Slashdot: News for Nerds

Australian Tax Office Stores Passwords In Clear Text

Soulskill posted about a year and a half ago | from the you're-doing-it-wrong dept.


mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."


84 comments

Ugh (0, Offtopic)

systemidx (2708649) | about a year and a half ago | (#43034585)

The slashvertisements are getting less and less subtle these days.

Re:Ugh (1)

Tarlus (1000874) | about a year and a half ago | (#43035325)

Can't tell what's being Slashvertised here...

Re:Ugh (0)

Anonymous Coward | about a year and a half ago | (#43039647)

It's costcentral.com [costcentral.com] . They also use clear text passwords, and send you the password by email.

Storing plaintext passwords should be illegal (4, Insightful)

ShanghaiBill (739463) | about a year and a half ago | (#43034597)

Storing passwords in readable text is a bad idea for a lot of reasons

It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust, need to pay a price for their negligence.

But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt [wikipedia.org] or SHA-256. [wikipedia.org] When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

Re:Storing plaintext passwords should be illegal (4, Funny)

characterZer0 (138196) | about a year and a half ago | (#43034715)

encrypting them with Bcrypt [wikipedia.org] or SHA-256

If only there were a widely deployed standard way of encrypting data submitted to web servers.

Re:Storing plaintext passwords should be illegal (4, Interesting)

Tarlus (1000874) | about a year and a half ago | (#43034857)

But if web developers aren't even hashing up their password db's, who's to say they'll be competent enough to employ SSL?

Re:Storing plaintext passwords should be illegal (1)

characterZer0 (138196) | about a year and a half ago | (#43035373)

The user has no control over how the server hashes passwords. The user has a choice not to submit unencrypted data.

Unless, of course, the government mandates it.

Re:Storing plaintext passwords should be illegal (1)

Tarlus (1000874) | about a year and a half ago | (#43037583)

True. But I have to ask the same question again: Who's to say that users will be competent enough to know the difference? Users should be smart enough not to reuse passwords, and it's within reason to expect them to recognize when that little green HTTPS padlock is present, but the technical details of how this is handled internally by a legitimate company cannot and will not be understood by the average user.

It does raise an interesting question about where the responsibility for these things lies, and given the fact that you should never give the user the benefit of the doubt, I'm with the OP on this one: the service provider should be bound by a legal responsibility to protect their clients' information. Storing cleartext passwords should've been the first no-no taught on day one of "Web Databases 101."

Of course, there is no "Web Databases 101" (or no employers look for it) so that is why we have self-taught PHP/MySQL scrawlers come in off of the street and pull shit like this.

plaintext passwords (1)

fyngyrz (762201) | about a year and a half ago | (#43038415)

That's not a password.... This is a password!

Re:Storing plaintext passwords should be illegal (1)

Anonymous Coward | about a year and a half ago | (#43038521)

If browsers started warning people when the submitted form contained a password field and the destination was not over SSL, developers would learn pretty fast.

Re:Storing plaintext passwords should be illegal (2)

ShanghaiBill (739463) | about a year and a half ago | (#43034929)

If only there were a widely deployed standard way of encrypting data submitted to web servers.

Of course there is. [wikipedia.org] But that solves a different problem: a password will be encrypted in transmission, but is unencrypted on the other end, so the server will still receive your form with plaintext passwords. By default, input fields of type "password" should be encrypted and only the encrypted password should be sent to the server. The server should have no access to the plaintext. They can't store what they don't have in the first place.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43035529)

Digest authentication [wikipedia.org] solved this over a decade ago. And it actually is standard. However, no one uses it, mostly because you can't log out using it. And IE had an incompatible implementation that only worked with IIS. I don't know if this is still the case. However, it wouldn't require much from web browsers to add a special logout button that removes Basic Authentication as well as Digest Authentication states from sites that match the screen viewed at the time. The fact that it uses MD5 might be a problem, but it would still be a lot more secure than what the Australian Tax Office is doing.

In Digest Authentication, you don't even store a password. You store a hash that is derived from a hash of your domain and a hash of the password. Therefore the hash is different for each domain as well. Also, the password is never sent in plain text anywhere. Not even over an encrypted link. Therefore malicious sites that collect passwords and try to use them on other sites don't get any, or are easily identified as such sites. There are even methods to prevent replay attacks, so you can quite safely use it over a regular unencrypted HTTP link as well. Of course, the security would be compromised in other ways if you did that.
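The exchange the comment above describes, written out as an added example (not code from the original thread or from any Slashdot poster). It follows the RFC 2617 Digest scheme with qop=auth: the server keeps only HA1 = MD5(username:realm:password), the client sends a response derived from HA1 plus the server nonce, a client nonce and a request counter, and the server rejects a repeated (replayed) counter for the same nonce. The realm name, usernames and URIs are constructed for the example; the enrolment step assumes the client computes HA1 itself and sends that, so the server never handles the password.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

REALM = "tax.example.invalid"   # constructed realm name for this example


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def compute_ha1(username: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(username:realm:password). This is all the server stores,
    and it differs per realm, so a leak at one site is not a credential at another."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    def __init__(self) -> None:
        self.ha1_by_user: dict[str, str] = {}   # username -> HA1, never the password
        self.nonces: dict[str, int] = {}        # nonce -> highest nc accepted so far

    def enrol(self, username: str, ha1: str) -> None:
        # Assumption for this example: the client computes HA1 locally and
        # submits it at enrolment, so the plaintext never reaches the server.
        self.ha1_by_user[username] = ha1

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": REALM, "nonce": nonce, "qop": "auth"}

    def authorize(self, method: str, auth: dict) -> bool:
        ha1 = self.ha1_by_user.get(auth.get("username", ""))
        nonce = auth.get("nonce", "")
        if ha1 is None or nonce not in self.nonces:
            return False
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False   # counter not increasing: a replayed request
        expected = digest_response(ha1, method, auth["uri"], nonce, auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.nonces[nonce] = nc
        return True


class DigestClient:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.ha1 = compute_ha1(username, password)   # the password itself is not retained
        self.nc = 0

    def authorization_header(self, method: str, uri: str, challenge: dict) -> dict:
        """Build the Authorization header fields for one request against a challenge."""
        self.nc += 1
        nc = f"{self.nc:08x}"
        cnonce = secrets.token_hex(8)
        return {
            "username": self.username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(self.ha1, method, uri, challenge["nonce"], nc, cnonce),
        }


if __name__ == "__main__":
    server = DigestServer()
    client = DigestClient("alice", "correct horse battery staple")
    server.enrol("alice", client.ha1)
    ch = server.challenge()
    hdr = client.authorization_header("GET", "/business/portal", ch)
    print("first request accepted:", server.authorize("GET", hdr))
    print("same header replayed:  ", server.authorize("GET", hdr))
```

Nothing in `hdr` or in the server's table contains the password, which is the property the comment is after; what the server holds is still a long-lived, MD5-based credential for that one realm, so the transport and the storage of HA1 both still need protecting.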

Re:Storing plaintext passwords should be illegal (1)

kwark (512736) | about a year and a half ago | (#43037305)

"Also, password is never sent in plain-text anywhere. Not even over encrypted link."

Not true, both sides need a shared secret. So there is a little problem at account creation time/password updates. Nevertheless, it is much much much more secure since passwords are only transmitted once.

Re:Storing plaintext passwords should be illegal (1)

Tarlus (1000874) | about a year and a half ago | (#43035619)

Also, having a web browser submit a hashed password without SSL would do nothing to protect your account. It could still be intercepted and used by a malicious third party. They just wouldn't know right out in the open what the original password is.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43035773)

I was going to say, this is just plain stupid.

Transmitting the hashed password gains you NOTHING, the hash would then be intercepted and passed by . The requirement should be that hidden fields not operate except when passed via HTTPS.

Re:Storing plaintext passwords should be illegal (1)

Anonymous Coward | about a year and a half ago | (#43034763)

I think you mean "password" fields, not hidden. Hidden input fields are used to transmit all sorts of data, and rarely is it sensitive enough to warrant client-side encryption. They generally don't even carry data that was actually submitted by the user.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43034811)

When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256.

This would still allow attackers to log in as anyone they wanted if they got a dump of "plaintext" passwords - they would just send the hash instead.
Bcrypt additionally includes a salt -- which is good for password storage, but means you can't compare two Bcrypt hashes to check whether they're the same password. The browser would need to use the same salt every time you logged in to a site.

I think most users would be just as well served with a decent password manager.

Re:Storing plaintext passwords should be illegal (1)

ShanghaiBill (739463) | about a year and a half ago | (#43035649)

This would still allow attackers to log in as anyone they wanted if they got a dump of "plaintext" passwords - they would just send the hash instead.

Only if the hashes were stored directly. Any competent website admin would add another layer of encryption on the server side before storing the password. Any good security scheme requires defense in depth, and client side password encryption would just be one additional level. But as TFA shows, in many cases that one level would be replacing zero levels.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43034819)

Yes, let's have the browser take care of the bcrypt step so that the website can write the result in plaintext and be fine! Brillant!!!

Re:Storing plaintext passwords should be illegal (1)

SirGarlon (845873) | about a year and a half ago | (#43034835)

It needs to be more than a bad idea: it needs to be illegal

Yeah, because what we really need in IT are more compliance checklists and more lawyers and more absolute rules that never get revisited or updated.

Re:Storing plaintext passwords should be illegal (1)

JDG1980 (2438906) | about a year and a half ago | (#43035019)

Yeah, because what we really need in IT are more compliance checklists and more lawyers and more absolute rules that never get revisited or updated.

Under what circumstances do you believe it is appropriate, or would be appropriate at any time in the future, for a website to store passwords in clear-text?

Re:Storing plaintext passwords should be illegal (4, Interesting)

Chris Mattern (191822) | about a year and a half ago | (#43035163)

The problem is, I am very leery of having those who are not knowledgeable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.

"Where are your encrypted passwords?"
"We use PKI keys, we don't have *any* passwords"
"So you don't have any encrypted passwords?"
"No, we don't need them."
"Off to jail with you, then."

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43036273)

A server should never be storing encrypted passwords, either.
Salted hashes of passwords are not encrypted.

Re:Storing plaintext passwords should be illegal (3, Interesting)

SirGarlon (845873) | about a year and a half ago | (#43035841)

That's not the point. I do not believe it is appropriate to develop software without a revision-control system in place, but I've seen people do it. I do not, however, advocate a law to require people do basic obvious stuff like that.

There are several reasons, but the foremost is probably that ill-informed people (technical and non-technical) tend to mistake "going through the motions" for "doing it right." That is, checklists promote a cargo cult [wikipedia.org] approach to security.

Compliance != good design, and indeed compliance is only a subset of good design when the requirements are perfect.

Re:Storing plaintext passwords should be illegal (1)

Smauler (915644) | about a year and a half ago | (#43037651)

I'm not an expert here.... but 15 years ago when I set up a fantasy football website for me and my friends, I immediately understood the security implications of storing passwords in plain text. I was working on the database directly - I didn't want to know my friends' commonly used passwords. Most of them were not too tech savvy, I don't think anyone asked me about password storage.

All I did was store a truncated MD5 hash, IIRC. This wasn't high security stuff... I just didn't want to know their passwords, and I wanted them to know I couldn't. That site could have been compromised very very easily, via a whole load of avenues I didn't block off (SQL injection being the obvious one), but I wasn't that concerned about that.

If I could do it 15 years ago on a shitty amateur site, there is literally no excuse. None.

Re:Storing plaintext passwords should be illegal (3, Insightful)

dkleinsc (563838) | about a year and a half ago | (#43035085)

Yeah, because what we really need in IT are more compliance checklists

Yes, we do, because it's abundantly clear that there are lots of IT organizations that can't meet the basic requirements of doing the job properly.

and more lawyers

Yes, to deal with the cases where IT organizations skimp or lie about meeting the requirements.

and more absolute rules

Yes, so they know when they're in compliance and when they aren't. For example, a rule that "No password may be stored in clear text." is quite absolute, and also appears to be quite necessary.

If it weren't a financial system that everyone in Australia is required by law to use, I'd be fine with the standards being looser, because then the damage would be less.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43034887)

Maybe you were using the word "encrypting" loosely, but Bcrypt and SHA-256 don't do encryption.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43035377)

His non-working idea works in his mind, so give him a break. Everyone can do cryptography thanks to Dunning and Kruger. Then all you need for a +5 score is a catchy subject and 2 wikipedia links.

Re:Storing plaintext passwords should be illegal (1)

Anonymous Coward | about a year and a half ago | (#43034891)

Storing passwords in readable text is a bad idea for a lot of reasons

It needs to be more than a bad idea: it needs to be illegal[.]

My god son, you've just made possession of Post-It Notes into a felony.

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43034893)

It doesn't matter at all about the hidden fields, just make it all SSL and all the fields are encrypted. What we need is to get rid of the password field and replace it with a PKI field, allowing websites to accept a public key to set the password, and users sign the websites token to perform a login. Get rid of the idea of a password for a site entirely, and don't rely on a third party. If you never give them a password you never have to worry about them storing one.

The DoD already does this, though they use SSL to handle it (the SSL handshake supports it, so they just have their websites locked to SSL only with a PKI cert required, which means you get a prompt trying to access the page); additionally the private key can be stored on a removable smart card which generates its own certs used for signing from that, meaning your computer never receives a copy of the private key (thus it can't be copied off the system).

Re:Storing plaintext passwords should be illegal (1)

rminsk (831757) | about a year and a half ago | (#43034911)

...browsers should not allow "hidden" fields to be transmitted directly, instead should have a default action of encrypting them with Bcrypt or SHA-256.

So now I steal the database of hashes that the browser transmitted. Just as good as having the plaintext. Now all I need to do is send the hash.

Re:Storing plaintext passwords should be illegal (1)

rtaylor (70602) | about a year and a half ago | (#43035487)

Indeed. The Hash is the plaintext password.

Hashing a password only protects a user's account on other websites when they're silly enough to use the same password on all websites.

It also makes it damnably difficult to strengthen or change the hash if a problem is found. If you picked MD4, you're stuck with it forever.

I don't know what the solution is but hashing the password in the DB has created as many problems as it solved for me.

Re:Storing plaintext passwords should be illegal (2)

ShanghaiBill (739463) | about a year and a half ago | (#43035749)

Indeed. The Hash is the plaintext password.

Hashing a password only protects a user's account on other websites when they're silly enough to use the same password on all websites.

It also makes it damnably difficult to strengthen or change the hash if a problem is found. If you picked MD4, you're stuck with it forever.

These objections are only true if the client-generated hash is stored directly. There is nothing to stop a competent admin from applying another hash on the server side.

Re:Storing plaintext passwords should be illegal (1)

Bengie (1121981) | about a year and a half ago | (#43036885)

Hashing the password also protects the user on the current website, assuming both the hash and the password are strong.

Add another field to your back-end, next time the user logs in, hash using the new algorithm.

Re:Storing plaintext passwords should be illegal (3, Informative)

blueg3 (192743) | about a year and a half ago | (#43035153)

But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt [wikipedia.org] or SHA-256. [wikipedia.org] When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

This is why security is often so terrible: people don't know what they're talking about when it comes to security, but they throw some encryption (or in this case, hashing) at the problem and hope it solves it, like pixie dust.

Hashing isn't encryption; encryption is reversible, while hashing isn't. There's already a system for encrypting transmissions between a browser and a Web server.

If you hash the password before transmitting it, then the hash is simply the password. Sure, it doesn't look like "password" or "123456", but it retains all of the security problems that a plaintext password does. It provides absolutely no security benefits, but it looks better (if you don't look too hard) because you've applied some crypto, somewhere!

Re:Storing plaintext passwords should be illegal (2)

Smauler (915644) | about a year and a half ago | (#43037797)

Hashing before sending is pointless... except for the fact that your password is not easily guessable.

Hashing on the server side should be basic common sense, which is what this story is about.

Re:Storing plaintext passwords should be illegal (1)

blueg3 (192743) | about a year and a half ago | (#43037963)

How about you read the comment to which I was replying? I quoted the relevant part in my comment, even.

Here, I'll do it again.

When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. ... The default should be transmission of encrypted passwords, not plaintext.

They're talking about hashing before sending.

I agree that the article is about the actually-useful practice of hashing server-side. But my comment is rightfully about the useless suggestion of hashing client-side.

Re:Storing plaintext passwords should be illegal (2)

Bert64 (520050) | about a year and a half ago | (#43035199)

If you encrypt/hash the data before you send it then you no longer need the plaintext, the hash becomes the plaintext equivalent. Also any sensible passwd hashing algorithm will be salted, so you would need to leak the user's salt *before* they authenticate.

While not illegal, many security guidelines (some of which are mandatory within certain circles) require that passwords be appropriately hashed etc... Windows generally doesn't comply with such guidelines (stores plaintext in memory, uses unsalted hash, allows hash to be used instead of plaintext) etc, so many such guidelines make a special exception for windows... But anyone else has to comply, so clearly a ridiculous situation.

So, anyone running windows is storing their user passwords in a plaintext equivalent form.

Re:Storing plaintext passwords should be illegal (1)

DickBreath (207180) | about a year and a half ago | (#43035213)

Yes, unencrypted passwords should be illegal. So use Rot-13.

Seriously, there should probably be some minimum requirements for encryption.

But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt [wikipedia.org] or SHA-256.

Be careful that you can still work with older browsers. While browser improvements are great, they don't get deployed everywhere overnight. Another approach is to have some hidden fields that are part of the submitted form, and some that are not. Use Javascript to unscramble the received fields upon page load, and to re-scramble them prior to submitting back to the server. This approach may not work for general purpose websites open to the public, but works great for web based business applications where Javascript is already almost universally required.

Re:Storing plaintext passwords should be illegal (1)

tlhIngan (30335) | about a year and a half ago | (#43035633)

Storing passwords in readable text is a bad idea for a lot of reasons

It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust, need to pay a price for their negligence.

One of the problems I see is if they can't be bothered to hash passwords, they probably can't be bothered to do it right despite what the law says. After all, a hashed password table is just as bad if used incompetently, maybe worse because of a false sense of security.

Think stuff like failing to salt, using low grade hashes, etc.

At least with plain-text, it's obvious security is bad. With poorly implemented "encryption", things are worse.

Re:Storing plaintext passwords should be illegal (1)

mlts (1038732) | about a year and a half ago | (#43036309)

What might be an idea would be client-side HTML5 code to do the MD5/SHA/bcrypt hashing [1] on the local machine before sending it up. This doesn't get rid of the need for SSL, but it does ensure that the original passphrase is extremely hard to obtain.

If a passphrase has to be stored for some reason (perhaps it needs retrieval intact), then there is a fairly easy way to deal with that: Have a clientside app that takes the password plus a salt and encrypts it with the site's public key [2]. That way, should the key have to be recovered, it still can be, but nowhere except the client's computer does the plaintext exist without someone explicitly decrypting the encoded text.

[1]: With a salt sent from the server.

[2]: Assuming the private key part is stashed in a HSM and is of a decent length (8192 bits, ideally 32768 bits.)

Re:Storing plaintext passwords should be illegal (0)

Anonymous Coward | about a year and a half ago | (#43036325)

Technically this isn't encrypting, it's hashing. Encryption can be decrypted, hashes are one way functions. Technically then,

encrypting them with Bcrypt [wikipedia.org] or SHA-256
If only there were a widely deployed standard way of encrypting data submitted to web servers.

Isn't really an issue, because there isn't a uniform mandate to do exactly what the parent wanted. He got some technical phrasing wrong, but that's still better than hoping issues like this don't happen.

Re:Storing plaintext passwords should be illegal (1)

abigsmurf (919188) | about a year and a half ago | (#43036611)

There are a few thousand ways you could 'hide' an input field, you could maybe protect against 2 of them.

In return for that pathetic amount of protection you would break millions of websites.

No, not SHA-256 (1)

jonabbey (2498) | about a year and a half ago | (#43037279)

You don't want to use SHA-256 by itself, because that's a high speed unsalted hash algorithm.

Ulrich Drepper created a good password crypt algorithm which incorporates SHA-256 or SHA-512, but the features that make it resistant to dictionary attack are the salt and the massive iterations over SHA to slow down the algorithm.

BCrypt uses the same techniques to slow down dictionary attacks.
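The storage side the summary and the comment above describe (salt plus deliberately slow iteration), together with the migration point made earlier in the thread (rehash an old record with the new algorithm at the next login, so a site is not stuck with its first choice of hash), as an added example that is not code from the original thread or from any Slashdot poster. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt or Drepper's SHA-crypt so it runs with no third-party package; the iteration count, record format and user names are assumptions made for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000              # work factor for new records; constructed for this example
SALT_BYTES = 16
PBKDF2_PREFIX = "pbkdf2_sha256"   # record format assumed here: alg$iterations$salt$key
LEGACY_PREFIX = "sha256"          # unsalted single-pass SHA-256: the format being retired


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def legacy_hash(password: str) -> str:
    """Unsalted, high-speed SHA-256, the kind of record the comment warns against.
    Present only so the migration below has a realistic old record to upgrade."""
    return f"{LEGACY_PREFIX}${hashlib.sha256(password.encode()).hexdigest()}"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Fresh random salt per user plus many iterations, so equal passwords give
    different records and each guess against a dump costs the full work factor."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> tuple[bool, str | None]:
    """Return (matches, replacement_record). The replacement is a fresh hash
    when the stored record is legacy or below the current work factor."""
    alg, *fields = record.split("$")
    if alg == PBKDF2_PREFIX:
        iterations_str, salt_b64, key_b64 = fields
        iterations = int(iterations_str)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), base64.b64decode(salt_b64), iterations)
        ok = hmac.compare_digest(candidate, base64.b64decode(key_b64))
        needs_upgrade = ok and iterations < ITERATIONS
        return ok, (hash_password(password) if needs_upgrade else None)
    if alg == LEGACY_PREFIX:
        ok = hmac.compare_digest(legacy_hash(password), record)
        return ok, (hash_password(password) if ok else None)
    raise ValueError(f"unknown record format: {alg}")


def algorithm_of(record: str) -> str:
    return record.split("$")[0]


class UserStore:
    """Minimal in-memory credential table; only hash records are ever kept."""

    def __init__(self) -> None:
        self.records: dict[str, str] = {}

    def add_user(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def add_legacy_user(self, username: str, password: str) -> None:
        self.records[username] = legacy_hash(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Burn the same work as a real check so absent users are not
            # distinguishable by response time.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * SALT_BYTES, ITERATIONS)
            return False
        ok, replacement = verify_password(password, record)
        if ok and replacement is not None:
            # The plaintext is in hand only during a successful login, so this
            # is the one moment an old record can be rewritten in the new form.
            self.records[username] = replacement
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("alice", "correct horse battery staple")
    print("before login:", algorithm_of(store.records["alice"]))
    print("login ok:    ", store.login("alice", "correct horse battery staple"))
    print("after login: ", algorithm_of(store.records["alice"]))
```

The algorithm name and iteration count travel inside each record, so raising the work factor later is a one-line change to `ITERATIONS` and every account upgrades itself on its next successful login; accounts that never log in keep the old record and can be expired or forced through a reset separately.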

Re:Storing plaintext passwords should be illegal (1)

cheater512 (783349) | about a year and a half ago | (#43038071)

If the password is hashed client side and the database gets exploited, you've just given access to everyone.
Since they can just manually use the hash from the db to log in.

You'd need to do double hashing with per site salt to counteract it.

Or just use SSL like everyone else suggested. Somewhat easier and doesn't have that problem.
Or you could manually SHA1 your passwords and use the hashed copy as your password for long and pseudorandom passwords.

Re:Storing plaintext passwords should be illegal (1)

prshaw (712950) | about a year and a half ago | (#43038557)

And who should write the law on this? Who enforces the law?
I don't think I want the 'International Internet Police' coming to my house to see if I have applied the correct level of security to the passwords stored on my computer.
Hell, I don't want the 'International Internet Police' coming to my house for anything!

Re:Storing plaintext passwords should be illegal (1)

OldSoldier (168889) | about a year and a half ago | (#43040581)

Agreed about making it illegal... but many US companies store passwords in clear text too. Most notably many cell phone companies store your PINs in cleartext... any agent at the carrier can see what yours is.

This has been a pet peeve of mine for years... when companies have (are required?) privacy policies about what they do with your personal information yet there's no discussion at all as to what they do with your passwords, it's like putting a bandaid on a severed artery.

One weak reason for WHY it should really be a law (0)

Anonymous Coward | about a year ago | (#43047291)

It needs to be more than a bad idea: it needs to be illegal

Gotta post anon here...

I'm a programmer who maintains a website which stores plaintext passwords, though that'll be changing later today. We recently discovered that, surprise surprise, that database has been read. Yet another list of email addresses associated with plaintext passwords is out there now, and it's our fault.

We have known about the risk for years, and it's not like I lack the expertise to do anything about it. But there's a problem: one of our use cases is that sometimes we have to tell users their forgotten password. (And you can't fix the problem and also preserve that use case.) I know, it's just as easy to give people an email password reset. But that's not what we had. I don't decide the use cases or tell people, "no, you may not do that anymore. I am unilaterally taking away one of the things you wanted to sometimes do, boss."

So the horse had to escape the barn, before fixing the barn door could be greenlit.

I'm conflicted about whether or not there should be a law, but I have to admit something. In prior years' discussions about the topic, if I had a law to point to, and could have said, "we have to do this to comply with the law, or else if anyone ever finds out, we'll be in legal trouble (rather than merely hated)," then our own breach would have been prevented before it ever happened.

Honestly, when you get down to it, that's really just saying I wish I could make my argument with a gun, so that I could win it. And I know that's usually a sign that you have a bad argument. "There ought to be a law" usually means the person who said it needs to be removed from lawmaking. But in this case...

Re:Storing plaintext passwords should be illegal (1)

ElizabethGreene (1185405) | about a year ago | (#43094789)

More laws are rarely the answer. Saying "There should be a law" is really saying "I trust the bastions of incompetence in the halls of government to do ..." I don't trust those halls to pick up garbage, much less to regulate IT.

not an excuse to not pay your taxes so suck it up (1)

Joe_Dragon (2206452) | about a year and a half ago | (#43034609)

not an excuse to not pay your taxes so suck it up and pay

The Australian government is... (1)

Press2ToContinue (2424598) | about a year and a half ago | (#43034631)

emasculating my password, and book-ending my brain. Please make them stop.

Users should never reuse passwords... (-1)

Anonymous Coward | about a year and a half ago | (#43034671)

But they will continue to do so, no matter the risk.

It SHOULD be illegal (2, Insightful)

Jawnn (445279) | about a year and a half ago | (#43034751)

That kind of brain-dead security fail should be illegal, and I mean pay "a fine and go to jail" felony-type illegal. It is clear understatement to say that there is simply no excuse for this to have happened.

Re:It SHOULD be illegal (2)

slackware 3.6 (2524328) | about a year and a half ago | (#43035191)

So you would put the blame on the person that failed to stop someone from doing something illegal as in "felony-type illegal". Should the blame and punishment be applied to the real criminal instead? Our mailboxes don't even have locks around here. And it's not a problem. Why? Because there are severe penalties for touching someone else's mailbox. You would rather jail the owner of the postbox because they did not prevent the theft by putting a lock on the postbox. Why not jail the person breaking into the postbox? Or do you steal people's mail (or passwords) and not want to worry about going to jail if caught? If you steal from me it is not my fault for leaving something unlocked, it is your fault for being a thief.

Re:It SHOULD be illegal (1)

Bengie (1121981) | about a year and a half ago | (#43036915)

Should the baby sitter be blamed for handing your child to some random homeless guy or should you blame the homeless guy?

Gross Professional Negligence.

Re:It SHOULD be illegal (0)

Jawnn (445279) | about a year and a half ago | (#43037989)

I should not have to point this out, but storing passwords in the clear, for a large collection of users, on a system that contains sensitive data, is hardly the same thing as having a mailbox without a lock. All of those users have a reasonable expectation that their accounts will be secure. The keepers of that particular system have pissed on that trust. They should be punished for so willfully disregarding their responsibility here.

Re:It SHOULD be illegal (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43035745)

What? No. Anal gang rape prison is disproportionate to being too dumb to hash passwords.

This should be a simple matter of strong liability for misdeeds. With actual liability, website owners would be strongly incentivized to take out insurance, and those insurance companies would be strongly incentivized to see that their insured has good security practices.

If you have to mandate something, make it displaying their compliance certificate on their website, preferably in a machine-readable format. But even that is pushing it, because what would the consequences be?

Financial incentives are plenty here - there's no need for putting people in cages because they're bad at running a website.

Re:It SHOULD be illegal (0)

Anonymous Coward | about a year and a half ago | (#43036601)

/thread

You are 100% right about that entire thing.

Re:It SHOULD be illegal (1)

Smauler (915644) | about a year and a half ago | (#43037819)

Anal gang rape prison is disproportionate

FTFY

Password reuse... (0)

Anonymous Coward | about a year and a half ago | (#43034785)

If you're dumb enough to use the same password all over, you deserve to get your identity stolen with all the implicated trouble. Call it evolution.

It's ok, because they're downunder (1, Funny)

BMOC (2478408) | about a year and a half ago | (#43034877)

No one looks down there.

Why people reuse passwords. (1, Interesting)

slackware 3.6 (2524328) | about a year and a half ago | (#43034915)

Most of us have very busy lives and not enough time to remember long passwords, especially long passwords with CAPS and numbers. It is quicker to sign up for a new gmail account than figure out that password you never used in a month. Now why don't people think of the poor abandoned email accounts tying up that username you really wanted? Now my bank and credit card pins came in the mail in plain text. It's not usually a problem. Why, you ask? Because it is very illegal and you will spend a lot of time in jail. This attitude that the internet is a toy and the rules don't apply "cause yer l33t if you can break into someone's computer or steal personal info" has to change. If you unlawfully access my computer or personal info you should go to jail just as if you were caught with your hand in my mailbox.

Re:Why people reuse passwords. (0)

Anonymous Coward | about a year and a half ago | (#43035699)

The banks don't care about your security. It's not because you will go to jail that they don't encrypt the PIN; it's because it would cost too much to do it right. In either case the PIN access proves it was you that accessed the account, and it is your responsibility to keep it safe, not theirs.

Financial security should be stronger than secrecy (1)

Marrow (195242) | about a year and a half ago | (#43035073)

Why is it still the case that we live in terror that someone can get our secret financial information and ruin our lives? Secret information that is frequently scattered around in the public domain anyway. At this point it should be possible to lock down financials and identities so that this problem is in the past.
If nothing else, someone should see a business opportunity in offering that kind of security. Move your money to this bank/credit because we offer real financial protection for you. You will never be inconvenienced by the old poorly secured way of doing things again.

Hashes not enough either (3, Insightful)

Todd Knarr (15451) | about a year and a half ago | (#43035197)

Unfortunately, as has been demonstrated recently, hashed passwords don't protect very well against attacks either if the intruder gets access to the stored passwords themselves. Faster and cheaper hardware combined with cheap storage have allowed attacks on hashed passwords that would've been infeasible only a few years ago. And hashed passwords on the back-end mean that cleartext passwords almost have to be passed over the wire where they're vulnerable to interception not just by things snooping network traffic but by malware that's inserted itself into the network stack on either end.

And most importantly, storing passwords in the clear makes it perfectly clear that they are vulnerable to any compromise that gives an intruder access to the stored passwords. Having them hashed gives a false sense of security and the opening to argue that compromises don't have to be disclosed because the passwords are hashed and thus haven't really been compromised, even though the hash isn't going to really keep the passwords from being compromised.

I much prefer a system that segregates passwords onto a dedicated authentication service that runs on a machine that's walled off and isolated from even the production machines except for the small hole needed for access to the authentication service (which should be written, at least the input and input-parsing portions, by professional paranoids). Then store passwords on it in the clear if needed so you can use challenge-response authentication methods that avoid needing to transmit the password itself between the client and your systems. That way your efforts to protect the passwords can be concentrated on that authentication server with its relatively small exposed area, rather than on your entire system with its large exposure to attacks.

Re:Hashes not enough either (2)

scorp1us (235526) | about a year and a half ago | (#43035855)

Wrong on many accounts. I have a browser plugin [crossrider.com] and website [passhasher.com] that do password hashing in the client (via javascript); your password is not transmitted, the hash is computed locally.

These are still vulnerable to dictionary attacks because the dictionary can be quickly hashed. That's why the hashes in the website and plugin above are variable. You can set your hash for any number. We default at 20, which does slow the attacker down. However the attacker won't know where to stop and they are only looking at hash after hash, and having to try each one. This should also slow them down as well. Never mind they have a whole dictionary to go through. The techniques combine to make a formidable computational combination. But it isn't perfect. Since only your hash is sent, your password remains unknown and safe.

Re:Hashes not enough either (1)

Todd Knarr (15451) | about a year and a half ago | (#43036211)

That sounds like a challenge/response system. Does the plug-in require that the server send a random nonce? If not, it's vulnerable to replay and pre-play attacks, since without the nonce the hash values are predictable. And with a nonce you should only need one exchange, assuming your hash algorithm is sufficiently robust (if it isn't, I'm afraid no number of repetitions will make the exchange secure).

Note: as has been demonstrated repeatedly over the last decade, any cryptographic system that's vulnerable to something better than a brute-force attack and which depends on computational infeasibility will end up broken in short order; the only question is how quickly advances in hardware will make what was once infeasible trivial.

Also note: the above doesn't mean that systems that are only vulnerable to a brute-force attack won't become vulnerable, only that they're the best we can do. Once hardware advances to the point where it's feasible to brute-force the key, all you can do is find an orders-of-magnitude-harder problem to base your system on.

Re:Hashes not enough either (1)

Sarten-X (1102295) | about a year and a half ago | (#43037939)

It's not a challenge-response system at all. The website (and I assume the plugin as well) will generate a long hash value based on the website name and a different personal password. That long hash can be used as the password on a website, so if the website's breached, the user's short password is protected. It's not about maintaining the security of that particular account (which is a moot point if the server's been thoroughly hacked), but rather letting the user have one password to remember easily for all sites, without opening them up to the vulnerabilities of password reuse [xkcd.com].
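An added illustration of the per-site derivation scorp1us and Sarten-X describe (one memorised master password, a site-name-salted hash used as the password for each site, with a tunable iteration count). This is example code written for this thread, not the passhasher.com algorithm; PBKDF2-HMAC-SHA256 is assumed as the stretching function.

```python
import base64
import hashlib


def normalise_site(site: str) -> str:
    """Reduce a site name to a stable salt: lowercase, no scheme, no path,
    no leading 'www.', so the same site always yields the same password."""
    host = site.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0]
    return host[4:] if host.startswith("www.") else host


def site_password(master: str, site: str, iterations: int = 100_000,
                  length: int = 20) -> str:
    """Derive a per-site password from the master password.

    The site name is public, so the master password is the only secret;
    the iteration count is the tunable work factor that slows a dictionary
    attack on the master if one site leaks its derived password.  Note
    that changing `iterations` (or `length`) changes every derived
    password, so those settings must be kept with the tool."""
    salt = normalise_site(site).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    # URL-safe base64 keeps the result printable; truncate to what the
    # site's password rules accept.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed demo: same master, two sites, two unrelated passwords.
    for s in ("https://www.Example.com/login", "example.org"):
        print(normalise_site(s), site_password("correct horse", s))
```

The receiving site still has to hash whatever it is given; the derivation only limits what a breach of that one site reveals about the master password.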

Re:Hashes not enough either (1)

scorp1us (235526) | about a year and a half ago | (#43038533)

Correct!

Also, this XKCD [xkcd.com] applies as well.

Re:Hashes not enough either (1)

fulldecent (598482) | about a year and a half ago | (#43037133)

FYI challenge-response systems do not require storing the plaintext password
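Added example (not from any poster in this thread) tying together Todd Knarr's point that a challenge-response exchange needs a random, single-use nonce from the server, and fulldecent's point that the server need not hold the plaintext. The server stores only a salted PBKDF2 verifier; the client re-derives it and answers the nonce with an HMAC. Usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, tune for your hardware


def make_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    def __init__(self):
        self.users = {}    # username -> (salt, verifier); no plaintext kept
        self.pending = {}  # username -> outstanding nonce, consumed on use

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, make_verifier(password, salt))

    def challenge(self, username: str):
        """Message 1 (server -> client): salt and a fresh random nonce.
        A new nonce per attempt makes every response unpredictable, so a
        recorded response is useless against the next challenge."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Message 2 (client -> server): HMAC over the nonce, checked once."""
        nonce = self.pending.pop(username, None)  # single use: replay fails
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, password: str):
        self.password = password

    def respond(self, salt: bytes, nonce: bytes) -> bytes:
        # The password never leaves the client; only the keyed MAC does.
        return hmac.new(make_verifier(self.password, salt), nonce, "sha256").digest()


def login(server: Server, username: str, client: Client) -> bool:
    salt, nonce = server.challenge(username)
    return server.verify(username, client.respond(salt, nonce))
```

Caveat, as Todd Knarr raises below: in this simple scheme the stored verifier is password-equivalent, since anyone who steals it can answer challenges; a breach of the verifier store still has to be treated as a credential breach.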

Re:Hashes not enough either (1)

TomJetland (2576173) | about a year ago | (#43041427)

Does a challenge-response system appear as part of the spec for html, or implemented by common web toolkits? So many websites sound as if they are rolling their own login system which simply hides the password typed in and that's it! Do Amazon, eBay or gmail use a challenge/response system?!

Re:Hashes not enough either (1)

Todd Knarr (15451) | about a year ago | (#43047467)

Can you point to one that uses a random nonce to ensure that responses can't be recorded and reused and can't be predicted before the actual transaction, and that uses a process where the hashed form of the password can't simply be treated as the password itself?

Re:Hashes not enough either (0)

Anonymous Coward | about a year and a half ago | (#43039759)

If only we had a tunable hashing algorithm, which we could make stronger over time as attacks get better ...
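Added example of the "make it stronger over time" idea: the cost parameter is stored inside each password record, so verification uses whatever cost the record was written with, and a successful login (the only moment the plaintext is available) re-hashes any record below the current policy. Example code written for this thread, using PBKDF2-HMAC-SHA256 and a constructed `pbkdf2_sha256$cost$salt$digest` record format.

```python
import base64
import hashlib
import hmac
import os

CURRENT_COST = 200_000  # raise this as hardware gets faster; assumed value


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, cost: int = CURRENT_COST) -> str:
    """Return a self-describing record so the cost can change later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return "pbkdf2_sha256${}${}${}".format(cost, _b64(salt), _b64(digest))


def parse_record(stored: str):
    algo, cost, salt, digest = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algo)
    return int(cost), base64.b64decode(salt), base64.b64decode(digest)


def verify(password: str, stored: str) -> bool:
    cost, salt, digest = parse_record(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when the record was written with a weaker cost than policy."""
    return parse_record(stored)[0] < CURRENT_COST


def authenticate(user_db: dict, username: str, password: str) -> bool:
    """Check the password and transparently upgrade stale records."""
    stored = user_db.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_rehash(stored):
        user_db[username] = hash_password(password)  # plaintext only here
    return True
```

Records that never see a successful login keep their old cost, so an upgrade campaign should also track how many stale records remain.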

Posting anonymous to protect myself (0)

Anonymous Coward | about a year and a half ago | (#43035217)

It is not only illegal, but dangerous. About 10 years ago a disgruntled Taxation employee used unencrypted taxation information to mail letter bombs to people he felt had "done him wrong". My mother was meant to receive one of these bombs!

This information should be encrypted by default.

Re:Posting anonymous to protect myself (1)

abigsmurf (919188) | about a year and a half ago | (#43036555)

People actually need to work with tax data; it has to be decryptable by tax office staff, otherwise what's the point in it?

T-Mobile does it too (1)

Abalamahalamatandra (639919) | about a year and a half ago | (#43035261)

Or they did as of not very long ago at all - I had to recover my password on their site, and just about fell out of my chair when, instead of sending me a recovery link, they emailed me my current password.

Nowadays that password is a KeePass-generated random one.

How many had 'password' as their password? (1)

darkonc (47285) | about a year and a half ago | (#43035319)

I once got access to the unencrypted password file for a widely used site. It was rather disturbing -- and not just because the passwords were unencrypted ("It's for customer service purposes!"). Literally 10% of the users had 'password' as their password.

I guess that it wasn't quite as bad as the network service provider that had 'password' as the password through their firewall. I mean, why even have the thing, to begin with?

Google is almost as bad (0)

Anonymous Coward | about a year and a half ago | (#43035727)

If you use Google's enterprise tools for synchronizing account credentials, your best option is to send them SHA1 hashes. Not salted SHA1 hashes, just SHA1. For a company with the computational resources Google has, that's almost the same as handing over plain text, unless the passwords are exceptionally strong.

Storing PWs in Plaintext Is Okay (0)

Anonymous Coward | about a year and a half ago | (#43035937)

LOL no who even codes this shit.

Hashing is not always the best solution (2)

abigsmurf (919188) | about a year and a half ago | (#43036525)

The information in your tax account is probably far more damaging than just your password and that is stored in plain text. If you don't trust them with your password, why the hell do you trust them with all that other information?

Tax offices usually have to deal with a wide variety of enquiries, some of which may not be done over the phone. Passwords/secret phrases can be a nightmare over the phone, especially for someone non-technical; having plain text passwords allows you to verify that a granny who says "21 primrose hill" is their password when it's stored as "21 Primrose-hill".

My bank (Barclays) doesn't use encrypted passwords, they use the "say the 8th and 6th letters of your password" system plus chip + pin to verify you. As they're a high priority target for phishing, key logging and MITM, it is actually far safer to do this than forcing the entire password the whole time.

TLDR: password hashing is an (easy) additional layer of security but it comes with its own drawbacks, isn't the be-all and end-all to security and isn't needed if security measures are strong enough.

BCrypt or SHACrypt256/SHACrypt512 (1)

jonabbey (2498) | about a year and a half ago | (#43037207)

The OP is right that there's no point in using a high speed naked hash algorithm, but BCrypt isn't the only good alternative.

There's also SHACrypt-256 and SHACrypt-512 [akkadia.org], which have been supported in GNU LibC since October 2007.

Wikipedia has a pretty thorough discussion [wikipedia.org] of the various password hash routines that are in use on Unix/Linux systems, for that matter.

SRP (1)

Stormy Dragon (800799) | about a year and a half ago | (#43038931)

The Secure Remote Password protocol has been out for more than a decade now. Sites shouldn't even be storing hashed/salted passwords by this point. They should never even have possession of the actual password on the server side.

It's a third party not the ATO (1)

thedarknite (1031380) | about a year and a half ago | (#43039955)

A separate company that is managing a Publication Ordering Service for the Tax Office is storing passwords in plain text. I had to help set up access to the ATO portal at my last job, and it requires installing company-specific certificates per user, or running a specific security application which requires installing company-specific certificates, for the login screen to even show up.

Re:It's a third party not the ATO (1)

SJ2000 (1128057) | about a year ago | (#43044111)

That's right, summary is completely false.

"The system is run externally by the warehouse and separately to the ATO," a spokesperson told SC. ... "It is unable to access taxpayer information or their details. There are no financial or bank account details stored on POS."

A case of not reading the article; it's blatant FUD.
