Australian Tax Office Stores Passwords In Clear Text
mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."
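As an added example (not from the story or any comment on it), here is the clear-text store the submission describes beside a hardened store that keeps only a per-user salted, memory-hard hash. Python's standard-library scrypt stands in for the bcrypt the submission recommends (bcrypt needs a third-party package, the idea is the same); the account name and password are constructed.

```python
import hashlib
import hmac
import os

# Work factor for scrypt (standing in for bcrypt): 16 MiB of memory per hash.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


class ClearTextStore:
    """What the story describes: the password itself sits in the table, so
    anyone who can read it (staff, or an attacker after a breach) has it."""
    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


class HashedStore:
    """Hardened: per-user random salt plus a memory-hard KDF. The table holds
    only the derived key, so a leak yields no passwords directly."""
    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        salt = os.urandom(16)
        key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
        self.rows[user] = (salt, key)

    def verify(self, user, password):
        if user not in self.rows:
            return False  # unknown user: same answer as a wrong password
        salt, key = self.rows[user]
        cand = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
        return hmac.compare_digest(cand, key)  # constant-time comparison


def what_a_table_leak_reveals(user="abn-12345", password="hunter2"):
    """Register a constructed account in both stores and report what a reader
    of each table learns: the password itself, or only a salt and a key."""
    clear, hashed = ClearTextStore(), HashedStore()
    clear.register(user, password)
    hashed.register(user, password)
    salt, key = hashed.rows[user]
    return {
        "clear_text_row": clear.rows[user],
        "hashed_row_contains_password": password.encode() in salt + key,
        "hashed_store": hashed,
    }
```

Registering the same password twice in the hashed store yields two different stored keys, which is the salt doing its job against precomputed tables.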
Storing plaintext passwords should be illegal (Score:4, Insightful)
Storing passwords in readable text is a bad idea for a lot of reasons
It needs to be more than a bad idea: it needs to be illegal, and people or organizations that betray their users' trust need to pay a price for their negligence.
But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt [wikipedia.org] or SHA-256 [wikipedia.org]. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.
It SHOULD be illegal (Score:3, Insightful)
Re:Storing plaintext passwords should be illegal (Score:4, Insightful)
Yeah, because what we really need in IT are more compliance checklists
Yes, we do, because it's abundantly clear that there are lots of IT organizations that can't meet the basic requirements of doing the job properly.
and more lawyers
Yes, to deal with the cases where IT organizations skimp or lie about meeting the requirements.
and more absolute rules
Yes, so they know when they're in compliance and when they aren't. For example, a rule that "No password may be stored in clear text." is quite absolute, and also appears to be quite necessary.
If it weren't a financial system that everyone in Australia is required by law to use, I'd be fine with the standards being looser, because then the damage would be less.
Hashes not enough either (Score:4, Insightful)
Unfortunately, as has been demonstrated recently, hashed passwords don't protect very well against attacks either if the intruder gets access to the stored passwords themselves. Faster and cheaper hardware combined with cheap storage have allowed attacks on hashed passwords that would've been infeasible only a few years ago. And hashed passwords on the back-end mean that cleartext passwords almost have to be passed over the wire where they're vulnerable to interception not just by things snooping network traffic but by malware that's inserted itself into the network stack on either end.
And most importantly, storing passwords in the clear makes it perfectly clear that they are vulnerable to any compromise that gives an intruder access to the stored passwords. Having them hashed gives a false sense of security and the opening to argue that compromises don't have to be disclosed because the passwords are hashed and thus haven't really been compromised, even though the hash isn't going to really keep the passwords from being compromised.
I much prefer a system that segregates passwords onto a dedicated authentication service that runs on a machine that's walled off and isolated from even the production machines except for the small hole needed for access to the authentication service (which should be written, at least the input and input-parsing portions, by professional paranoids). Then store passwords on it in the clear if needed so you can use challenge-response authentication methods that avoid needing to transmit the password itself between the client and your systems. That way your efforts to protect the passwords can be concentrated on that authentication server with its relatively small exposed area, rather than on your entire system with its large exposure to attacks.