back to article GCHQ attempts to downplay amazing plaintext password blunder

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password …


This topic is closed for new posts.


  1. Michael H.F. Wilkinson Silver badge

    The sound you hear

    is that of crypto-experts past (Alan Turing included) spinning in their graves

    Hilarious blunder, especially coming from GCHQ

    1. LarsG

      Re: The sound you hear

      Is the smile appearing on my face and the subdued background noise of laughter.

      Rodney you......Plonker!

    2. Rampant Spaniel

      Re: The sound you hear

      It's a bloody good job they aren't in charge of anything important then!

    3. robin48gx

      Re: The sound you hear

      Its probably like the archer cartoons in there

    4. Your Opinion Matters

      Re: The sound you hear

      You guys have missed the obvious.

      They ARE storing salted encrypted passwords.

      But they have broken public key cryptography and not told us, dun dun dun!!!!

      They accidentally decrypted your password to send back to you.

  2. Anonymous Coward
    Anonymous Coward

    Sadly common in UK Gov

    Helped my brother-in-law to register on the Landlord Registration central online system for Scotland. Asks for a password, try one, sorry not long enough (and no, it was not "mypenis"). Try another, sorry must have numbers and both upper and lower case characters. Try a third to meet those security aspects and its is happy.

    Then I get an email, absolutely unencrypted as you would expect, with both user name and password!

    SECURITY FAIL! (to borrow from Eadon, but here it seems justified as being AC I can't use the icon)

    1. tirk

      Re: Sadly common in UK Gov

      The financial system of one of my (large, public sector, UK) clients I use to manage the purchase orders they place with my company requires a password. Helpfully it informs me that it must be "at least 1 character(s) long". I have pointed this out, several times, over several months....

      1. Allan George Dyer
        Paris Hilton

        Re: Sadly common in UK Gov

        Perhaps they think you're complaining because you want to use a shorter password?

        1. tirk

          Re: Sadly common in UK Gov

          Ah, I forgot - when I first used it it complained that my 10 character password was too long (maximum was 8). They did at least fix that....

  3. kbb

    Banks too?

    I've written my PIN down before in amongst a lot of other numbers to disguise it, and then forgotten which 4 digits were the right ones, so I contacted the bank to let them know I'd forgotten it. They sent me a "here is your PIN" letter and it had the same PIN (the digits were in my note). So they must be storing PINs in plain text too.

    1. Stuart Moore

      Re: Banks too?

      To be fair, you've only got 10,000 combinations there, and any salting etc. could be broken trivially.

      1. Anonymous Coward
        Anonymous Coward

        Re: Banks too?

        Well, to a third party the salted passwords might be difficult but since the bank knows the mechanism for the salt and there are less than 10000 combinations, excluding non available combinations means they could brute force their own hashes very quickly. A test script I just ran which generated 9999 salted passwords and tests every single one vs the salted and hashed known value, generating the full 9999 for each test only took 90 seconds on a single core machine... of course in a real one you'll break out far earlier but you can really say if password usage was evenly distributed throughout the range an average on an ageing single core machine is 45 seconds... I suspect a bank can have that done in under a tenth of the time.

        1. Yossarian

          Re: Banks too?

          Banks use Hardware Security Modules (HSMs) to hold PINs which are heavily protected beasts.

          Without physical access it's pretty much impossible to get anything out of them and then they normally have a myriad of access detection sensors which delete the memory if you try anything (I've tried kicking one, it got upset and deleted everything)

          I wouldn't worry about these normally but I recently found that BarclayCard will display your PIN on the web site if you ask, that sounds very silly to me.

          1. Daniel B.

            Re: Banks too?

            Heh. Yup, HSMs give the really awesome protection of having the private/secret key never leave the HSM, so barring someone physically stealing the HSM, the stuff encrypted by it is safe.

            OTOH, if someone were to have direct access to the HSM *and* the config info to use it... Oopsie! (Hopefully, they're running it at FIPS 140-2 Level 3...)

    2. Aqua Marina

      Re: Banks too?

      I think my bank (Yorkshire) stores it's secret answers in non-encrypted format. The answers used to be case sensitive, then one day they ceased to be so. I used their internal ticketing to ask why the change. The answer was that too many people were forgetting case sensitivity so they turned it off. What worries me is the fact that I didn't have to change my password when they did this, and the fact that now I can WrITe My SecRET AnsWERS in ANY caSE I liKe tells me they arn't encrypted, and probably neither are the passwords.

      1. Aqua Marina

        Re: Banks too?

        * I mean I didn't have to change any of my secret answers, not password.

      2. Adrian Bool

        Re: Banks too?

        Could still be hashed. When they made this change they could have taken your first successful login and then re-wrote a hash of a lower case version into their database; then from then on they just set your input to lower case before hashing it and doing the compare...

  4. John G Imrie

    I think it's been outsourced

    Netcraft says the following

    Netblock owner IP address OS Web server Last changed

    Rackspace Cloud IP Space Windows Server 2008 Microsoft-IIS/7.5 8-Jul-2012

    1. Anonymous Coward
      Anonymous Coward

      Re: I think it's been outsourced

      Well at least it's using a fairly secure OS.

  5. Anonymous Coward
    Anonymous Coward

    "The current applicant tracking system used by GCHQ is a legacy system ..."

    A feeble excuse, and all the more feeble because they have been in the business of specifying best practice in security matters for a long, long time - far longer than they've been using this 'legacy' system, I'd wager.

    I have a lot of respect for GCHQ, but they really do need to work on their public interface.

  6. Cliff

    What does the Reg do?

    Are our passwords here stored in clear text?

    1. This post has been deleted by its author

    2. Dom 3

      Re: What does the Reg do?

      El Reg certainly *used* to email out plain text password reminders!

  7. Inventor of the Marmite Laser Silver badge


    Pass the salt!

  8. Nigel Sedgwick

    Which problem is The Problem?

    Should GCHQ want to recruit people who 'forget' their passwords?

    Best regards

    1. Dr. Mouse

      Re: Which problem is The Problem?

      "Should GCHQ want to recruit people who 'forget' their passwords?"

      Everyone forgets their password from time to time. Or locks out their account. Or....

      Just because a person is one of the best cryptanalysts in the world doesn't mean they don't have a memory like a sieve.

      However, for an intelligence agency to be storing passwords in plain text is inexcusable. Even on a peripheral system. It doesn't matter whether they are sending out plain-text password reminders, as such. It is that they are storing them insecurely. Which is bad. Very bad.

    2. Anonymous Coward
      Anonymous Coward

      Re: Which problem is The Problem?

      Actually, when I'm asked to create an online account somewhere I routinely test their password retrieval/resetting procedure as a means to gauge their website security (before creating my real account of course!).

      IMHO it's a good litmus test

      1. Field Marshal Von Krakenfart

        Re: Which problem is The Problem?

        I usually try ${drop table all;} as a password,

        I'm just waiting for the day

        1. Uncle Slacky Silver badge

          Re: Which problem is The Problem?

          Wait until Little Bobby Tables makes an application...

          1. Matt 21

            Re: Which problem is The Problem?

            The biggest secret they've got is that they haven't got any secrets.

      2. Scott 62

        Re: Which problem is The Problem?

        your autism is showing.

    3. amanfromMars 1 Silver badge

      Re: Which problem is The Problem? ..... Posted Wednesday 27th March 2013 09:29 GMT by Nigel Sedgwick

      Should GCHQ want to recruit people who 'forget' their passwords? Best regards .... Nigel Sedgewick

      The sort of folk that GCHQ and Spookery need, are the sort of folk who recruit GCHQ and Spookery for their needs and feeds and seeds.

      Best Regards .... and more anon as ProgramMING Programming proceeds.

      Sincerely Yours,

      GCHQ ICEnterprises

      Is problem folk for problemed folk the right SMARTR answer which delivers change you can see in presentations rather that just hope and false dawns you are pimped to believe in and blindly support in ignorant servitude, which appears to be status quo establishment fare and their pathetic vapourware?

      Answers in an email to ....... well, if it be to any status quo establishment systems it may as well be to Mars for all the good that they can provide, is what you will find to be too true to ignore as other than a fact which is hidden behind fictions and spinning tales of non daring do nothing creativity and mayhem.

  9. All names Taken
    Paris Hilton

    No news here. Move on please ...

    Okay so another publicly funded body makes a bit of a booboo.

    1. Corinne

      Re: No news here. Move on please ...

      But it isn't just "another publicly funded body", it's GCHQ who are responsible for national security issues. There's a big difference between a government department who deals with e.g. agriculture, and one that deals with intellegence data & spying.

      1. Wzrd1 Silver badge

        Re: No news here. Move on please ...

        "'s GCHQ who are responsible for national security issues."

        Except that the site in question has precisely zip in any form of national security information on it. It only has harmless information, such as your name, address, telephone number, all registration numbers, friends names and addresses, relatives names and addresses, etc.

        Totally innocuous information. From a national security standpoint. ;)

        Seriously though, at least all of the national security information is on its own segregated network.

        Trying to remember the name for it now. The US starts with NIPRnet, SIPRnet and JWICS.

        Ah, I remember now! BBCnet.

  10. Tom 38

    Farrall only got round to blogging about the issue this week, two months after the offending email.

    Presumably after not getting the gig.

  11. alain williams Silver badge

    Maybe it is part of the selection test

    If you complain about the poor security then it helps to show GCHQ that you have some clue and thus worth considering for employment.

    I wish, but I suspect that I am wrong.

  12. Callam McMillan

    I once did an application for a similar type of organisation. There was a very clear warning at the beginning. If you got the password wrong three times, your account would be locked out. And there was no password recovery option. That's how you do proper security, and weed out applicants who can't remember a password.

    1. Paul 5

      Surely that is how you train people to write down their password?

    2. davtom

      You use it to weed out humans then?

      1. Will Godfrey Silver badge

        That's it. I need a break from the 'puter. I just read that as:

        "You use it for weed"

    3. Pookietoo

      re: That's how you do proper security

      Actually that's a failure to manage security effectively: people are given access to secure systems because they need it in order to do their jobs - a user locked out is a job not done.

  13. Anonymous Coward
    Anonymous Coward

    was it yesterday?

    that some bloke in the comments said that no intelligence agency would keep the list and details of their agents on a machine connected to the computer, no way, cause like, they're too smart to stumble for such an obvious risk? Well, he severely underestimated the power of the human mind!

    1. Anonymous Coward
      Thumb Up

      Re: was it yesterday?

      Yupp, it was in the article about an outed Mossad agent list, and people were convinced that these "pros" would never make mistakes like that. Well, when I see people convinced that something can never happen, I just see people lacking in life experience.

    2. JimmyPage Silver badge
      Thumb Up

      Re: was it yesterday?


      And I was the one who said that if you believe that you need to step away from the internet.

  14. Anonymous Coward
    Anonymous Coward

    You think that's bad I was once allowed into GCHQ showing a sausage roll to the security guard rather than my ID pass. I had only been working there for a few months so he didn't know my face either. We also often swapped ID badges to see if it would be spotted. This was at the Oakley site perhaps Benhall was different.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      I presume he saw you leave, and logged your security badge pulsing the gate back in.

      Maybe he thought you were simply showing your 'lunch' as an explanation to where you've been, then probably shaking his head after you've gone passed.

      GCHQ's just a couple of miles from me, maybe I'll get a pizza, and try my luck getting through the gate with a cheesy smile, a red peaked cap and a little wave of the pizza box! OK, maybe I won't - 'tis a boring place.

    3. peter 45
      Black Helicopters

      More stories from back in the day

      More ID card stories from colleagues.

      1. Driving onto site and realised ID card was in the boot. Waved a piece of toast at guard and waved onto site.

      2. Pasted a picture of a gorilla onto ID card. Took it off a week later 'cos no-one had challenged it.

      Hi to all at T42. Hope you are still whipping up a storm.

  15. peter 45

    They want everything

    "Names, dates, family members, passport numbers, housing information". Not just that.

    If this is used to provide information for security vetting, it is basically everything needed for complete identity theft.

    Full names addresses and dates of birth for all family members back to Grandparents including Maiden names. All addresses for the last 10 years. All schooling and all past employers. All bank account and investment details. About the only thing they do not ask for is the Dog's name.

    Tell me how many places ask Security questions based on this information. Then tell me how serious this isn't?


This topic is closed for new posts.

Other stories you might like