Clarifying Password Security at Fon

Recently, there has been speculation regarding the security of Fon passwords. Here at Fon, we take security very seriously and we keep all of our customers’ information securely stored at all times.

Firstly, Fon does not hold the passwords of all of its users in its database. In fact, many of our users who are part of the Fon community through one of our telco partners have their passwords stored by those partners (their ISP or mobile operator). When this is the case, Fon has no access to the passwords at all, as they are not stored in Fon’s database.

Additionally, the passwords that Fon does manage are divided into numerous systems and platforms that do not share the same database or structure.

Rest assured that Fon does manage its passwords in a secure way. In keeping with industry best practice, we are aware that storing hashes or digests of passwords is considered better than encrypting them. Fon identified this possible improvement some time ago and has already applied this change to some of its user types. Other users are being migrated gradually. This is by no means a security issue, as regardless of how the information is kept, it is kept safe.
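The distinction the paragraph above draws (storing a salted, iterated hash of a password instead of an encrypted copy of it) and the gradual migration it mentions, shown as an added example in Python. This is illustrative code written for this page, not Fon's code; it assumes an in-memory user dictionary, a hypothetical `legacy_verify` callback for whatever the old storage scheme was, and a record format and iteration count chosen here.

```python
"""Added example: salted PBKDF2 password records with migrate-on-login.

Illustrative code for this page, not Fon's. Assumptions: a plain dict as the
user store, PBKDF2-HMAC-SHA256 from the standard library, a record format
and iteration count chosen for this example, and a hypothetical
legacy_verify(password, record) callback that checks records from the old
scheme (this code never needs to know how that scheme worked).
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # cost chosen for this example; tune to your hardware budget
SALT_BYTES = 16
DK_LEN = 32
PREFIX = "$pbkdf2-sha256$"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table cannot be reused across accounts.
    Nothing in the record lets the server recover the password.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return PREFIX + "{}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        _, alg, iters, salt_b64, dk_b64 = record.split("$")
        if alg != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:  # malformed record, bad base64 or non-integer cost
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True for records from the old scheme or hashed below the current cost."""
    if not record.startswith(PREFIX):
        return True
    try:
        return int(record.split("$")[2]) < iterations
    except (IndexError, ValueError):
        return True


def login_and_migrate(users: dict, username: str, password: str, legacy_verify) -> bool:
    """Check a login; on success, upgrade a legacy or under-cost record in place.

    The server only ever sees the plaintext at login time, which is why a
    migration to hashed storage proceeds gradually, one successful login at a time.
    """
    record = users.get(username)
    if record is None:
        hash_password(password)  # spend the same time as a real check so timing does not reveal absent users
        return False
    if record.startswith(PREFIX):
        ok = verify_password(password, record)
    else:
        ok = legacy_verify(password, record)  # hypothetical check for the old scheme
    if ok and needs_rehash(record):
        users[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample store: one user still on a made-up legacy format.
    users = {"alice": "legacy:hunter2"}
    legacy_verify = lambda pw, rec: rec == "legacy:" + pw
    print("wrong password:", login_and_migrate(users, "alice", "nope", legacy_verify))
    print("right password:", login_and_migrate(users, "alice", "hunter2", legacy_verify))
    print("record after migration:", users["alice"])
    print("verifies again:", verify_password("hunter2", users["alice"]))
```

An encrypted password store is only as safe as the decryption key, and whoever obtains both the database and the key recovers every password at once; the hashed record above lets the server answer "is this the right password?" without ever being able to answer "what is the password?". The `legacy_verify` callback stands in for the old scheme precisely so that the new code does not depend on it.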

If you have any questions or concerns regarding your password safety, please feel free to contact our customer care team for further information about Fon’s password safety. To further increase your internet safety, we recommend that you always have a different password for each website or online service that you subscribe to.


4 Comments

  1. Steve
    Posted January 4, 2012 at 7:22 am

    “Additionally, the passwords that Fon does manage are divided into numerous systems and platforms that do not share the same database or structure”

    So? They are still stored. Unencrypted!

    “Rest assured that Fon does manage its passwords in a secure way.”

    No! As we can see FON does not. To store passwords unencrypted in clear text is NOT a secure way and against all known best standards.

    “we are aware that storing hashes or digests of passwords is considered better than encrypting them”

    WTF? FON does NOT use hashes or digests and does NOT encrypt. So comparing two ways of securely handling passwords but not using both – sounds quite misleading.

    “Fon has identified this possible improvement some time ago, and has already applied this change to some of its user types. Other users are being migrated gradually”

    Ah, now we are talking: Yes, this should be done much earlier. And I have no idea why this takes so long – migrating a few million passwords should take less than a day – if planned properly.

    An apology and a clear timeframe for the migration would have been much more credible. This looks like an awkward excuse…

  2. Wes
    Posted January 4, 2012 at 2:19 pm

    In keeping with industry best practice, we are aware that storing hashes or digests of passwords is considered better than encrypting them.

    If you use hashes or digests you ARE encrypting them.

  3. Dan
    Posted January 5, 2012 at 11:36 am

    At no point in the article did Fon say they are not encrypting passwords, they acknowledged they could be using one-way hashes and are working on migrating their systems to do so, but it is clear they are not storing them in plain text.

    From reading this in a level-headed way, it is clear they are using something along the lines of Blowfish encryption – where the passwords are decryptable but not plain text, nor easily breakable without the encryption key. It may not be the *most* secure way possible, but it is secure.

  4. Steas
    Posted January 13, 2012 at 3:06 pm

    The title suggests that after reading, one would have a clearer understanding of how password security is handled at FON. Not so.

    - Are any passwords stored in plain text?
    - What proportion of passwords are stored in (a) plaintext, (b) encrypted, (c) not stored but hash/digest is?
    - Is there a minimum standard that Fon partners must implement? If yes, what is it? If no, why the hell not?
    - When exactly did the “Store the hash only” project begin and, when will it be complete?

2 Trackbacks

  1. [...] After the confusion caused yesterday, the wireless internet sharing community Fon came out publicly to clarify whether or not it uses insecure tactics to store user passwords. A representative of the company in Brazil sent me a message letting me know that Fon had published a response to the criticism on its official blog. [...]
