by davedx 2209 days ago
No you can't assume that, someone in the reddit chat had a more reasonable explanation:

- password goes through filter check onSubmit and some flag is set on the account immediately, it's added to a queue, pw is hashed and stored

- "account moderation" worker picks up task from its gigantic queue of Chinese accounts that need some automated action taking on them, bans account, notifies user, does whatever else needs to be done when closing an account for a service like WeChat

Edit just to remark: a lot of people commenting on this thread are making some pretty big assumptions about both what apps do do and should do with passwords.

In my experience, you can more or less say this: most companies and applications in 2020 do hash passwords before storing them in the database.

Beyond that, all bets are off.


What percentage of your net worth would you bet that the Chinese government can't access WeChat passwords?
What percentage of your net worth would you bet that the Chinese government _can_ access WeChat passwords?
I'd bet it all. The CCP is like God within the borders of China. They have omnipotence and omniscience.

To be clear, I wouldn't bet it all that the passwords are stored in plaintext. But I would bet it all that the CCP has their own special key and/or backdoor access which allows them to continue having omnipotence and omniscience while keeping pesky foreign powers out.

You'd bet it all that they're using some sort of invertible scheme to store passwords?

I doubt it. The CCP is bad, but it's also pretty rational. Doing this would just be dumb.

I mean, I'd love to double my net worth, so 100%
7%
After my initial laugh at your response, I realized 7% is about what I'd bet too.

My first foray into options trading I lost around 3% of my net worth, and I'd say I'm more than twice as confident about this than I was about that.

I'd evaluate the odds of the CCP doing something, to be in line with the odds of them benefiting from doing something, regardless of the expense/risk to their populace.

There's nothing I'd really put past them; we know for a fact they harvest organs from political dissidents, but we're skeptical about whether they'd store passwords in plaintext?

Given people tend to re-use passwords, I'd imagine having a massive trove of plaintext passwords for all Chinese citizens, or even anyone who communicates with them, would be incredibly useful.

Not to mention the fact that they have to maintain a list of anti-CCP passwords, which would be a tedious process, or they'd have to automate something to detect anti-CCP sentiment. I think an interesting experiment would be to see what less obvious anti-CCP passwords get you banned. With enough probing and data, I'd possibly increase my wager to 10%.

As a well known and outspoken critic of the CCP, she might be elevated to the status where they actually just have a person reading everything she types into WeChat 24/7. Do you think they fully staff the night shift, or would the ban have taken twice as long outside of Chinese business hours?

I am a gambler and I think this is a sure bet so 10%
Well it depends on what you mean. I'd say there's basically a 100% chance they can access your account. In a properly designed system for this, there would be a feature for allowing certain admin users to log in as an arbitrary user and access all of their information as them, without ever seeing or typing their password, so the actual password is kept secure and there are logs of which admin "ghosts" which user accounts when.

Would I bet that the Chinese Government has this properly implemented and can't access passwords once set? Yeah no way.
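The two designs sketched in this thread (davedx's onSubmit flow where a flag is set and the password is hashed, and the "properly designed" admin ghost login above), written out as an added example that is not from any post here; the in-memory stores, the `weak_password` flag and the PBKDF2 parameters are assumptions standing in for a real backend.

```python
import hashlib
import os
import secrets
import time

# Constructed in-memory stores standing in for a real database (assumption).
USERS = {}
AUDIT_LOG = []
MIN_LENGTH = 12

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (stdlib; scrypt/argon2 preferred in production).
    The plaintext is not retained anywhere once this returns."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def register(username, password):
    """onSubmit handler: the strength check runs in-process and only a boolean
    flag plus the salted hash are persisted, never the password itself."""
    weak = len(password) < MIN_LENGTH or password.lower() == username.lower()
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "weak_password": weak}
    return USERS[username]

def verify(username, password):
    """Normal login: recompute the hash and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return secrets.compare_digest(digest, rec["hash"])

def ghost_login(admin, target, reason):
    """Admin impersonation: issue a session for `target` without the password
    and record which admin ghosted which account, when, and why."""
    if target not in USERS:
        raise KeyError(target)
    AUDIT_LOG.append({"ts": time.time(), "admin": admin,
                      "target": target, "reason": reason})
    return {"session": secrets.token_hex(16), "user": target,
            "impersonated_by": admin}

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(ghost_login("admin1", "alice", "support ticket (constructed)"))
    print(AUDIT_LOG)
```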

Why would they need it? Can't they just ask WeChat if they need anything? (Including privileged access bypassing any password)
The flaw in your reasoning is that you apply western standards of what constitutes reasonable behavior.
At the very least passwords that raise that flag get saved.

Just in terms of security policies this is nuts.

Inspecting the political contents of passwords is nuts and tyranny.

Inspecting the contents of passwords at all is nuts and spectacularly bad.

Well, it's wrong, and stupid under my worldview, but from the point of view of a fascist dictatorship I can see how it seems reasonable. Catch people who think they're doing something hidden and who appear to have disdain for the state machine.

Like choosing business associates based on their politics, just at a larger scale.

> Inspecting the contents of passwords at all is nuts and spectacularly bad.

Evaluating a password's strength or complexity is incredibly routine.

That's not the same. This is deferred, and looking specifically for banned content.
Occam's razor says this is not the answer
That the password passes through any filter check other than refusal for being insufficient in strength should be a red flag to anyone. That any site would flag passwords for review should be the last flag you ever need to know not to trust the site.