
GCHQ attempts to downplay amazing plaintext password blunder

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password by …

COMMENTS

This topic is closed for new posts.


Silver badge
Coffee/keyboard

The sound you hear

is that of crypto-experts past (Alan Turing included) spinning in their graves

Hilarious blunder, especially coming from GCHQ

10
0
Silver badge

Re: The sound you hear

Is the smile appearing on my face and the subdued background noise of laughter.

Rodney you......Plonker!

2
0
Silver badge

Re: The sound you hear

It's a bloody good job they aren't in charge of anything important then!

2
0
FAIL

Re: The sound you hear

It's probably like the Archer cartoons in there

0
0
Mushroom

Re: The sound you hear

You guys have missed the obvious.

They ARE storing salted encrypted passwords.

But they have broken public key cryptography and not told us, dun dun dun!!!!

They accidentally decrypted your password to send back to you.

0
0
Anonymous Coward

Sadly common in UK Gov

Helped my brother-in-law to register on the Landlord Registration central online system for Scotland. Asks for a password, try one, sorry not long enough (and no, it was not "mypenis"). Try another, sorry must have numbers and both upper and lower case characters. Try a third to meet those security aspects and it is happy.

Then I get an email, absolutely unencrypted as you would expect, with both user name and password!

SECURITY FAIL! (to borrow from Eadon, but here it seems justified as being AC I can't use the icon)

7
0
Facepalm

Re: Sadly common in UK Gov

The financial system of one of my (large, public sector, UK) clients I use to manage the purchase orders they place with my company requires a password. Helpfully it informs me that it must be "at least 1 character(s) long". I have pointed this out, several times, over several months....

3
0
Silver badge
Paris Hilton

Re: Sadly common in UK Gov

Perhaps they think you're complaining because you want to use a shorter password?

5
0
Unhappy

Re: Sadly common in UK Gov

Ah, I forgot - when I first used it, it complained that my 10 character password was too long (maximum was 8). They did at least fix that....

0
0
kbb

Banks too?

I've written my PIN down before in amongst a lot of other numbers to disguise it, and then forgotten which 4 digits were the right ones, so I contacted the bank to let them know I'd forgotten it. They sent me a "here is your PIN" letter and it had the same PIN (the digits were in my note). So they must be storing PINs in plain text too.

3
0

Re: Banks too?

To be fair, you've only got 10,000 combinations there, and any salting etc. could be broken trivially.

2
1
Anonymous Coward

Re: Banks too?

Well, to a third party the salted passwords might be difficult, but since the bank knows the mechanism for the salt and there are fewer than 10,000 combinations, excluding non-available combinations means they could brute force their own hashes very quickly. A test script I just ran, which generated 9999 salted passwords and tested every single one against the salted and hashed known value, generating the full 9999 for each test, only took 90 seconds on a single core machine... Of course in a real one you'll break out far earlier, but you can really say that if password usage was evenly distributed throughout the range, the average on an ageing single core machine is 45 seconds... I suspect a bank can have that done in under a tenth of the time.

1
0
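The point made in the comment above, that a salt does nothing for a four-digit PIN once you hold the stored hash, can be shown in a few lines. The following is an added illustration, not code from the comment or from any bank: it hashes a constructed PIN with a per-record salt, walks the whole 10,000-value space to recover it, and then shows why a keyed hash (an HMAC under a secret that lives elsewhere, which is the property an HSM provides) leaves the same search empty-handed. The salt, key and PIN values are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Every possible four-digit PIN: the entire search space is only 10,000 entries.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


def salted_hash(pin: str, salt: bytes) -> bytes:
    """Unkeyed salted hash, the scheme the comment describes."""
    return hashlib.sha256(salt + pin.encode()).digest()


def keyed_hash(pin: str, salt: bytes, key: bytes) -> bytes:
    """HMAC under a secret key; the key is the part an HSM would never release."""
    return hmac.new(key, salt + pin.encode(), hashlib.sha256).digest()


def recover_from_salted(salt: bytes, digest: bytes) -> Optional[str]:
    """Exhaustive search over the PIN space using only the stored salt and digest.

    Against an unkeyed hash this succeeds immediately; against a keyed hash it
    returns None, because no candidate PIN reproduces the digest without the key.
    """
    for candidate in PIN_SPACE:
        if hmac.compare_digest(salted_hash(candidate, salt), digest):
            return candidate
    return None


def timed_recovery(salt: bytes, digest: bytes) -> Tuple[Optional[str], float]:
    """Run the search and report how long the full 10,000-value walk takes."""
    start = time.perf_counter()
    result = recover_from_salted(salt, digest)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    salt = b"constructed-per-record-salt"   # constructed value
    pin = "4821"                            # constructed value

    unkeyed = salted_hash(pin, salt)
    found, secs = timed_recovery(salt, unkeyed)
    print(f"unkeyed salted hash: recovered {found!r} in {secs:.3f}s")

    secret_key = b"\x00" * 32               # constructed stand-in for an HSM-held key
    keyed = keyed_hash(pin, salt, secret_key)
    found, secs = timed_recovery(salt, keyed)
    print(f"keyed hash, key not available: recovered {found!r} in {secs:.3f}s")
```

The design lesson is that the confidentiality of a tiny secret like a PIN cannot come from hashing; it has to come from a key the verifier holds and the database does not, combined with the attempt limits the hardware enforces. A salt still matters for the keyed case (two customers with the same PIN get different digests), but it is the key that makes the stored value useless on its own.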
Alert

Re: Banks too?

Banks use Hardware Security Modules (HSMs) to hold PINs which are heavily protected beasts.

Without physical access it's pretty much impossible to get anything out of them and then they normally have a myriad of access detection sensors which delete the memory if you try anything (I've tried kicking one, it got upset and deleted everything)

I wouldn't worry about these normally but I recently found that BarclayCard will display your PIN on the web site if you ask, that sounds very silly to me.

3
0
Silver badge

Re: Banks too?

Heh. Yup, HSMs give the really awesome protection of having the private/secret key never leave the HSM, so barring someone physically stealing the HSM, the stuff encrypted by it is safe.

OTOH, if someone were to have direct access to the HSM *and* the config info to use it... Oopsie! (Hopefully, they're running it at FIPS 140-2 Level 3...)

1
0

Re: Banks too?

I think my bank (Yorkshire) stores its secret answers in non-encrypted format. The answers used to be case sensitive, then one day they ceased to be so. I used their internal ticketing to ask why the change. The answer was that too many people were forgetting case sensitivity so they turned it off. What worries me is the fact that I didn't have to change my password when they did this, and the fact that now I can WrITe My SecRET AnsWERS in ANY caSE I liKe tells me they aren't encrypted, and probably neither are the passwords.

0
0

Re: Banks too?

* I mean I didn't have to change any of my secret answers, not password.

0
0
Go

Re: Banks too?

Could still be hashed. When they made this change they could have taken your first successful login and then rewrote a hash of a lower case version into their database; then from then on they just set your input to lower case before hashing it and doing the compare...

0
0
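The migration sketched in the comment above (verify against the old case-sensitive hash once, rehash a normalised form on success, then normalise every later input before comparing) is straightforward to implement without ever storing the answer in the clear. The code below is an added example, not anything the bank or the commenter published; it uses PBKDF2-HMAC-SHA256 with a fresh salt per record, and the stored record carries a flag saying which form of the answer was hashed. The record layout, field names and sample answer are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Any

ITERATIONS = 100_000  # assumed work factor for the example


def normalise(answer: str) -> str:
    """Canonical form used after migration: trimmed and case-folded."""
    return answer.strip().casefold()


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, ITERATIONS)


def store_legacy(answer: str) -> Dict[str, Any]:
    """Create a record the way the old case-sensitive system would have."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(answer, salt), "case_insensitive": False}


def store_normalised(answer: str) -> Dict[str, Any]:
    """Create a record in the post-migration, case-insensitive form."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(normalise(answer), salt), "case_insensitive": True}


def verify_and_migrate(record: Dict[str, Any], supplied: str) -> bool:
    """Check a supplied answer against the record, migrating it in place on success.

    Legacy records are checked with the exact input (case still matters for that
    one login); a correct answer is then re-hashed in normalised form with a new
    salt so every later check is case-insensitive. The plaintext is never stored.
    """
    candidate = normalise(supplied) if record["case_insensitive"] else supplied
    if not hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"]):
        return False
    if not record["case_insensitive"]:
        migrated = store_normalised(supplied)
        record.update(migrated)  # rewrite the stored hash, as the comment suggests
    return True


if __name__ == "__main__":
    rec = store_legacy("Fluffy")            # constructed sample answer
    print(verify_and_migrate(rec, "fluffy"))  # False: still legacy, case-sensitive
    print(verify_and_migrate(rec, "Fluffy"))  # True: migrates the record
    print(verify_and_migrate(rec, "FLUFFY"))  # True: now case-insensitive
    print(verify_and_migrate(rec, "Rover"))   # False: wrong answer
```

One caveat a practitioner would add: case-folding shrinks the answer space, so the stored hash should use a slow KDF and the login path still needs attempt limiting; the migration itself does not weaken storage, but the policy change does make guessing a little easier.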
Silver badge

I think it's been outsourced

Netcraft says the following

Netblock owner           | IP address     | OS                  | Web server        | Last changed
Rackspace Cloud IP Space | 31.222.187.124 | Windows Server 2008 | Microsoft-IIS/7.5 | 8-Jul-2012

0
0
Anonymous Coward

Re: I think it's been outsourced

Well at least it's using a fairly secure OS.

4
4
Silver badge

"The current applicant tracking system used by GCHQ is a legacy system ..."

A feeble excuse, and all the more feeble because they have been in the business of specifying best practice in security matters for a long, long time - far longer than they've been using this 'legacy' system, I'd wager.

I have a lot of respect for GCHQ, but they really do need to work on their public interface.

1
0
Silver badge

What does the Reg do?

Are our passwords here stored in clear text?

2
0
Bronze badge
Alert

Re: What does the Reg do?

And why isn't the site HTTPS when we're logged in? HTTPS isn't perfect, but it's the first line of defence against cookie-jacking.

2
0

Re: What does the Reg do?

El Reg certainly *used* to email out plain text password reminders!

1
0

Well.......

Pass the salt!

0
0

Which problem is The Problem?

Should GCHQ want to recruit people who 'forget' their passwords?

Best regards

1
0
Silver badge

Re: Which problem is The Problem?

"Should GCHQ want to recruit people who 'forget' their passwords?"

Everyone forgets their password from time to time. Or locks out their account. Or....

Just because a person is one of the best cryptanalysts in the world doesn't mean they don't have a memory like a sieve.

However, for an intelligence agency to be storing passwords in plain text is inexcusable. Even on a peripheral system. It doesn't matter whether they are sending out plain-text password reminders, as such. It is that they are storing them insecurely. Which is bad. Very bad.

5
0
Anonymous Coward

Re: Which problem is The Problem?

Actually, when I'm asked to create an online account somewhere I routinely test their password retrieval/resetting procedure as a means to gauge their website security (before creating my real account of course!).

IMHO it's a good litmus test

2
0
Silver badge

Re: Which problem is The Problem? ..... Posted Wednesday 27th March 2013 09:29 GMT by Nigel Sedgwick

Should GCHQ want to recruit people who 'forget' their passwords? Best regards .... Nigel Sedgwick

The sort of folk that GCHQ and Spookery need, are the sort of folk who recruit GCHQ and Spookery for their needs and feeds and seeds.

Best Regards .... and more anon as ProgramMING Programming proceeds.

Sincerely Yours,

GCHQ ICEnterprises

Is problem folk for problemed folk the right SMARTR answer which delivers change you can see in presentations rather that just hope and false dawns you are pimped to believe in and blindly support in ignorant servitude, which appears to be status quo establishment fare and their pathetic vapourware?

Answers in an email to ....... well, if it be to any status quo establishment systems it may as well be to Mars for all the good that they can provide, is what you will find to be too true to ignore as other than a fact which is hidden behind fictions and spinning tales of non daring do nothing creativity and mayhem.

0
0

Re: Which problem is The Problem?

I usually try ${drop table all;} as a password,

I'm just waiting for the day

4
1
Silver badge

Re: Which problem is The Problem?

Wait until Little Bobby Tables makes an application...

4
0
Bronze badge

Re: Which problem is The Problem?

The biggest secret they've got is that they haven't got any secrets.

0
0

Re: Which problem is The Problem?

your autism is showing.

0
4
Bronze badge
Paris Hilton

No news here. Move on please ...

Okay so another publicly funded body makes a bit of a booboo.

0
0

Re: No news here. Move on please ...

But it isn't just "another publicly funded body", it's GCHQ who are responsible for national security issues. There's a big difference between a government department who deals with e.g. agriculture, and one that deals with intelligence data & spying.

0
0
Bronze badge

Re: No news here. Move on please ...

"...it's GCHQ who are responsible for national security issues."

Except that the site in question has precisely zip in any form of national security information on it. It only has harmless information, such as your name, address, telephone number, all registration numbers, friends names and addresses, relatives names and addresses, etc.

Totally innocuous information. From a national security standpoint. ;)

Seriously though, at least all of the national security information is on its own segregated network.

Trying to remember the name for it now. The US starts with NIPRnet, SIPRnet and JWICS.

Ah, I remember now! BBCnet.

0
1
Silver badge

Farrall only got round to blogging about the issue this week, two months after the offending email.

Presumably after not getting the gig.

2
0
Silver badge

Maybe it is part of the selection test

If you complain about the poor security then it helps to show GCHQ that you have some clue and thus worth considering for employment.

I wish, but I suspect that I am wrong.

3
0

I once did an application for a similar type of organisation. There was a very clear warning at the beginning. If you got the password wrong three times, your account would be locked out. And there was no password recovery option. That's how you do proper security, and weed out applicants who can't remember a password.

2
2
FAIL

Surely that is how you train people to write down their password?

14
0

You use it to weed out humans then?

2
0
Silver badge
Unhappy

That's it. I need a break from the 'puter. I just read that as:

"You use it for weed"

0
0
Bronze badge

re: That's how you do proper security

Actually that's a failure to manage security effectively: people are given access to secure systems because they need it in order to do their jobs - a user locked out is a job not done.

0
0
Anonymous Coward

was it yesterday?

that some bloke in the comments said that no intelligence agency would keep the list and details of their agents on a machine connected to the computer, no way, cause like, they're too smart to stumble for such an obvious risk? Well, he severely underestimated the power of the human mind!

3
0
Thumb Up

Re: was it yesterday?

Yup, it was in the article about an outed Mossad agent list, and people were convinced that these "pros" would never make mistakes like that. Well, when I see people convinced that something can never happen, I just see people lacking in life experience.

2
0
Silver badge
Thumb Up

Re: was it yesterday?

Yup.

And I was the one who said that if you believe that you need to step away from the internet.

1
0
Anonymous Coward

You think that's bad? I was once allowed into GCHQ showing a sausage roll to the security guard rather than my ID pass. I had only been working there for a few months so he didn't know my face either. We also often swapped ID badges to see if it would be spotted. This was at the Oakley site; perhaps Benhall was different.

1
0
Bronze badge
Happy

"You think that's bad? I was once allowed into GCHQ showing a sausage roll to the security guard rather than my ID pass."

You're asking for mockery there, suggesting your face looks like a sausage roll! Or did you show it to the guard as a bribe?

1
0
Anonymous Coward

I presume he saw you leave, and logged your security badge pulsing the gate back in.

Maybe he thought you were simply showing your 'lunch' as an explanation of where you'd been, then probably shaking his head after you'd gone past.

GCHQ's just a couple of miles from me, maybe I'll get a pizza, and try my luck getting through the gate with a cheesy smile, a red peaked cap and a little wave of the pizza box! OK, maybe I won't - 'tis a boring place.

0
0
Black Helicopters

More stories from back in the day

More ID card stories from colleagues.

1. Driving onto site and realised ID card was in the boot. Waved a piece of toast at guard and waved onto site.

2. Pasted a picture of a gorilla onto ID card. Took it off a week later 'cos no-one had challenged it.

Hi to all at T42. Hope you are still whipping up a storm.

0
0
Unhappy

They want everything

"Names, dates, family members, passport numbers, housing information". Not just that.

If this is used to provide information for security vetting, it is basically everything needed for complete identity theft.

Full names, addresses and dates of birth for all family members back to grandparents, including maiden names. All addresses for the last 10 years. All schooling and all past employers. All bank account and investment details. About the only thing they do not ask for is the dog's name.

Tell me how many places ask Security questions based on this information. Then tell me how serious this isn't?

2
1
