Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Tax Office Stores Passwords In Clear Text

Posted by Soulskill on from the you're-doing-it-wrong dept.

mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."

84 comments

  1. Ugh by systemidx · · Score: 0, Offtopic

    The slashvertisments are getting less and less subtle these days.

    1. Re:Ugh by Tarlus · · Score: 1

      Can't tell what's being Slashvertised here...

      --
      /* No Comment */
    2. Re:Ugh by Anonymous Coward · · Score: 0

      It's costcentral.com. They also use clear text passwords, and send you the password by email.

  2. Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 4, Insightful

    Storing passwords in readable text is a bad idea for a lot of reasons

    It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust, need to pay a price for their negligence.

    But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

    1. Re:Storing plaintext passwords should be illegal by characterZer0 · · Score: 4, Funny

      encrypting them with Bcrypt [wikipedia.org] or SHA-256

      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      --
      Go green: turn off your refrigerator.
    2. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 1

      I thnk you mean "password" fields, not hidden. Hidden input fields are used to transmit all sorts of data, and rarely is it sensitive enough to warrant client-side encryption. They generally dont even carry data that was actually submitted by the user.

    3. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256.

      This would still allow attackers to log in as anyone they wanted if they got a dump of "plaintext" passwords - they would just send the hash instead.
      Bcrypt additionally includes a salt -- which is good for password storage, but means you can't compare two Bcrypt hashes to check whether they're the same password. The browser would need to use the same salt every time you logged in to a site.

      I think most users would be just as well served with a decent password manager.

    4. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      Yes, let's have the browser take care of the bcrypt step so that the website can write the result in plaintext and be fine! Brillant!!!

    5. Re:Storing plaintext passwords should be illegal by SirGarlon · · Score: 1

      It needs to be more than a bad idea: it needs to be illegal

      Yeah, because what we really need in IT are more compliance checklists and more lawyers and more absolute rules that never get revisited or updated.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    6. Re:Storing plaintext passwords should be illegal by Tarlus · · Score: 4, Interesting

      But if web developers aren't even hashing up their password db's, who's to say they'll be competent enough to employ SSL?

      --
      /* No Comment */
    7. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      Maybe you were using the word "encrypting" loosely, but Bcrypt and SHA-256 don't do encryption.

    8. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 1

      Storing passwords in readable text is a bad idea for a lot of reasons

      It needs to be more than a bad idea: it needs to be illegal[.]

      My god son, you've just made possession of Post-It Notes into a felony.

    9. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      It doesn't matter at all about the hidden fields, just make it all SSL and all the fields are encrypted. What we need is to get rid of the password field and replace it with a PKI field, allowing websites to accept a public key to set the password, and users sign the websites token to perform a login. Get rid of the idea of a password for a site entirely, and don't rely on a third party. If you never give them a password you never have to worry about them storing one.

      The DoD already does this, though they use SSL to handle it (the SSL handshake supports it, so they just have their websites locked to SSL only with a PKI cert required which means you get a prompt trying to access the page), additionally the private key can be stored on a removable smart card which generates it's own certs used for signing from that, meaning your computer never receives a copy of the private key (thus it can't be copied off the system).

    10. Re:Storing plaintext passwords should be illegal by rminsk · · Score: 1

      ...browsers should not allow "hidden" fields to be transmitted directly, instead should have a default action of encrypting them with Bcrypt or SHA-256.

      So now I steal the database of hashes that the browser transmitted. Just as good as having the plaintext. Now all I need to do is send the hash.

    11. Re:Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 2

      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      Of course there is. But that solves a different problem: a password will be encrypted in transmission, but is unencryped on the other end, so the server will still receive your form with plaintext passwords. By default, input fields of type "password" should be encrypted and only the encrytped password should be sent to the server. The server should have no access to the plaintext. They can't store what they don't have in the first place.

    12. Re:Storing plaintext passwords should be illegal by JDG1980 · · Score: 1

      Yeah, because what we really need in IT are more compliance checklists and more lawyers and more absolute rules that never get revisited or updated.

      Under what circumstances do you believe it is appropriate, or would be appropriate at any time in the future, for a website to store passwords in clear-text?

    13. Re:Storing plaintext passwords should be illegal by dkleinsc · · Score: 3, Insightful

      Yeah, because what we really need in IT are more compliance checklists

      Yes, we do, because it's abundantly clear that there are lots of IT organizations that can't meet the basic requirements of doing the job properly.

      and more lawyers

      Yes, to deal with the cases where IT organizations skimp or lie about meeting the requirements.

      and more absolute rules

      Yes, so they know when they're in compliance and when they aren't. For example, a rule that "No password may be stored in clear text." is quite absolute, and also appears to be quite necessary.

      If it weren't a financial system that everyone in Australia is required by law to use, I'd be fine with the standards being looser, because then the damage would be less.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    14. Re:Storing plaintext passwords should be illegal by blueg3 · · Score: 3, Informative

      But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

      This is why security is often so terrible: people don't know what they're talking about when it comes to security, but they throw some encryption (or in this case, hashing) at the problem and hope it solves it, like pixie dust.

      Hashing isn't encryption; encryption is reversible, while hashing isn't. There's already a system for encrypting transmissions between a browser and a Web server.

      If you hash the password before transmitting it, then the hash is simply the password. Sure, it doesn't look like "password" or "123456", but it retains all of the security problems that a plaintext password does. It provides absolutely no security benefits, but it looks better (if you don't look too hard) because you've applied some crypto, somewhere!

    15. Re:Storing plaintext passwords should be illegal by Chris+Mattern · · Score: 4, Interesting

      The problem is, I am very leery of having those who are not knowledgable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.

      "Where are your encrypted passwords?"
      "We use PKI keys, we don't have *any* passwords"
      "So you don't have any encrypted passwords?"
      "No, we don't need them."
      "Off to jail with you, then."

    16. Re:Storing plaintext passwords should be illegal by Bert64 · · Score: 2

      If you encrypt/hash the data before you send it then you no longer need the plaintext, the hash becomes the plaintext equivalent. Also any sensible passwd hashing algorithm will be salted, so you would need to leak the user's salt *before* they authenticate.

      While not illegal, many security guidelines (some of which are mandatory within certain circles) require that passwords be appropriately hashed etc... Windows generally doesn't comply with such guidelines (stores plaintext in memory, uses unsalted hash, allows hash to be used instead of plaintext) etc, so many such guidelines make special exception for windows... But anyone else has to comply, so clearly a ridiculous situation.

      So, anyone running windows is storing their user passwords in a plaintext equivalent form.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re:Storing plaintext passwords should be illegal by DickBreath · · Score: 1
      Yes, unencrypted passwords should be illegal. So use Rot-13.

      Seriously, there should probably be some minimum requirements for encryption.

      But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt [wikipedia.org] or SHA-256.

      Be careful that you can still work with older browsers. While browser improvements are great, they don't get deployed everywhere overnight. Another approach is to have some hidden fields that are part of the submitted form, and some that are not. Use Javascript to unscramble the received fields upon page load, and to re-scramble them prior to submitting back to the server. This approach may not work for general purpose websites open to the public, but works great for web based business applications where Javascript is already almost universally required.

      --

      I'll see your senator, and I'll raise you two judges.
    18. Re:Storing plaintext passwords should be illegal by characterZer0 · · Score: 1

      The user has no control over how the server hashes passwords. The user has a choice not to submit unencrypted data.

      Unless, of course, the government mandates it.

      --
      Go green: turn off your refrigerator.
    19. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      His non-working idea works in his mind, so give him a break. Everyone can do cryptography thanks to Dunning and Kruger. Then all you need for a +5 score is a catchy subject and 2 wikipedia links.

    20. Re:Storing plaintext passwords should be illegal by rtaylor · · Score: 1

      Indeed. The Hash is the plaintext password.

      Hashing a password only protects a users account on other websites when they're silly enough to use the same password on all websites.

      It also makes it damndably difficult to strengthen or change the hash if a problem is found. If you picked MD4, you're stuck with it forever.

      I don't know what the solution is but hashing the password in the DB has created as many problems as it solved for me.

      --
      Rod Taylor
    21. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      Digest authentication has solved this over a decade ago. And it actually is standard. However, no one uses it mostly because you can't log out using it. And IE had incompatible implementation that only worked with IIS. I don't know if this still is the case. However, It wouldn't require much from web browsers to add a special logout button that removes Basic Authentication as well as Digest Authentication states from sites that match the screen viewed at the time. The fact that it uses MD5 might be a problem but it would still be a lot more secure than what Australian Tax Office is doing.

      In Digest Authentication, you don't even store a password. You store a hash that is derived from a hash of your domain and has of the password. Therefore the hash is different for each domain as well. Also, password is never sent in plain-text anywhere. Not even over encrypted link. Therefore malicuous sites that collect passwords and try to use them on other sites don't get any or are easily identified as such sites. There are even methods to prevent reply attack so you can quite safely use it over regular unencrypted HTTP link as well. Of course, the security would be compromised in other ways if you did that.

    22. Re:Storing plaintext passwords should be illegal by Tarlus · · Score: 1

      Also, having a web browser submit a hashed password without SSL would do nothing to protect your account. It could still be intercepted and used by a malicious third party. They just wouldn't know right out in the open what the original password is.

      --
      /* No Comment */
    23. Re:Storing plaintext passwords should be illegal by tlhIngan · · Score: 1

      Storing passwords in readable text is a bad idea for a lot of reasons

      It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust, need to pay a price for their negligence.

      One of the problems I see is if they can't be bothered to hash passwords, they probably can't be bothered to do it right despite what the law says. After all, a hashed password table is just as bad if used incompetently, maybe worse because of a false sense of security.

      Thing stuff like failing to salt, using low grade hashes, etc.

      At least with plain-text, it's obvious security is bad. With poorly implemented "encryption", things are worse.

    24. Re:Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 1

      This would still allow attackers to log in as anyone they wanted if they got a dump of "plaintext" passwords - they would just send the hash instead.

      Only if the hashes were stored directly. Any competent website admin would add another layer of ecryption on the server side before storing the password. Any good security scheme requires defense in depth, and client side password encryption would just be one additional level. But as TFA shows, in many cases that one level would be replacing zero levels.

    25. Re:Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 2

      Indeed. The Hash is the plaintext password.

      Hashing a password only protects a users account on other websites when they're silly enough to use the same password on all websites.

      It also makes it damndably difficult to strengthen or change the hash if a problem is found. If you picked MD4, you're stuck with it forever.

      These objections are only true if the client-generated hash is stored directly. There is nothing to stop a competent admin from applying another hash on the server side.

    26. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      I was going to say, this is just plain stupid.

      The transmitting the hashed password gains you NOTHING, the hash would then be intercepted and passed by . The requirement should be that hidden fields not operate except when passed via HTTPS.

    27. Re:Storing plaintext passwords should be illegal by SirGarlon · · Score: 3, Interesting

      That's not the point. I do not believe it is appropriate to develop software without a revision-control system in place, but I've seen people do it. I do not, however, advocate a law to require people do basic obvious stuff like that.

      There are several reasons, but the foremost is probably that ill-informed people (technical and non-technical) tend to mistake "going through the motions" for "doing it right." That is, checklists promote a cargo cult approach to security.

      Compliance != good design, and indeed compliance is only a subset of good design when the requirements are perfect.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    28. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      A server should never be storing encrypted passwords, either.
      Salted hashes of passwords are not encrypted.

    29. Re:Storing plaintext passwords should be illegal by mlts · · Score: 1

      What might be an idea would be client-side HTML5 code to do the MD5/SHA/bcrypt hashing [1] on the local machine before sending it up. This doesn't get rid of the need for SSL, but it does ensure that the original passphrase is extremely hard to obtain.

      If for some reason a passphrase has to be stored for some reason (perhaps it needs retrieval intact), then there is a fairly easy way to deal with that: Have a clientside app that takes the password plus a salt and encrypts it with the site's public key [2]. That way, should the key have to be recovered, it still can be, but nowhere except the client's computer does the plaintext exist without someone explicitly decrypting the encoded text.

      [1]: With a salt sent from the server.

      [2]: Assuming the private key part is stashed in a HSM and is of a decent length (8192 bits, ideally 32768 bits.)

    30. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 0

      Technically this isn't encrypting, it's hashing. Encryption can be decrypted, hashes are one way functions. Techinically then,

      encrypting them with Bcrypt [wikipedia.org] or SHA-256
      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      Isn't really an issue, because there isn't a uniform mandate to do exactly what the parent wanted. He got some technical phrasing wrong, but that's still better than hoping issues like this don't happen.

    31. Re:Storing plaintext passwords should be illegal by abigsmurf · · Score: 1

      There are a few thousand ways you could 'hide' a input field, you could maybe protect against 2 of them.

      In return for that pathetic amount of protection you would break millions of websites.

    32. Re:Storing plaintext passwords should be illegal by Bengie · · Score: 1

      Hashing the password also protects the user on the current website, assuming both the has hand the password are strong.

      Add another field to your back-end, next time the user logs in, hash using the new algorithm.

    33. Re:Storing plaintext passwords should be illegal by kwark · · Score: 1

      "Also, password is never sent in plain-text anywhere. Not even over encrypted link."

      Not true, both sides need a shared secret. So there is a little problem at account creation time/password updates. Never the less, it is much much much more secure since passwords are only transmitted once.

    34. Re:Storing plaintext passwords should be illegal by Tarlus · · Score: 1

      True. But I have to ask the same question again: Who's to say that users will be competent enough to know the difference? Users should be smart enough not to reuse passwords, and it's within reason to expect them to recognize when that little green HTTPS padlock is present, but the technical details of how this is handled internally by a legitimate company cannot and will not be understood by the average user.

      It does raise an interesting question about where the responsibility of these things lie, and given the fact that you should never give the user the benefit of the doubt, I'm with the OP on this one: the service provider should be bound by a legal responsibility to protect their clients' information. Storing cleartext passwords should've been the first no-no taught on day one of "Web Databases 101."

      Of course, there is no "Web Databases 101" (or no employers look for it) so that is why we have self-taught PHP/MySQL scrawlers come in off of the street and pull shit like this.

      --
      /* No Comment */
    35. Re:Storing plaintext passwords should be illegal by Smauler · · Score: 1

      I'm not an expert here.... but 15 years ago when I set up a fantasy football website for me and my friends, I immediately understood the security implications of storing passwords in plain text. I was working on the database directly - I didn't want to know my friend's commonly used passwords. Most of them were not too tech savvy, I don't think anyone asked me about password storage.

      All I did was store a truncated MD5 hash, IIRC. This wasn't high security stuff... I just didn't want to know their passwords, and I wanted them to know I couldn't. That site could have been compromised very very easily, via a whole load of avenues I didn't block off (SQL injection being the obvious one), but I wasn't that concerned about that.

      If I could do it 15 years ago on a shitty amateur site, there is literally no excuse. None.

    36. Re:Storing plaintext passwords should be illegal by Smauler · · Score: 2

      Hashing before sending is pointless... except for the fact that your password is not easily guessable.

      Hashing on the server side should be basic common sense, which is what this story is about.

    37. Re:Storing plaintext passwords should be illegal by blueg3 · · Score: 1

      How about you read the comment to which I was replying? I quoted the relevant part in my comment, even.

      Here, I'll do it again.

      When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. ... The default should be transmission of encrypted passwords, not plaintext.

      They're talking about hashing before sending.

      I agree that the article is about the actually-useful practice of hashing server-side. But my comment is rightfully about the useless suggestion of hashing client-side.

    38. Re:Storing plaintext passwords should be illegal by cheater512 · · Score: 1

      If the password is hashed client side and the database gets exploited, you've just given access to everyone.
      Since they can just manually use the hash from the db to log in.

      You'd need to do double hashing with per site salt to counteract it.

      Or just use SSL like everyone else suggested. Somewhat easier and doesn't have that problem.
      Or you could manually SHA1 your passwords and use the hashed copy as your password for long and pseudorandom passwords.

    39. Re:Storing plaintext passwords should be illegal by Anonymous Coward · · Score: 1

      If browsers started warning people when the submitted form contained a password field and the destination was not over SSL, developers would learn pretty fast.

    40. Re:Storing plaintext passwords should be illegal by prshaw · · Score: 1

      And who should write the law on this? Who enforces the law?
      I don't think I want the 'International Internet Police' coming to my house to see if I have applied the correct level of security to the passwords stored on my computer.
      Hell, I don't want the 'International Internet Police' coming to my house for anything!

    41. Re:Storing plaintext passwords should be illegal by OldSoldier · · Score: 1

      Agreed about making it illegal... but many US companies store passwords in clear text too. Most notably many cell phone companies store your PINs in cleartext... any agent at the carrier can see what yours is.

      This has been a pet peeve of mine for years... when companies have (are required?) privacy policies about what they do with your personal information yet there's no discussion at all as to what they do with your passwords, it's like putting a bandaid on a severed artery.

    42. Re:Storing plaintext passwords should be illegal by ElizabethGreene · · Score: 1

      More laws are rarely the answer. Saying "There should be a law" is really saying "I trust the bastions of incompetence in the halls of government to do ..." I don't trust those halls to pick up garbage, much less to regulate IT.

  3. not a excuse to not pay your taxes so suck it up by Joe_Dragon · · Score: 1

    not a excuse to not pay your taxes so suck it up and pay

  4. The Austrailian government is... by Press2ToContinue · · Score: 1

    emasculating my password, and book-ending my brain. Please make them stop.

    --
    Sent from my ENIAC
  5. It SHOULD be illegal by Jawnn · · Score: 2, Insightful

    That kind of brain-dead security fail should be illegal, and I mean pay "a fine and go to jail" felony-type illegal. It is clear understatement to say that there is simply no excuse for this to have happened.

    1. Re:It SHOULD be illegal by slackware+3.6 · · Score: 2

      So you would put the blame on the person that failed to stop someone from doing something illegal as in "felony-type illegal". Should the blame and punishment be applied to the real criminal instead? Our mailboxes don't even have locks around here. And it's not a problem. Why? Because there are severe penalties for touching someone elses mailbox. You would rather jail the owner of the postbox because they did not prevent the theft by putting a lock on the postbox. Why not jail the person breaking into the postbox? Or do you steal peoples mail (or passwords) and not want to worry about going to jail if caught? If you steal from me it is not my fault for leaving something unlocked, it is your fault for being a thief.

    2. Re:It SHOULD be illegal by bill_mcgonigle · · Score: 1

      What? No. Anal gang rape prison is disproportionate to being too dumb to hash passwords.

      This should be a simple matter of strong liability for misdeeds. With actual liability, website owners would be strongly incentivized to take out insurance, and those insurance companies would be strongly incentivized to see that their insured has good security practices.

      If you have to mandate something, make it displaying their compliance certificate on their website, preferably in a machine-readable format. But even that is pushing it, because what would the consequences be?

      Financial incentives are plenty here - there's no need for putting people in cages because they're bad at running a website.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:It SHOULD be illegal by Anonymous Coward · · Score: 0

      /thread

      You are 100% right about that entire thing.

    4. Re:It SHOULD be illegal by Bengie · · Score: 1

      Should the baby sitter be blamed for handing your child to some random homeless guy or should you blame the homeless guy?

      Gross Professional Negligence.

    5. Re:It SHOULD be illegal by Smauler · · Score: 1

      Anal gang rape prison is disproportionate

      FTFY

    6. Re:It SHOULD be illegal by Jawnn · · Score: 0

      I should not have to point this out, but storing passwords in the clear, for a large collections of users, on a system that contains sensitive data, is hardly the same thing as having a mailbox without a lock. All of those users have a reasonable expectation that their accounts will be secure. The keepers of that particular system have pissed on that trust. They should be punished for so willfully disregarding their responsibility here.

  6. Password reuse... by Anonymous Coward · · Score: 0

    If you're dumb enough to use the same password all over, you deserve to get your identity stolen with all the implicated trouble. Call it evolution.

  7. It's ok, because they're downunder by BMOC · · Score: 1, Funny

    No one looks down there.

    --
    I swear they give me mod points to shut me up.
  8. Why people reuse passwords. by slackware+3.6 · · Score: 1, Interesting

    Most of us have very busy lives and not enough time to remember long passwords especially long paswords with CAPS and numbers. It is quicker to sign up for a new gmail account than figure out that password you never used in a month. Now why don't people think of the poor abandoned email accounts tying up that username you really wanted? Now my bank and credit card pins came in the mail in plain text. Its not usually a problem. Why you ask? Because it is very illegal and you will spend a lot of time in jail. This attitude the the internet is a toy and the rules don't apply "cause yer l33t if you can break into someones computer or steal personal info" has to change. If you unlawfully access my computer or personal info you should go to jail just as if you were caught with your hand in my mailbox.

    1. Re:Why people reuse passwords. by Anonymous Coward · · Score: 0

      The banks don't care about your security. It's not because that you will go to jail that they don't encrypt the PIN it's because it would cost too much to do it right. In either case the PIN access proves it was you that accessed the account and it is your responsibility to keep it safe it's not theirs.

  9. Financial security should be stronger than secrecy by Marrow · · Score: 1

    Why is it still the case that we live in terror that someone can get our secret financial information and ruin our lives? Secret information that is frequently scattered around in the public domain anyway. At this point it should be possible to lock down financials and identities so that this problem is in the past.
    If nothing else, someone should see a business opportunity in offering that kind of security. Move your money to this bank/credit because we offer real financial protection for you. You will never be inconvenienced by the old poorly secured way of doing things again.

  10. Hashes not enough either by Todd+Knarr · · Score: 3, Insightful

    Unfortunately, as has been demonstrated recently, hashed passwords don't protect very well against attacks either if the intruder gets access to the stored passwords themselves. Faster and cheaper hardware combined with cheap storage have allowed attacks on hashed passwords that would've been infeasible only a few years ago. And hashed passwords on the back-end mean that cleartext passwords almost have to be passed over the wire where they're vulnerable to interception not just by things snooping network traffic but by malware that's inserted itself into the network stack on either end.

    And most importantly, storing passwords in the clear makes it perfectly clear that they are vulnerable to any compromise that gives an intruder access to the stored passwords. Having them hashed gives a false sense of security and the opening to argue that compromises don't have to be disclosed because the passwords are hashed and thus haven't really been compromised, even though the hash isn't going to really keep the passwords from being compromised.

    I much prefer a system that segregates passwords onto a dedicated authentication service that runs on a machine that's walled off and isolated from even the production machines except for the small hole needed for access to the authentication service (which should be written, at least the input and input-parsing portions, by professional paranoids). Then store passwords on it in the clear if needed so you can use challenge-response authentication methods that avoid needing to transmit the password itself between the client and your systems. That way your efforts to protect the passwords can be concentrated on that authentication server with it's relatively small exposed area, rather than on your entire system with it's large exposure to attacks.

    1. Re:Hashes not enough either by scorp1us · · Score: 2

      Wrong on many accounts. I have a browser plugin and website that doe password hashing in the client (via javascipt) your password is not transmitted, the hash is computed locally.

      These are still vulnerable to dictionary attacks because the dictionary can be quickly hashed. That's why the hashes int he website and plugin above is variable. You can set your hash for any number. We default at 20, which does slow the attacker down. However the attacker won't know where to stop and they are only looking at hash after hash, and having to try each one. This should also slow them down as well. never mind they have a whole dictionary to go through. The techniques combine to make a formidable computational combination. But isn't perfect. Since only your hash is sent, your password remains unknown and safe.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    2. Re:Hashes not enough either by Todd+Knarr · · Score: 1

      That sounds like a challenge/response system. Does the plug-in require that the server send a random nonce? If not, it's vulnerable to replay and pre-play attacks, since without the nonce the hash values are predictable. And with a nonce you should only need one exchange, assuming your hash algorithm is sufficiently robust (if it isn't, I'm afraid no number of repetitions will make the exchange secure).

      Note: as has been demonstrated repeatedly over the last decade, any cryptographic system that's vulnerable to something better than a brute-force attack and which depends on computational infeasibility will end up broken in short order, the only question is how quickly advances in hardware will make what was once infeasible trivial.

      Also note: the above doesn't mean that systems that are only vulnerable to a brute-force attack won't become vulnerable, only that they're the best we can do. Once hardware advances to the point where it's feasible to brute-force the key, all you can do is find an orders-of-magnitude-harder problem to base your system on.

    3. Re:Hashes not enough either by fulldecent · · Score: 1

      FYI challenge-response systems do not require storing the plaintext password

      --

      -- I was raised on the command line, bitch

    4. Re:Hashes not enough either by Sarten-X · · Score: 1

      It's not a challenge-response system at all. The website (and I assume the plugin as well) will generate a long hash value based on the website name and a different personal password. That long hash can be used as the password on a website, so if the website's breached, the user's short password is protected. It's not about maintaining the security of that particular account (which is a moot point if the server's been thoroughly hacked), but rather letting the user have one password to remember easily for all sites, without opening them up to the vulnerabilities of password reuse.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:Hashes not enough either by scorp1us · · Score: 1

      Correct!

      Also, this XKCD applies as well.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    6. Re:Hashes not enough either by Anonymous Coward · · Score: 0

      If only we had a tunable hashing algorithm, which we
      could make stronger over time as attacks get better ...

    7. Re:Hashes not enough either by TomJetland · · Score: 1

      Does a challenge-response system appear as part of the spec for html, or implemented by common web toolkits? So many websites sound as if they are rolling their own login system which simply hides the password typed in and that's it! Do Amazon, eBay or gmail use a challenge/response system?!

    8. Re:Hashes not enough either by Todd+Knarr · · Score: 1

      Can you point to one that uses a random nonce to insure that responses can't be recorded and reused and can't be predicted before the actual transaction, and that use a process where the hashed form of the password can't simply be treated as the password itself?

  11. Posting anonymous to protect myself by Anonymous Coward · · Score: 0

    It is not only illegal, but dangerous. About 10 years ago a disgruntled Taxation employee used unencrypted taxation information to mail letter bombs to people he felt had "done him wrong". My mother was meant to receive one of these bombs!

    This information should be encrypted by default.

    1. Re:Posting anonymous to protect myself by abigsmurf · · Score: 1

      People actually need to work with tax data, it has to be decrypt-able by tax office staff otherwise what's the point in it?

  12. T-Mobile does it too by Abalamahalamatandra · · Score: 1

    Or they did as of not very long ago at all - I had to recover my password on their site, and just about fell out of my chair when, instead of sending me a recovery link, they emailed me my current password.

    Nowadays that password is a KeePass-generated random one.

  13. How many had 'password' as their password? by darkonc · · Score: 1
    I once got access to the unencrypted password file for a widely used site. It was rather disturbing -- and not just because the passwords were unencrypted ("It's fur customer service purposes!"). Literally 10% of the users had 'password' as their password.

    I guess that it wasn't quite as bad as the network service provider that had 'password' as the password through their firewall.. I mean, why even have the thing, to begin with?

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  14. Google is almost as bad by Anonymous Coward · · Score: 0

    If you use Google's enterprise tools for synchronizing account credentials, your best option is to send them SHA1 hashes. Not salted SHA1 hashes, just SHA1. For a company with the computational resources Google has, that's almost the same as handing over plain text, unless the passwords are exceptionally strong.

  15. Storing PWs in Plaintext Is Okay by Anonymous Coward · · Score: 0

    LOL no who even codes this shit.

  16. Hashing is not always the best solution by abigsmurf · · Score: 2

    The information in your tax account is probably far more damaging than just your password and that is stored in plain text. If you don't trust them with your password, why the hell do you trust them with all that other information?

    Tax offices usually have to deal with a wide variety of enquiries, some of which may not be done over the phone. Passwords/secret phrases can be a nightmare over the phone, especially for someone non-technical, having plain text passwords allows you to verify that a granny who says "21 primrose hill" is their password when it's stored as "21 Primrose-hill".

    My bank (Barclays) doesn't use encrypted passwords, they use the "say the 8th and 6th letters of your password" system plus chip + pin to verify you. As they're a high priority target for phising, key logging and MITM, it is actually far safer to do this then force the entire password the whole time.

    TLDR: password hashing is an (easy) additional layer of security but it comes with its own drawbacks, isn't the be-all and end-all to security and isn't needed if security measures are strong enough.

  17. BCrypt or SHACrypt256/SHACrypt512 by jonabbey · · Score: 1

    The OP is right that there's no point in using a high speed naked hash algorithm, but BCrypt isn't the only good alternative.

    There's also SHACrypt-256 and SHACrypt-512, which have been supported in GNU LibC since October 2007.

    Wikipedia has a pretty thorough discussion of the various password hash routines that are in use on Unix/Linux systems, for that matter.

    --
    - jon

    Ganymede, a GPL'ed metadirectory for UNIX
  18. No, not SHA-256 by jonabbey · · Score: 1

    You don't want to use SHA-256 by itself, because that's a high speed unsalted hash algorithm.

    Ulrich Drepper created a good password crypt algorithm which incorporates SHA-256 or SHA-512, but the features that make it resistant to dictionary attack are the salt and the massive iterations over SHA to slow down the algorithm.

    BCrypt uses the same techniques to slow down dictionary attacks.

    --
    - jon

    Ganymede, a GPL'ed metadirectory for UNIX
  19. plaintext passwords by fyngyrz · · Score: 1

    That's not a password.... This is a password!

    --
    I've fallen off your lawn, and I can't get up.
  20. SRP by Stormy+Dragon · · Score: 1

    The Secure Remote Password protocol has been out for more than a decade now. Sites shouldn't even be storing hashed/salted passwords by this point. They should never even have possession of the actual password on the server side.

  21. It's a third party not the ATO by thedarknite · · Score: 1

    A separate company that is managing a Publication Ordering Service for the Tax Office is storing passwords in plain text. I had to help set up access to the ATO portal at my last job and it requires installing company specific certificates per user or to be running a specific security application which, requires installing company specific certificates, the for the login screen to even show up

    --
    A game has objectives and is competitive, anything else is just play
    1. Re:It's a third party not the ATO by SJ2000 · · Score: 1
      That's right, summary is completely false.

      The system is run externally by the warehouse and separately to the ATO," a spokesperson told SC....It is unable to access taxpayer information or their details. There are no financial or bank account details stored on POS.

      A case of not reading the article, it's blatant FUD.

  22. One weak reason for WHY it should really be a law by Anonymous Coward · · Score: 0

    It needs to be more than a bad idea: it needs to be illegal

    Gotta post anon here...

    I'm a programmer who maintains a website which stores plaintext passwords, though that'll be changing later today. We recently discovered that, surprise surprise, that database has been read. Yet another list of email addresses associated with plaintext passwords is out there now, and it's our fault.

    We have known about the risk for years, and it's not like I lack the expertise to do anything about it. But there's a problem: one of our use cases is that sometimes we have to tell users their forgotten password. (And you can't fix the problem and also preserve that use case.) I know, it's just as easy give people an email password reset. But that's not what we had. I don't decide the use cases or tell people, "no, you may not do that anymore. I am unilaterally taking away one of the things you wanted to sometimes do, boss."

    So the horse had to escape the barn, before fixing the barn door could be greenlit.

    I'm conflicted about whether or not there should be a law, but I have to admit something. In prior years' discussions about the topic, if I had a law to point to, and could have said, "we have to do this to comply with the law, or else if anyone ever finds out, we'll be in legal trouble (rather than merely hated)," then our own breach would have been prevented before it ever happened.

    Honestly, when you get down to it, that's really just saying I wish I could make my argument with a gun, so that I could win it. And I know that's usually a sign that you have a bad argument. "There ought to be a law" usually means the person who said it needs to be removed from lawmaking. But in this case...