Debian 8 still stores WIFI passwords in plain text.

Posted: August 4, 2015. At: 12:01 PM. This was 2 years ago. Post ID: 8298

The /etc/NetworkManager/system-connections directory in Debian and Ubuntu stores files that are named after the WIFI networks your machine has connected to. Each file contains the password for that wireless network in plain text.

Here is a sample file.

[connection]
id=detportal
uuid=539c7711-95ba-4f0a-8797-33d32ec779d7
type=802-11-wireless
 
[802-11-wireless]
ssid=detportal
mode=infrastructure
security=802-11-wireless-security
 
[802-11-wireless-security]
key-mgmt=wpa-psk
psk=detportal
 
[ipv4]
method=auto
 
[ipv6]
method=auto
ip6-privacy=2

The user of a machine does need to be root to access these files, but any user with sudo access is allowed to cat them and read the passwords. This needs to be fixed. Perhaps the connections should be stored in the home folder of the user that is making the connection and obfuscated somehow, maybe by hashing the password. Windows 7 stores passwords for WIFI as a hash. This is more secure. Network Manager could do the same thing. This would improve the security of Linux when using Network Manager.
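An added example (not part of the original post): a small Python audit of keyfiles in the format shown above that reports whether a psk is stored in the file and whether the file is readable by anyone other than its owner, without ever returning the secret. The psk-flags setting and the 64-hex-digit key form are NetworkManager keyfile features; the function names and sample data are constructed for illustration.

```python
import configparser
import os
import re
import stat
import tempfile

# Constructed sample in the keyfile format shown on this page (not a real network).
SAMPLE = """\
[connection]
id=detportal
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=detportal
"""

def audit_keyfile(path):
    """Report how one keyfile stores its Wi-Fi secret, without returning the secret."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    sec = "802-11-wireless-security"
    psk = cp.get(sec, "psk", fallback=None)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # 64 hex digits is the derived 256-bit key; anything else is the raw passphrase.
    is_hex_key = bool(re.fullmatch(r"[0-9a-fA-F]{64}", psk or ""))
    return {
        "id": cp.get("connection", "id", fallback=os.path.basename(path)),
        "psk_on_disk": psk is not None,
        "raw_passphrase": psk is not None and not is_hex_key,
        # psk-flags: 0 = saved in this file, 1 = held by the user's secret agent
        "psk_flags": cp.getint(sec, "psk-flags", fallback=0),
        "mode": oct(mode),
        "readable_by_others": bool(mode & 0o077),
    }

def audit_dir(directory):
    """Audit every regular file in a system-connections style directory."""
    paths = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    return [audit_keyfile(p) for p in paths if os.path.isfile(p)]

if __name__ == "__main__":
    # Demo on a temporary copy of the constructed sample with a too-open mode.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "detportal")
        with open(p, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(p, 0o644)
        print(audit_dir(d))
```

A 64-hex-digit psk hides the passphrase itself but is still enough to join that one network, so the file permissions matter in either case.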
