World's Largest Wi-Fi Network Keeps Passwords in Plain Text

Have you ever heard about FON Community? I will be surprised if your answer is "no". It's world's largest Wi-Fi network with over 4 million users, as they claim on their website. The idea behind it is pretty simple - you agree to share a fraction of your Wi-Fi signal with the community and in exchange you can access any other Wi-Fi router in the community - with over 4 million users in the network around the world it gives you a pretty good alternative to internet cafe's/hotel internet if you're travelling or want to work from park on a nice sunny day.

Check out their coverage map, it's pretty impressive, at least in UK: http://maps.fon.com/

Ok, ok, why are you telling me all this?

I'm a member of FON Community myself and recently was trying to log into my account, without luck. I used "Forgotten password" option that is available on pretty much any website that stores users' credentials. I typed my email address and was expecting to receive an email with randomly generated string as my new password. What I found in my mailbox instead?

It was my old password in plain text! I love the network and use it quite often, but still can't believe that they keep passwords of 4 million of their users in format that can be easily accessed in (or decrypted to) plain text - something I would expect from a complete amateurs that never gave a single thought to password protection. Shame on you, FON.

I urge you to change your password

if you're also a member of FON Community. We've read enough about websites that keep passwords in plain text. It's yet another reason to generate unique credentials to each web service we use and store them in some safe place, like 1Password or change the way we're accessing them, eg. using QR codes.

This post is on Hacker News and Reddit. Join discussion: Hacker News link Reddit link

If you read this far, you should follow me on Twitter.

World’s Largest Wi-Fi Network Doesn't Keep Passwords in Plain Text Anymore - or does it?

It's a continuation of a story from a few months ago; FON, claiming to be world's largest Wi-Fi network, also committed the largest crime against password protection: keeping passwords in plain text / reversible form and sending them in plain text via email, if you used 'forgotten password' feature.

Looks like FON doesn't keep passwords in plain text anymore, or (which is unfortunately more likely) just changed the way how "forgotten password" feature works. Either case, FON is not going to send you your old password in an email, if you happen to forget it.

It's great to see a progress in this space, but would be even better to get a reply from FON: 

@fon I see you send reset links instead of plain text passes now, but what about passwords on your servers? Still plain text/reversible?

— Peter Legierski (@PeterLegierski) August 16, 2012

You can also read: How to understand half of Harry Potter book in any given language How to increase productivity per square inch of your screen Logging in with QR codes