nanog mailing list archives
Re: Comcast storing WiFi passwords in cleartext?
From: William Herrin <bill () herrin us>
Date: Wed, 24 Apr 2019 17:04:22 -0700
On Wed, Apr 24, 2019 at 9:10 AM Benjamin Sisco <bsisco () justassociates com> wrote:
There’s ZERO reason to store or transmit any credentials (login,
service, keys, etc.),
in any location, in an unencrypted fashion regardless of their perceived
value or
purpose. Unless you like risk.
Risk is threat times vulnerability times impact. No impact, no risk. For example, if the credentials for my grocery store loyalty card are compromised, I do not actually care. It has no impact. Hence failing to encrypt the card number as it transits the store network or sits in their database carries no risk. There can be, on the other hand, substantial costs associated with using encryption. Key management infrastructure. Manpower. Business risk: loss of the keys becomes loss of the data. Mistakes yield service outages that impair business operations. Forgot to renew that key? Gotta close the store until the IT guy gets here because the cash registers don't work. These costs tie to the use of encryption regardless of the risk it mitigates. I take no position on what risk the comcast wifi passwords issue carries. I'm posting only to point out that an absolutist model which says, "stuff of type X must always be encrypted," is probably not well tuned to the customer's actual security needs. The generally accepted principle is that if you spend more money mitigating the risk than the attributable cost of the risk then you're doing it wrong. Regards, Bill Herrin -- William Herrin ................ herrin () dirtside com bill () herrin us Dirtside Systems ......... Web: <http://www.dirtside.com/>
Current thread:
- Re: Comcast storing WiFi passwords in cleartext?, (continued)
- Re: Comcast storing WiFi passwords in cleartext? Saku Ytti (Apr 26)
- Re: Comcast storing WiFi passwords in cleartext? Rich Kulawiec (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? K. Scott Helms (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? James R Cutler (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Mike Bolitho (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Töma Gavrichenkov (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Valdis Klētnieks (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Töma Gavrichenkov (Apr 26)
- Re: Comcast storing WiFi passwords in cleartext? K. Scott Helms (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Valdis Klētnieks (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Mike Bolitho (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Royce Williams (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Stephen Satchell (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Töma Gavrichenkov (Apr 26)
- Re: Comcast storing WiFi passwords in cleartext? Rich Kulawiec (Apr 26)
- Re: Comcast storing WiFi passwords in cleartext? Töma Gavrichenkov (Apr 26)