Slashdot Mirror


Australian Tax Office Stores Passwords In Clear Text

mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."
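The summary's remedy, a salted slow hash on the server side, as an added example that is not part of the story or of any code the tax office runs. It uses the standard library's PBKDF2-HMAC as a stand-in for the bcrypt the summary recommends, so it runs offline; the iteration count, record format and `PasswordStore` class are choices made for this example, not anything the page specifies.

```python
# Added example: server-side password storage with a salted, slow hash.
# PBKDF2-HMAC (stdlib) stands in for bcrypt so that this runs without
# third-party packages. Iteration count and record format are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed policy value; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True when the stored record was made with fewer iterations than current policy."""
    _, stored_iterations, _, _ = record.split("$")
    return int(stored_iterations) < iterations


class PasswordStore:
    """Minimal user table: only the hash record is ever persisted, never the password."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so that unknown and known usernames take the same time.
            hash_password(password)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            # Transparent upgrade: the plaintext is only in hand at login time.
            self._records[username] = hash_password(password)
        return ok

    def dump(self, username: str) -> str:
        """What someone who copied the table would see for this user."""
        return self._records[username]
```

The per-user random salt means two users with the same password get different records, the self-describing record lets the iteration count be raised later without a migration, and the constant-time compare avoids leaking how many bytes of a guess matched. What the table holds is not reusable against any other site, which is the cross-service risk the summary describes.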

16 of 84 comments

  1. Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 4, Insightful

    Storing passwords in readable text is a bad idea for a lot of reasons

    It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust need to pay a price for their negligence.

    But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

    1. Re:Storing plaintext passwords should be illegal by characterZer0 · · Score: 4, Funny

      encrypting them with Bcrypt [wikipedia.org] or SHA-256

      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      --
      Go green: turn off your refrigerator.
    2. Re:Storing plaintext passwords should be illegal by Tarlus · · Score: 4, Interesting

      But if web developers aren't even hashing up their password db's, who's to say they'll be competent enough to employ SSL?

      --
      /* No Comment */
    3. Re:Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 2

      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      Of course there is. But that solves a different problem: a password will be encrypted in transmission, but is unencrypted on the other end, so the server will still receive your form with plaintext passwords. By default, input fields of type "password" should be encrypted and only the encrypted password should be sent to the server. The server should have no access to the plaintext. They can't store what they don't have in the first place.

    4. Re:Storing plaintext passwords should be illegal by dkleinsc · · Score: 3, Insightful

      Yeah, because what we really need in IT are more compliance checklists

      Yes, we do, because it's abundantly clear that there are lots of IT organizations that can't meet the basic requirements of doing the job properly.

      and more lawyers

      Yes, to deal with the cases where IT organizations skimp or lie about meeting the requirements.

      and more absolute rules

      Yes, so they know when they're in compliance and when they aren't. For example, a rule that "No password may be stored in clear text." is quite absolute, and also appears to be quite necessary.

      If it weren't a financial system that everyone in Australia is required by law to use, I'd be fine with the standards being looser, because then the damage would be less.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    5. Re:Storing plaintext passwords should be illegal by blueg3 · · Score: 3, Informative

      But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

      This is why security is often so terrible: people don't know what they're talking about when it comes to security, but they throw some encryption (or in this case, hashing) at the problem and hope it solves it, like pixie dust.

      Hashing isn't encryption; encryption is reversible, while hashing isn't. There's already a system for encrypting transmissions between a browser and a Web server.

      If you hash the password before transmitting it, then the hash is simply the password. Sure, it doesn't look like "password" or "123456", but it retains all of the security problems that a plaintext password does. It provides absolutely no security benefits, but it looks better (if you don't look too hard) because you've applied some crypto, somewhere!

    6. Re:Storing plaintext passwords should be illegal by Chris+Mattern · · Score: 4, Interesting

      The problem is, I am very leery of having those who are not knowledgeable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.

      "Where are your encrypted passwords?"
      "We use PKI keys, we don't have *any* passwords"
      "So you don't have any encrypted passwords?"
      "No, we don't need them."
      "Off to jail with you, then."

    7. Re:Storing plaintext passwords should be illegal by Bert64 · · Score: 2

      If you encrypt/hash the data before you send it then you no longer need the plaintext, the hash becomes the plaintext equivalent. Also any sensible passwd hashing algorithm will be salted, so you would need to leak the user's salt *before* they authenticate.

      While not illegal, many security guidelines (some of which are mandatory within certain circles) require that passwords be appropriately hashed etc... Windows generally doesn't comply with such guidelines (stores plaintext in memory, uses unsalted hash, allows hash to be used instead of plaintext) etc, so many such guidelines make special exception for windows... But anyone else has to comply, so clearly a ridiculous situation.

      So, anyone running windows is storing their user passwords in a plaintext equivalent form.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 2

      Indeed. The Hash is the plaintext password.

      Hashing a password only protects a user's account on other websites when they're silly enough to use the same password on all websites.

      It also makes it damnably difficult to strengthen or change the hash if a problem is found. If you picked MD4, you're stuck with it forever.

      These objections are only true if the client-generated hash is stored directly. There is nothing to stop a competent admin from applying another hash on the server side.

    9. Re:Storing plaintext passwords should be illegal by SirGarlon · · Score: 3, Interesting

      That's not the point. I do not believe it is appropriate to develop software without a revision-control system in place, but I've seen people do it. I do not, however, advocate a law to require people do basic obvious stuff like that.

      There are several reasons, but the foremost is probably that ill-informed people (technical and non-technical) tend to mistake "going through the motions" for "doing it right." That is, checklists promote a cargo cult approach to security.

      Compliance != good design, and indeed compliance is only a subset of good design when the requirements are perfect.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    10. Re:Storing plaintext passwords should be illegal by Smauler · · Score: 2

      Hashing before sending is pointless... except for the fact that your password is not easily guessable.

      Hashing on the server side should be basic common sense, which is what this story is about.
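The point argued across the replies above (a client-side hash stored as-is is the plaintext equivalent; a second, salted slow hash on the server removes that property) as an added example, not code from any of the posters or from the plugin scorp1us mentions. It is stdlib-only, with PBKDF2-HMAC standing in for bcrypt on the server side; the `client_prehash` scheme, the two server classes and the iteration count are assumptions made for the demonstration.

```python
# Added example: what is stored decides whether a leaked record is a credential.
# NaiveServer keeps the client's hash verbatim; HardenedServer re-hashes it
# with its own per-user salt. Both use stdlib only; parameters are assumptions.
import hashlib
import hmac
import os

SERVER_ITERATIONS = 100_000  # assumed value for the example


def client_prehash(username: str, password: str) -> str:
    """What a browser plugin might send instead of the password: a fixed,
    unsalted SHA-256 over username and password (assumed scheme)."""
    return hashlib.sha256(f"{username}:{password}".encode("utf-8")).hexdigest()


def server_hash(credential: str, salt: bytes, iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server-side slow hash applied to whatever credential string arrived."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, iterations)


class NaiveServer:
    """Stores the received credential verbatim. Whatever is in the table logs in."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, credential: str) -> None:
        self.db[user] = credential

    def authenticate(self, user: str, credential: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, credential)


class HardenedServer:
    """Applies its own salted slow hash before storing anything."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, credential: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, server_hash(credential, salt))

    def authenticate(self, user: str, credential: str) -> bool:
        entry = self.db.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, server_hash(credential, salt))


def leaked_record_logs_in(server, user: str) -> bool:
    """Defender's check: if the stored value were copied out of the table and
    presented as the credential, would the server accept it?"""
    stored = server.db[user]
    replay = stored if isinstance(stored, str) else stored[1].hex()
    return server.authenticate(user, replay)
```

`leaked_record_logs_in` is the test to run on any design that hashes in the browser: if it returns true, the table is a password file in everything but appearance, which is blueg3's objection. With the server-side step it returns false, which is the "another hash on the server side" that ShanghaiBill describes, and it also leaves the server free to change its own algorithm later without touching the client.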

  2. It SHOULD be illegal by Jawnn · · Score: 2, Insightful

    That kind of brain-dead security fail should be illegal, and I mean pay "a fine and go to jail" felony-type illegal. It is a clear understatement to say that there is simply no excuse for this to have happened.

    1. Re:It SHOULD be illegal by slackware+3.6 · · Score: 2

      So you would put the blame on the person that failed to stop someone from doing something illegal as in "felony-type illegal". Should the blame and punishment be applied to the real criminal instead? Our mailboxes don't even have locks around here. And it's not a problem. Why? Because there are severe penalties for touching someone else's mailbox. You would rather jail the owner of the postbox because they did not prevent the theft by putting a lock on the postbox. Why not jail the person breaking into the postbox? Or do you steal people's mail (or passwords) and not want to worry about going to jail if caught? If you steal from me it is not my fault for leaving something unlocked, it is your fault for being a thief.

  3. Hashes not enough either by Todd+Knarr · · Score: 3, Insightful

    Unfortunately, as has been demonstrated recently, hashed passwords don't protect very well against attacks either if the intruder gets access to the stored passwords themselves. Faster and cheaper hardware combined with cheap storage have allowed attacks on hashed passwords that would've been infeasible only a few years ago. And hashed passwords on the back-end mean that cleartext passwords almost have to be passed over the wire where they're vulnerable to interception not just by things snooping network traffic but by malware that's inserted itself into the network stack on either end.

    And most importantly, storing passwords in the clear makes it perfectly clear that they are vulnerable to any compromise that gives an intruder access to the stored passwords. Having them hashed gives a false sense of security and the opening to argue that compromises don't have to be disclosed because the passwords are hashed and thus haven't really been compromised, even though the hash isn't going to really keep the passwords from being compromised.

    I much prefer a system that segregates passwords onto a dedicated authentication service that runs on a machine that's walled off and isolated from even the production machines except for the small hole needed for access to the authentication service (which should be written, at least the input and input-parsing portions, by professional paranoids). Then store passwords on it in the clear if needed so you can use challenge-response authentication methods that avoid needing to transmit the password itself between the client and your systems. That way your efforts to protect the passwords can be concentrated on that authentication server with its relatively small exposed area, rather than on your entire system with its large exposure to attacks.
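The challenge-response idea in the post above, as an added example that is not Todd Knarr's code: an isolated authentication service issues a single-use nonce, and the client proves knowledge of the secret by returning an HMAC over it, so the password itself never crosses the wire. One deliberate difference from the post: the service holds a key derived from the password at enrolment rather than the cleartext password. The message layout, the `auth-v1` domain tag and the PBKDF2 parameters are assumptions made for this example.

```python
# Added example: HMAC challenge-response in which the password is not transmitted.
# The verifier held by AuthService is a PBKDF2-derived key (assumed scheme);
# the wire messages are just the nonce and the HMAC response.
import hashlib
import hmac
import secrets

DOMAIN_TAG = b"auth-v1"  # assumed label that binds responses to this protocol


def derive_key(username: str, password: str) -> bytes:
    """Enrolment-time verifier. The salt is derived from the username so the
    client can recompute the same key without the service sending it."""
    salt = hashlib.sha256(username.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AuthService:
    """The walled-off service from the post: holds verifiers and outstanding nonces."""

    def __init__(self):
        self._keys = {}
        self._pending = {}   # username -> nonce awaiting a response

    def enroll(self, username: str, password: str) -> None:
        self._keys[username] = derive_key(username, password)

    def challenge(self, username: str) -> bytes:
        """Message 1 (service -> client): a fresh random nonce."""
        nonce = secrets.token_bytes(32)
        self._pending[username] = nonce
        return nonce

    def check_response(self, username: str, response: bytes) -> bool:
        """Message 2 (client -> service) is verified here. Each nonce is consumed
        on first use, so a captured response cannot be replayed."""
        nonce = self._pending.pop(username, None)
        key = self._keys.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, DOMAIN_TAG + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    """Holds the derived key locally; only the HMAC response leaves the client."""

    def __init__(self, username: str, password: str):
        self.username = username
        self._key = derive_key(username, password)

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, DOMAIN_TAG + nonce, hashlib.sha256).digest()


def run_exchange(service: AuthService, client: Client) -> bool:
    """The full two-message exchange between one client and the service."""
    nonce = service.challenge(client.username)
    return service.check_response(client.username, client.answer(nonce))
```

Two caveats the post's design implies rather than states: the verifier the service holds is still a plaintext equivalent for this protocol (whoever copies it can answer challenges), which is exactly why the post isolates the service so tightly; and the client has to hold the secret as well, so this protects the wire and the production machines, not a compromised endpoint.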

    1. Re:Hashes not enough either by scorp1us · · Score: 2

      Wrong on many accounts. I have a browser plugin and website that does password hashing in the client (via javascript); your password is not transmitted, the hash is computed locally.

      These are still vulnerable to dictionary attacks because the dictionary can be quickly hashed. That's why the hashes in the website and plugin above are variable. You can set your hash for any number. We default at 20, which does slow the attacker down. However the attacker won't know where to stop and they are only looking at hash after hash, and having to try each one. This should also slow them down as well. Never mind they have a whole dictionary to go through. The techniques combine to make a formidable computational combination. But it isn't perfect. Since only your hash is sent, your password remains unknown and safe.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  4. Hashing is not always the best solution by abigsmurf · · Score: 2

    The information in your tax account is probably far more damaging than just your password and that is stored in plain text. If you don't trust them with your password, why the hell do you trust them with all that other information?

    Tax offices usually have to deal with a wide variety of enquiries, some of which may not be done over the phone. Passwords/secret phrases can be a nightmare over the phone, especially for someone non-technical, having plain text passwords allows you to verify that a granny who says "21 primrose hill" is their password when it's stored as "21 Primrose-hill".

    My bank (Barclays) doesn't use encrypted passwords, they use the "say the 8th and 6th letters of your password" system plus chip + pin to verify you. As they're a high priority target for phishing, key logging and MITM, it is actually far safer to do this than force the entire password the whole time.

    TLDR: password hashing is an (easy) additional layer of security but it comes with its own drawbacks, isn't the be-all and end-all to security and isn't needed if security measures are strong enough.