RE: Comcast storing WiFi passwords in cleartext?

[Benjamin Sisco <bsisco () justassociates com>]

On 4/24/ 2019 10:34 AM, Seth Mattinen wrote:

> That's looking at it from a technical perspective when it isn't a technical problem. People that buy "includes wifi" 
> from their ISP often need extreme amounts of help with it, and thus the wifi credentials are stored and transmitted 
> in plain text for tech support reasons.

While I agree that the underlying need is to provide fast and effective customer service - it is ultimately a technical 
problem.  As it's been pointed out in subsequent posts WiFi is the leading cause of customer calls to an ISP offering 
the service.  Security and "ease of use" are often at odds with each other, and implementing the former with the latter 
is the challenge many of us wake up to each and every day.  The information should be encrypted at rest and in transit 
and could easily be decrypted by the CSP platform for use by customer support staff at the time of need when cusetomers 
call in - which would address the concern.

In my experience, bad practice is easily replicated.  What else is transmitted in cleartext?  Today it's the WiFi 
password, tomorrow it's your login, port forwarding, DMZ, and other details that are far more useful to a remote 
attacker than your WiFi password.




-----Original Message-----
From: NANOG <nanog-bounces () nanog org> On Behalf Of Seth Mattinen
Sent: Wednesday, April 24, 2019 10:34 AM
To: nanog () nanog org
Subject: Re: Comcast storing WiFi passwords in cleartext?

Notice: This message originated outside of Just Associates. Verify the source & exercise caution with links and 
attachments.

On 4/24/19 8:13 AM, Benjamin Sisco wrote:
> The bigger concern should be the cleartext portion of the subject.  There’s ZERO reason to store or transmit any 
> credentials (login, service, keys, etc.), in any location, in an unencrypted fashion regardless of their perceived 
> value or purpose.  Unless you like risk.


That's looking at it from a technical perspective when it isn't a technical problem. People that buy "includes wifi" 
from their ISP often need extreme amounts of help with it, and thus the wifi credentials are stored and transmitted in 
plain text for tech support reasons.

~Seth
Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privi­leged 
information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby 
notified that you have received this communication in error and that any review, disclosure, dissemination, 
distribution or copying of it or its contents is prohibited. If you have received this communica­tion in error, please 
notify me immediately by replying to this message and deleting it from your computer. Thank you.