Password Security at Fon
Published by MartinVarsavsky.net in Fon with No Comments
Recently, there has been speculation regarding the security of Fon passwords. Here at Fon, we take security very seriously and we keep all of our customers’ information securely stored at all times.
Firstly, Fon does not hold the passwords of all of its users in its database. In fact, many of our users who are part of the Fon community through one of our telco partners have their passwords stored by those partners (their ISP or mobile operator). When this is the case, Fon has no access to the passwords at all, as they are not stored in Fon’s database.
Additionally, the passwords that Fon does manage are divided into numerous systems and platforms that do not share the same database or structure.
Rest assured that Fon does manage its passwords in a secure way. In keeping with industry best practice, we are aware that storing hashes or digests of passwords is considered better than encrypting them. Fon therefore identified this possible improvement some time ago and has already applied the change to some of its user types. Other users are being migrated gradually. This is by no means a security issue, as regardless of how the information is kept, it is kept safe.
If you have any questions or concerns regarding your password safety, please feel free to contact our customer care team for further information about Fon’s password safety. To further increase your internet safety, we recommend that you always have a different password for each website or online service that you subscribe to.
JB on January 23, 2012 ·
Hmmmm, Martin, it is true that hashing passwords is safer than encrypting them *IF* you use the same key to encrypt all of them in your database (trivial: anyone who could know the key will know all the passwords).
Both encrypting and hashing have different purposes (typically, when you encrypt it is because at some point you want to decrypt), and even though for password validation purposes simple hashing does the job, I wouldn’t say it is *safer* than encryption (with the above remark about chosen keys). For that purpose, it will depend on the hash function chosen vs the encryption method (hash functions MD5 and SHA128 were broken some time ago) and, more important, the protocol chosen - by protocol I mean all the steps you take to complete your procedure (like not using the same key for all encryptions, or comparing the two tokens hashed or encrypted instead of decrypting the stored one, etc.).
So, in a few words, if you are currently storing the passwords encrypted all with the same key, yes, please, change the security protocol.
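The contrast the statement draws between hashing and encrypting stored passwords, together with JB's point about comparing hashed tokens rather than decrypting the stored one, as an added example that is not Fon's code: Scheme A keeps every password reversible under one site-wide key, Scheme B stores a salted PBKDF2 digest and verifies by recomputing it. The XOR keystream, the key and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# --- Scheme A: every password encrypted under one site-wide key -----------
def _xor_with_key(key: bytes, salt: bytes, data: bytes) -> bytes:
    # Toy XOR keystream derived from the key and a per-record salt
    # (constructed for illustration only; the flaw shown is the shared
    # key, not the strength of the cipher).
    stream = hashlib.sha256(key + salt).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def encrypt_record(key: bytes, password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "ct": _xor_with_key(key, salt, password.encode())}

def recover_all(key: bytes, records: list) -> list:
    # Whoever holds the one key (an operator, or anyone with a database
    # backup plus the leaked key) reads every password in the table at once.
    return [_xor_with_key(key, r["salt"], r["ct"]).decode() for r in records]

# --- Scheme B: salted, iterated hash; nothing stored is reversible --------
ITERATIONS = 100_000  # demo value; production deployments use a higher count

def hash_record(password: str) -> dict:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}

def verify(record: dict, candidate: str) -> bool:
    # Recompute the digest for the candidate and compare the two digests in
    # constant time; the stored value is never "decrypted".
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

if __name__ == "__main__":
    site_key = b"one-key-for-the-whole-database"  # constructed sample key
    table_a = [encrypt_record(site_key, p) for p in ("hunter2", "letmein")]
    print("Scheme A, key holder recovers:", recover_all(site_key, table_a))
    table_b = [hash_record(p) for p in ("hunter2", "letmein")]
    print("Scheme B, 'hunter2' accepted:", verify(table_b[0], "hunter2"))
    print("Scheme B, 'hunter3' accepted:", verify(table_b[0], "hunter3"))
```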