"The Cabinet Office did not respond immediately to a request for comment."
Probably still trying to find someone who understands the question.
Users of the UK government’s data dashboard have been asked to change their passwords after their information was made public. According to an email seen by The Register, a file containing the names, emails and hashed passwords for the data.gov.uk site was left on a third-party system. “A recent routine security review …
Depends on the "compromise". Obviously if the database is lifted unencrypted in its entirety: yes.
Otherwise it's just more work for anyone to break. And unless you are the victim of a very specific attack, hackers will just move on to the next account with re-used passwords.
'Scuse ignorance, but I'm endlessly confused by the plethora of different logins, current and historical, that I have for various HMG services. Is the "Dashboard" to which this refers connected in any way with the HMRC logins for company services, or the Land Registry site, or indeed the DVLA site? Or is it a separate, new thing that I haven't yet been forced to subscribe to?
I have no idea if I signed up to this site or not. At one point in about 2013 or 2014 I signed up for some government site after receiving details in a letter and on a little credit card sized piece of paper.
The reason for using it escapes me now, but at the time it seemed like a central login for all government services, but I may be wrong. I have no idea if it was connected to this site or not, let alone what email address I used.
The other issue is so many gov IT projects get shelved, I don't know if it's still valid or not.
Any clues as to how this government data stuff works? Need sleep....
data.gov.uk is the place to go to get open data. It looks like they opened up their data on their users and made that freely available as well. It works in Estonia, where if anyone in government looks at your data, you get notified of who did and why.
Well done UK Gov for putting my tax money to such great use. So all the money you saved with going with a cheap consultancy you've now spunked up the wall on fixing the fallout from this insecure shite.
Were the almighty cut-price cock-up artists "Crapita" involved by any chance?
I've just looked at this site (by its contents I'm unlikely to have registered) and the home screen says it's still in beta! After more than two years! I used to work on CAD software, and a beta that long would either be a pile of doodoo not fit for public display, or a cancelled project accidentally left on the system.
"GDS added that it 'immediately took steps to remove this data from the public domain'."
Yes you took it down when someone pointed it out but how long has it been there and why was it there?
“There is no evidence of misuse of anyone’s credentials," the email said. "Resetting your password is purely a precautionary measure.”
Lack of evidence doesn't mean someone hasn't swiped the data.
I remember having to change my password for HMRC. Because they changed their password rules and a Safari generated password looking like ABC-DEF-123-456-XYZ is not acceptable anymore. They always wanted two digits so you had to generate a few passwords until it accepted one, but now it doesn't like the "-" characters anymore. They also changed the rules for existing passwords, so I couldn't log in with my password anymore, requiring a reset.
For an industry which prides itself on a selection of standards to fit the bill (literally), the continuing lack of a simple RFC on password construction baffles me.
We have one for valid email addresses (which I had to read twice to discover that "'" [apostrophe] *is* a valid character, despite a lot of home-brewed code thinking it isn't).
So why not one for passwords? Ideally permitted characters, minimum/maximum length, plus basic entropy rules.
That said, having done my share of working on RFCs in the 80s, I can understand the lack of enthusiasm.
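To make the two comments above concrete (the composition rule that rejected a generated password, and the wished-for RFC of permitted characters, length bounds and an entropy rule), here is an added example that is not from the forum thread, HMRC or any government site. The "two digits, no hyphen" rule is assumed from the comment above, not HMRC's actual policy, and the sample passwords are constructed.

```python
import math
import string

# Constructed sample inputs: a generator-style password like the one in the comment,
# and a short human-chosen one that satisfies a digit-count rule but little else.
GENERATED = "ABC-DEF-123-456-XYZ"
WEAK = "Pa55word"


def estimate_entropy_bits(password: str) -> float:
    """Crude upper-bound estimate: length * log2(size of the character pool used).

    The pool is the union of the character classes that actually appear. This is the
    kind of 'basic entropy rule' the comment asks for, not a proof of strength.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols, '-' included
        (" ", 1),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def composition_policy(password: str) -> list[str]:
    """Assumed composition rule from the comment: at least two digits, no '-' allowed."""
    problems = []
    if sum(c.isdigit() for c in password) < 2:
        problems.append("needs at least two digits")
    if "-" in password:
        problems.append("'-' is not permitted")
    return problems


# Permitted set for the RFC-style policy: printable ASCII, hyphen and apostrophe included.
PERMITTED = set(string.ascii_letters + string.digits + string.punctuation + " ")


def rfc_style_policy(password: str, min_len: int = 12, max_len: int = 128,
                     min_bits: float = 60.0) -> list[str]:
    """Permitted characters, a length range and a minimum entropy estimate; no class rules."""
    problems = []
    bad = sorted({c for c in password if c not in PERMITTED})
    if bad:
        problems.append(f"characters not permitted: {bad}")
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be {min_len}-{max_len}, got {len(password)}")
    if estimate_entropy_bits(password) < min_bits:
        problems.append(f"estimated entropy below {min_bits} bits")
    return problems
```

Under the composition rule the generated password is rejected for its hyphens while the short one passes; under the length-and-entropy policy the outcome is reversed.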