
| passwords) hard.
|
| I wouldn't be surprised if there's code in there written in old-
| style mainframe COBOL or even (gasp) RPG.
|
| Sigh.
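As an added example (not code from Toronto Hydro or any commenter), the plaintext storage the thread is about beside the salted-hash form cs702 refers to; the two stores, users and passwords are constructed:

```python
# Plaintext storage beside the salted-hash form cs702 mentions. Added example,
# not code from any utility's system; the two stores and users are constructed.
import hashlib
import hmac
import os

# Defective store: the secret is written as-is, so a table dump is a
# password list and a login check is a plain string comparison.
PLAINTEXT_STORE = {}

def store_plaintext(user, password):
    PLAINTEXT_STORE[user] = password

def verify_plaintext(user, password):
    return PLAINTEXT_STORE.get(user) == password

# Hardened store: a fresh random salt per user and a memory-hard KDF
# (scrypt from the standard library; argon2 is the usual choice when a
# third-party library is acceptable). A dump yields only salts and digests,
# and two users with the same password get different records.
HASHED_STORE = {}
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # about 16 MiB per verification

def _derive(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)

def store_hashed(user, password):
    salt = os.urandom(16)
    HASHED_STORE[user] = (salt, _derive(password, salt))

def verify_hashed(user, password):
    record = HASHED_STORE.get(user)
    if record is None:
        return False
    salt, digest = record
    # constant-time compare so timing does not leak how much of the digest matched
    return hmac.compare_digest(_derive(password, salt), digest)

def dump_reveals(store, password):
    """Simulate reading the raw table: is this password present verbatim?"""
    return any(value == password for value in store.values())
```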
| CamelCaseName wrote:
| Toronto Hydro isn't just "a major utility company"
|
| It is entirely government owned and the largest electricity
| provider in the province.
| ojbyrne wrote:
| [delayed]
| ckcheng wrote:
| There was this alleged Alberta AHS privacy breach:
|
| https://old.reddit.com/r/alberta/comments/1c7lk3z/ahs_privac...
|
| Don't know if that went anywhere... anyone know?
| Me000 wrote:
| Why is this a big deal? Hiring a contractor is 100% more insecure
| than this. I'm not recommending you do it, but it's basically
| just people celebrating they know how to do this, but it's
| actually never been exploited once in human history. Yet big
| brain security people trust contractors to write code and nobody
| bats an eye.
| er4hn wrote:
| This is an attack called "credential stuffing" and the OWASP
| page for it has multiple examples of it being used in the real
| world: https://owasp.org/www-community/attacks/Credential_stuffing.
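An added example (not from OWASP, the post or any commenter): the credential-stuffing pattern deathanatos and er4hn describe, flagged from the defender's side over constructed login-log lines; the log format, IP addresses and thresholds are assumptions made here:

```python
# Credential-stuffing detector over web-login logs (added example; the log
# format, sample lines and thresholds are constructed, not from any real system).
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed: 203.0.113.7 cycles through many accounts (one hit, the rest
# failures); 198.51.100.5 is one user mistyping twice, then succeeding.
SAMPLE_LOG = """\
2024-09-23T21:00:01 ip=203.0.113.7 user=alice result=fail
2024-09-23T21:00:02 ip=203.0.113.7 user=bob result=fail
2024-09-23T21:00:02 ip=203.0.113.7 user=carol result=ok
2024-09-23T21:00:03 ip=203.0.113.7 user=dave result=fail
2024-09-23T21:00:04 ip=203.0.113.7 user=erin result=fail
2024-09-23T21:00:05 ip=203.0.113.7 user=frank result=fail
2024-09-23T21:00:10 ip=198.51.100.5 user=grace result=fail
2024-09-23T21:00:20 ip=198.51.100.5 user=grace result=fail
2024-09-23T21:00:30 ip=198.51.100.5 user=grace result=ok
"""

def parse(log):
    """Yield (timestamp, ip, user, result); lines in another format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, fail_ratio=0.6):
    """Flag IPs that try >= min_users distinct accounts inside `window` with a
    failure share >= fail_ratio. Returns {ip: sorted usernames in that window}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over this IP
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(r == "fail" for _, _, r in chunk)
            if len(users) >= min_users and fails / len(chunk) >= fail_ratio:
                flagged[ip] = sorted(users)
                break
    return flagged
```

A single successful login inside the burst (carol above) is exactly what a stuffing run looks like from the server side, which is why the heuristic keys on distinct usernames and failure share rather than on failures alone.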
| hooverd wrote:
| I wonder if they in-housed this or paid some external contractor
| obscene amounts of money for it?
| iinnPP wrote:
| This is a misunderstanding. The CS agent has access to a
| plaintext (security question) password that can be used under
| special circumstances. It must be readable to function.
| Ladyady wrote:
| Nice try, Toronto Hydro
| iinnPP wrote:
| I made no such claim. I merely have knowledge of the exact
| system in question.
| hooverd wrote:
| Which really should not be the same!
___________________________________________________________________
(page generated 2024-09-23 23:00 UTC)