Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Tax Office Stores Passwords In Clear Text

Posted by Soulskill on from the you're-doing-it-wrong dept.

mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."

4 of 84 comments (clear)

  1. Storing plaintext passwords should be illegal by ShanghaiBill · · Score: 4, Insightful

    Storing passwords in readable text is a bad idea for a lot of reasons

    It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust, need to pay a price for their negligence.

    But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

    1. Re:Storing plaintext passwords should be illegal by characterZer0 · · Score: 4, Funny

      encrypting them with Bcrypt [wikipedia.org] or SHA-256

      If only there were a widely deployed standard way of encrypting data submitted to web servers.

      --
      Go green: turn off your refrigerator.
    2. Re:Storing plaintext passwords should be illegal by Tarlus · · Score: 4, Interesting

      But if web developers aren't even hashing up their password db's, who's to say they'll be competent enough to employ SSL?

      --
      /* No Comment */
    3. Re:Storing plaintext passwords should be illegal by Chris+Mattern · · Score: 4, Interesting

      The problem is, I am very leery of having those who are not knowledgable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.

      "Where are your encrypted passwords?"
      "We use PKI keys, we don't have *any* passwords"
      "So you don't have any encrypted passwords?"
      "No, we don't need them."
      "Off to jail with you, then."