Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Tax Office Stores Passwords In Clear Text

Posted by Soulskill on from the you're-doing-it-wrong dept.

mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."

8 of 84 comments (clear)

  1. Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 4, Insightful

    Storing passwords in readable text is a bad idea for a lot of reasons

    It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust, need to pay a price for their negligence.

    But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

    1. Re:Storing plaintext passwords should be illegal by characterZer0 · · Score: 4, Funny

      encrypting them with Bcrypt [wikipedia.org] or SHA-256

      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      --
      Go green: turn off your refrigerator.
    2. Re:Storing plaintext passwords should be illegal by Tarlus · · Score: 4, Interesting

      But if web developers aren't even hashing up their password db's, who's to say they'll be competent enough to employ SSL?

      --
      /* No Comment */
    3. Re:Storing plaintext passwords should be illegal by dkleinsc · · Score: 3, Insightful

      Yeah, because what we really need in IT are more compliance checklists

      Yes, we do, because it's abundantly clear that there are lots of IT organizations that can't meet the basic requirements of doing the job properly.

      and more lawyers

      Yes, to deal with the cases where IT organizations skimp or lie about meeting the requirements.

      and more absolute rules

      Yes, so they know when they're in compliance and when they aren't. For example, a rule that "No password may be stored in clear text." is quite absolute, and also appears to be quite necessary.

      If it weren't a financial system that everyone in Australia is required by law to use, I'd be fine with the standards being looser, because then the damage would be less.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:Storing plaintext passwords should be illegal by blueg3 · · Score: 3, Informative

      But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

      This is why security is often so terrible: people don't know what they're talking about when it comes to security, but they throw some encryption (or in this case, hashing) at the problem and hope it solves it, like pixie dust.

      Hashing isn't encryption; encryption is reversible, while hashing isn't. There's already a system for encrypting transmissions between a browser and a Web server.

      If you hash the password before transmitting it, then the hash is simply the password. Sure, it doesn't look like "password" or "123456", but it retains all of the security problems that a plaintext password does. It provides absolutely no security benefits, but it looks better (if you don't look too hard) because you've applied some crypto, somewhere!

    5. Re:Storing plaintext passwords should be illegal by Chris+Mattern · · Score: 4, Interesting

      The problem is, I am very leery of having those who are not knowledgable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.

      "Where are your encrypted passwords?"
      "We use PKI keys, we don't have *any* passwords"
      "So you don't have any encrypted passwords?"
      "No, we don't need them."
      "Off to jail with you, then."

    6. Re:Storing plaintext passwords should be illegal by SirGarlon · · Score: 3, Interesting

      That's not the point. I do not believe it is appropriate to develop software without a revision-control system in place, but I've seen people do it. I do not, however, advocate a law to require people do basic obvious stuff like that.

      There are several reasons, but the foremost is probably that ill-informed people (technical and non-technical) tend to mistake "going through the motions" for "doing it right." That is, checklists promote a cargo cult approach to security.

      Compliance != good design, and indeed compliance is only a subset of good design when the requirements are perfect.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  2. Hashes not enough either by Todd+Knarr · · Score: 3, Insightful

    Unfortunately, as has been demonstrated recently, hashed passwords don't protect very well against attacks either if the intruder gets access to the stored passwords themselves. Faster and cheaper hardware combined with cheap storage have allowed attacks on hashed passwords that would've been infeasible only a few years ago. And hashed passwords on the back-end mean that cleartext passwords almost have to be passed over the wire where they're vulnerable to interception not just by things snooping network traffic but by malware that's inserted itself into the network stack on either end.

    And most importantly, storing passwords in the clear makes it perfectly clear that they are vulnerable to any compromise that gives an intruder access to the stored passwords. Having them hashed gives a false sense of security and the opening to argue that compromises don't have to be disclosed because the passwords are hashed and thus haven't really been compromised, even though the hash isn't going to really keep the passwords from being compromised.

    I much prefer a system that segregates passwords onto a dedicated authentication service that runs on a machine that's walled off and isolated from even the production machines except for the small hole needed for access to the authentication service (which should be written, at least the input and input-parsing portions, by professional paranoids). Then store passwords on it in the clear if needed so you can use challenge-response authentication methods that avoid needing to transmit the password itself between the client and your systems. That way your efforts to protect the passwords can be concentrated on that authentication server with it's relatively small exposed area, rather than on your entire system with it's large exposure to attacks.