• subignition@fedia.io
    arrow-up
    130
    ·
    1 day ago

    Are we gonna gloss over the fact that the EEOC was storing plaintext passwords? Fucking incompetent

    • orclev@lemmy.world
      English
      arrow-up
      56
      arrow-down
      1
      ·
      1 day ago

      Yeah, and whoever designed that system needs to be fired. 40 years ago you could maybe call it a reasonable mistake (although it wasn’t really acceptable even back then), but these days anyone storing plaintext passwords anywhere is bordering on criminal negligence. Unless you have a damned good reason, passwords should be hashed, but at a minimum at least encrypted with something reasonably secure.

      • PlantJam@lemmy.world
        English
        arrow-up
        33
        ·
        1 day ago

        I would argue that there is no such thing as a good reason to store plain text passwords.

        • SeductiveTortoise@piefed.social
          English
          arrow-up
          5
          ·
          1 day ago

          They are not saying that you should have a good reason to store plain text, but to have a good reason not to hash, but only to encrypt.

        • TeddE@lemmy.world
          English
          arrow-up
          1
          ·
          24 hours ago

          I’m comfortable with boot having either a plaintext key or two key halves to XOR together, used to unlock the base OS. I honestly don’t trust a TPM to store this, and as long as the OS is designed to guard the key from all but root, I don’t see any security issue.

      • stoly@lemmy.world
        English
        arrow-up
        6
        ·
        1 day ago

        I’d like to say that nobody cared about security even 25 years ago, but in government, they have ALWAYS cared about security.

      • Soulphite@reddthat.com
        English
        arrow-up
        3
        ·
        1 day ago

        If it was anyone hired by the current administration to be the security software engineer, I’d imagine it being someone severely underqualified with some kind of reality TV, media background who probably only mentioned “I stayed at a Holiday Inn last night…” when asked if they had any security authentication background. The interviewer probably just got a grand kick out of that response and after an intense belly laugh said, “Fuck it, you’re hired!”