Australian Tax Office Stores Passwords In Clear Text

mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."

Re:Storing plaintext passwords should be illegal

[Tarlus]

But if web developers aren't even hashing up their password db's, who's to say they'll be competent enough to employ SSL?

Why people reuse passwords.

[slackware 3.6]

Most of us have very busy lives and not enough time to remember long passwords especially long paswords with CAPS and numbers. It is quicker to sign up for a new gmail account than figure out that password you never used in a month. Now why don't people think of the poor abandoned email accounts tying up that username you really wanted? Now my bank and credit card pins came in the mail in plain text. Its not usually a problem. Why you ask? Because it is very illegal and you will spend a lot of time in jail. This attitude the the internet is a toy and the rules don't apply "cause yer l33t if you can break into someones computer or steal personal info" has to change. If you unlawfully access my computer or personal info you should go to jail just as if you were caught with your hand in my mailbox.

Re:Storing plaintext passwords should be illegal

[Chris Mattern]

The problem is, I am very leery of having those who are not knowledgable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.

"Where are your encrypted passwords?"
"We use PKI keys, we don't have *any* passwords"
"So you don't have any encrypted passwords?"
"No, we don't need them."
"Off to jail with you, then."

Re:Storing plaintext passwords should be illegal

[SirGarlon]

That's not the point. I do not believe it is appropriate to develop software without a revision-control system in place, but I've seen people do it. I do not, however, advocate a law to require people do basic obvious stuff like that.

There are several reasons, but the foremost is probably that ill-informed people (technical and non-technical) tend to mistake "going through the motions" for "doing it right." That is, checklists promote a cargo cult [wikipedia.org] approach to security.

Compliance != good design, and indeed compliance is only a subset of good design when the requirements are perfect.