Debian 8 still stores WIFI passwords in plain text.

The /etc/NetworkManager/system-connections directory in Debian and Ubuntu stores files named after the WIFI networks you have connected to. These files contain the passwords for those wireless networks.

Here is a sample file.

[connection]
id=detportal
uuid=539c7711-95ba-4f0a-8797-33d32ec779d7
type=802-11-wireless
 
[802-11-wireless]
ssid=detportal
mode=infrastructure
security=802-11-wireless-security
 
[802-11-wireless-security]
key-mgmt=wpa-psk
psk=detportal
 
[ipv4]
method=auto
 
[ipv6]
method=auto
ip6-privacy=2

A user does need to be root to access these files, but any user with sudo access is allowed to cat these files and read the passwords. This needs to be fixed. Maybe the connections should be stored in the home folder of the user that is making the connection and obfuscated somehow, maybe by hashing them. Windows 7 stores passwords for WIFI as a hash. This is more secure. Network Manager could do the same thing. This would improve the security of Linux when using Network Manager.
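
An added example (not part of the original post, and not Network Manager's own code): a small Python audit that reports which connection files hold a non-empty secret and whether group or others have any access to them, without ever printing the secret itself. The function names and the list of secret key names are choices made for this example, and the sample input is the file shown above, trimmed.

```python
import configparser
import os
import stat

# Secret-bearing key names per section (a subset chosen for this example).
SECRET_KEYS = {
    "802-11-wireless-security": ("psk", "wep-key0", "leap-password"),
    "802-1x": ("password", "private-key-password"),
}

# Constructed sample: the keyfile shown in the post, trimmed.
SAMPLE = """\
[connection]
id=detportal
type=802-11-wireless
[802-11-wireless-security]
key-mgmt=wpa-psk
psk=detportal
"""


def find_plaintext_secrets(text):
    """Return sorted (section, key) pairs holding a non-empty secret, never the value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)  # raises configparser.Error if text is not a keyfile
    hits = []
    for section, keys in SECRET_KEYS.items():
        for key in keys:
            if cp.get(section, key, fallback="").strip():
                hits.append((section, key))
    return sorted(hits)


def mode_is_private(mode):
    """True when group and others have no access bits set (for example 0600)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def audit_directory(path="/etc/NetworkManager/system-connections"):
    """Audit every file under path (needs root on a real system)."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            secrets = find_plaintext_secrets(fh.read())
        report[name] = {"secrets": secrets, "private": mode_is_private(os.stat(full).st_mode)}
    return report
```

Calling audit_directory() as root returns a dictionary keyed by file name; any entry with a non-empty "secrets" list is a connection whose password sits in the file in plain text.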
