
Three buys O2 and will now control 40 per cent of Ireland's mobile market

The deal has been announced by Telefonica, the parent company of O2 Ireland, this morning.

THE MOBILE PHONE operator Three has bought O2's Irish operation from Telefonica for around €850 million, it has been announced this morning.

The sale was announced by the Spanish mobile giant Telefonica, O2's owner, which said that it has sold the operation to Three, the Irish subsidiary of Hutchison Whampoa.

The deal means that O2 will no longer exist, with Robert Finnegan, CEO of Three Ireland, telling Newstalk’s Breakfast programme that the O2 branding will disappear once the deal is complete.

The sale is subject to competition approvals at an EU level, with €780 million paid up front and a further €70 million dependent on the achievement of “agreed financial objectives”, according to Telefonica.

The sale means that Three and O2 combined will control around 37.5 per cent of the Irish mobile phone network and will have around two million active users.

124 Comments
    Barry O'Brien
    Jan 12th 2014, 11:32 AM

    Who the hell is Ronan Murphy? Why not get someone who actually knows about security to comment? Ireland has a relatively large and knowledgeable infosec community who could give good advice, unlike Mr. Murphy who doesn’t know what he is talking about.

    First, storing a password as md5 hash is not much better than plaintext. Md5 is broken and trivial to crack. Passwords should at minimum be hashed using sha256 (preferably sha512) then salted with a random value, then hashed again. That is a minimum.

    Secondly, md5 is not encryption. It is hashing. Hashes are used for verification and retain none of the original information.

    29
    Robin Hilliard
    Jan 12th 2014, 12:16 PM

    Was going to say the same thing. Can’t believe that somebody in 2013 is still recommending using an MD5 hash, especially when they appear to think it’s an encryption algorithm.

    // sheesh

    21
    Barry O'Brien
    Jan 12th 2014, 12:30 PM

    I just had a look at his profile. It seems he’s the CEO of an MSP. I wonder why he didn’t get one of his engineers to comment? His comment doesn’t inspire much confidence in his company as a security provider.

    15
    Richard
    Jan 12th 2014, 9:10 AM

    Better go cash in my 1 billion worth of prize bonds… oh wait, that was a dream :-(

    24
    Colm A. Corcoran
    Jan 12th 2014, 10:03 AM

    Limited budget resources is no excuse. They just need a line of code to hash new passwords and another line to hash passwords when logging in. Then prepare a script to convert all previous passwords. I could almost do that for free.

    20
    Rehabmeerkat
    Jan 12th 2014, 10:37 AM

    How do you know that’s not happening but with reversible encryption?

    1
    Barry O'Brien
    Jan 12th 2014, 10:58 AM

    You’re not supposed to encrypt passwords. You’re supposed to hash them. Hashing is not reversible. Encryption is.

    14
    Colm A. Corcoran
    Jan 12th 2014, 11:27 AM

    I don’t, but if they are they shouldn’t. Nevertheless the solution is much the same except with two extra steps, remove the encryption code and decrypt all existing passwords before hashing them.

    And yes, it is bad design, because regardless of what they’re doing behind the scenes, being able to return a user’s existing password is an indication that the password is easily accessible. They are not using md5 and dehashing it as that requires brute forcing it, even if they were I’d be inclined to fire the developer for eating up all the server resources for that.

    All it requires is one other careless overlook on security, such as an sql injection weakness, and bingo, anyone who can write sql can get all the user passwords because they weren’t hashed.

    10
    TK Maxx To Castlebar
    Jan 12th 2014, 12:17 PM

    Oop I didn’t even know I had a password?? I thought I just got a letter in the post if I won ………

    13
    Rehabmeerkat
    Jan 12th 2014, 10:35 AM

    This article is an absolute load of horseshite. The fact that they email you your password is simply bad design and easily remedied by simply sending a reset link.

    However it does not mean that it is stored in plain text. To check that your password is correct it has to be compared to the original.

    Also md5 can be decrypted back to the original. Or maybe they store they have a master encryption key.

    Journalists shouldn’t write this waffle…..

    It IS POSSIBLE to hack every website…….

    12
    Rehabmeerkat
    Jan 12th 2014, 10:38 AM

    Btw md5 is not random

    2
    Aunty Simmonite
    Jan 12th 2014, 11:30 AM

    So are you saying that people are not getting their passwords sent by email? Never mind the ifs and buts and what should be done because we know that already, the article points out that our pals at the National Treasury Management Agency don’t know so maybe you should help them out.

    5
    Robin Hilliard
    Jan 12th 2014, 12:25 PM

    @Rehabmeerkat, the point of using salted hashes is that the backend code compares hashes to validate passwords, rather than comparing candidate passwords with the original password. Neither can MD5 “be decrypted back to the original”. Instead, it’s possible, with some work, to find message text which hashes to the same MD5 hash value which is equivalent if the backend code is comparing hashes. Finally, it’s unclear what you mean when you say “they store they have a master encryption key” since MD5 is a hashing algorithm which does not use keys, rather than an encryption algorithm which does (or, are you referring to storing passwords enciphered under a master key, rather than hashing them and comparing hashes? If so, that’s still lousy security practice).

    10
    Tom Brennan
    Jan 12th 2014, 1:02 PM

    MD5 can be reversed via rainbow tables, check http://md5decryptor.co.uk to see it

    4
    Barry O'Brien
    Jan 12th 2014, 2:15 PM

    That’s technically not reversed. Theoretically there is an infinite number of collisions and you are just finding one by brute force. But when talking about hashed passwords generally the first result is the password.

    5
    Peace for All
    Jan 12th 2014, 11:18 AM

    Yet the Bank Guarantee letters weren’t stored in plain text, …. Or were they….

    7
    oneSafe
    Jan 13th 2014, 2:31 AM

    @NickyRyan_ Thanks for this insightful (although a bit scary) article!

    I have to confirm unfortunately that the fact that passwords have been sent via email does mean that they’re stored in plain text or equivalent (maybe encrypted with the key stored not far from there).

    Usually, as Robin Hilliard mentioned, instead of comparing passwords, systems should compare “hashes” obtained from these passwords, using a complex hash function. MD5 which is mentioned shouldn’t be used in that case as it can be easily reversed using rainbow tables. The way this works is fairly easy to understand: for millions of passwords, the MD5 result is pre-calculated and stored in a big table (called rainbow table). Then, it’s only a matter of looking up the MD5 result to derive the password.

    The proper way to secure these passwords will be to use salted hash: that means that each password is hashed using a unique “salt”.

    2
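
An added example, not part of the original comments and not code from any system discussed in them: it shows the precomputed-table lookup described in the comment above defeating unsalted MD5, next to per-user salted hashing with hash comparison at login and the one-off conversion of an existing plaintext store suggested earlier in the thread. The choice of PBKDF2-HMAC-SHA512, the iteration count, all function names and the sample users are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune for your hardware

def md5_unsalted(password):
    """The weak scheme from the thread: equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(candidates):
    """Precompute MD5 for a candidate list, mapping hash -> password."""
    return {md5_unsalted(p): p for p in candidates}

def hash_password(password, salt=None):
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare hashes in constant time."""
    try:
        rounds, salt_hex, digest_hex = stored.split("$")
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False  # a malformed record never authenticates
    return hmac.compare_digest(actual, expected)

def migrate_plaintext(users):
    """One-off conversion of a plaintext store to salted hashes."""
    return {name: hash_password(pw) for name, pw in users.items()}

# Constructed sample data: two users who happened to pick the same password.
PLAINTEXT_USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}

if __name__ == "__main__":
    table = build_lookup(["123456", "password", "letmein"])
    leaked = {u: md5_unsalted(p) for u, p in PLAINTEXT_USERS.items()}
    # Unsalted MD5: one table lookup recovers every user with a listed password.
    print({u: table.get(h) for u, h in leaked.items()})
    migrated = migrate_plaintext(PLAINTEXT_USERS)
    # Salted: identical passwords no longer share a stored value.
    print(migrated["alice"] != migrated["bob"])
    print(verify_password("letmein", migrated["bob"]))
```

After migration the server holds nothing it could email back to the user, so account recovery has to go through a reset link.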
    Ray Donaghy
    Jan 12th 2014, 12:05 PM

    It’s not too late to burn these Bondholders.

    1