Australian Tax Office Stores Passwords In Clear Text
mask.of.sanity writes "The passwords of thousands of Australian businesses are being stored in clear readable text by the country's tax office. Storing passwords in readable text is a bad idea for a lot of reasons: they could be read by staff with ill intent, or, in the event of a data breach, could be tested against other web service accounts to further compromise users. In the case of the tax office, the clear text passwords accessed a subsection of the site. But many users would have reused them to access the main tax submission services. If attackers gained access to those areas, they would have access to the personal, financial and taxpayer information of almost every working Australian. Admins should use a strong hash like bcrypt to minimize or prevent password exposure. Users should never reuse passwords for important accounts."
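The summary's recommendation, a slow salted hash instead of clear text, is easy to show side by side. The following is an added example, not code from the tax office or from the submitter; bcrypt is not in the Python standard library, so it uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in for the same idea (per-user random salt, deliberately expensive derivation, constant-time comparison). The record format `pbkdf2_sha256$iterations$salt$hash`, the iteration count and the sample usernames and passwords are all assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the example; tune to the slowest acceptable login
# latency on the real hardware rather than copying this number.
ITERATIONS = 210_000


def store_plaintext(password: str) -> str:
    """The pattern the article describes: whoever reads the store reads the password."""
    return password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt and derived key.

    A fresh 16-byte salt per user means identical passwords produce different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def build_store(credentials: dict, hashed: bool) -> dict:
    """Build a username -> record table the insecure way or the hashed way."""
    if hashed:
        return {user: hash_password(pw) for user, pw in credentials.items()}
    return {user: store_plaintext(pw) for user, pw in credentials.items()}


def plaintext_exposed(store: dict, password: str) -> bool:
    """True if a reader of the stored records can see this password directly."""
    return any(password in record for record in store.values())


if __name__ == "__main__":
    # Constructed sample accounts; two users who picked the same password.
    sample = {"abn-1001": "Winter2013!", "abn-1002": "Winter2013!", "abn-1003": "hunter2"}
    weak = build_store(sample, hashed=False)
    strong = build_store(sample, hashed=True)
    print("plaintext store leaks password:", plaintext_exposed(weak, "Winter2013!"))
    print("hashed store leaks password:   ", plaintext_exposed(strong, "Winter2013!"))
    print("same password, same record?    ", strong["abn-1001"] == strong["abn-1002"])
    print("login abn-1003 / hunter2:      ", verify_password("hunter2", strong["abn-1003"]))
    print("login abn-1003 / Hunter2:      ", verify_password("Hunter2", strong["abn-1003"]))
```

The self-describing record is the part worth copying: when the work factor needs raising later, new records carry the new iteration count and old ones still verify, which lets an operator migrate users at their next login instead of forcing a reset. Note also that the second point in the summary, password reuse across the subsection and the main service, is not solved by hashing; it is reduced only by not reusing passwords and by rate-limiting login attempts against the protected service.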
Re:Storing plaintext passwords should be illegal (Score:5, Interesting)
But if web developers aren't even hashing up their password DBs, who's to say they'll be competent enough to employ SSL?
Why people reuse passwords. (Score:2, Interesting)
Re:Storing plaintext passwords should be illegal (Score:5, Interesting)
The problem is, I am very leery of having those who are not knowledgeable pass rules on technical matters, even if the correct rule would be absolutely helpful, because they are likely to pass *almost* the correct rule. I can see this very easily changed from "you cannot have cleartext passwords" to "you must have encrypted passwords" by the time it gets passed.
"Where are your encrypted passwords?"
"We use PKI keys, we don't have *any* passwords"
"So you don't have any encrypted passwords?"
"No, we don't need them."
"Off to jail with you, then."
Re:Storing plaintext passwords should be illegal (Score:4, Interesting)
That's not the point. I do not believe it is appropriate to develop software without a revision-control system in place, but I've seen people do it. I do not, however, advocate a law to require people do basic obvious stuff like that.
There are several reasons, but the foremost is probably that ill-informed people (technical and non-technical) tend to mistake "going through the motions" for "doing it right." That is, checklists promote a cargo cult [wikipedia.org] approach to security.
Compliance != good design, and indeed compliance is only a subset of good design when the requirements are perfect.