GCHQ attempts to downplay amazing plaintext password blunder

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password …


This topic is closed for new posts.


  1. Dodgy Geezer Silver badge

    ...But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments can reasonably be held to the highest possible standards....

    Aha - I think I see the problem here.

    WHAT 'absolutely critical national-security information' have we got?

    We used to have a lot, when we ran half the world, and had a military that was equal to/better than the US. Those were the days when our position needed to be considered amongst the world's powers. Now, however, we are not really part of the game any more.

    Perhaps someone might be thinking of attacking us, and needs some information on our defences? The Falklands showed how any real information passing through the intelligence system soon got ignored if it didn't conform to pre-determined government policy. At the moment we could be considered as 'under economic attack' from the Chinese. And what are we doing about it? Stuffing our own economy with green taxes in an attempt to de-industrialise.

    We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't...

  2. This post has been deleted by its author

  3. batfastad


    Amateurs? Or an amazing honeypot?

    It's probably not an in-house package but there must be some bods at GCHQ who do the security auditing of code, right?

  4. batfastad

    The ones to worry about

    The sites to worry about are those that enforce a low max length (<20 chars) and disallow special characters. If it's being hashed/crypted properly then the maximum length and any special characters are irrelevant.

    Rather than that stupid cookie law crap how about a law requiring sites to display their password storage procedures with big fines for not telling the truth (proper big fines, not the stuff the ICO hand out at the moment for data breaches). It won't prevent idiots being in control of a computer and developing rubbish software though unfortunately.

    Do we know what careers software this is and who the developers are?

  5. Vladimir Plouzhnikov

    It's all old news

    I saw a documentary on this a few months back. Spies' IDs list stolen, sky fell etc etc. There was one agent, he sorted it all out in the end. I think his name was Bomb or Bond or something...

    1. PhilBuk

      Re: It's all old news

      Nah, it was Ethan Hunt.


  6. Benchops

    This is no blunder

    They're distracting attention away from something else!!

  7. Anonymous Coward

    Upgraded my broadband service with my ISP - which is a big UK one. Gobsmacked to receive a confirmation email which included my existing password in plain text. As it was one I had set myself a while ago, they obviously store them in an unsafe way.

  8. 0perat0r

    "Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't." On the basis that they know their own keys/salts:

  9. This post has been deleted by its author

  10. Mr Spock

    Pay peanuts, get monkeys.

    This is the same GCHQ that couldn't understand why hardcore tech gurus weren't flocking to work for them for £25,000 a year. Hardly surprising they can't employ someone with a clue about password security, then.

  11. Anonymous Coward


    That is all.....

  12. Al Jones

    Password Retrieval vs Password Reset

    If the concern is that passwords are sent in e-mail that can be intercepted, then password reset links are just as vulnerable..

    If the concern is that hacker can get access to a plaintext list of usernames and passwords on the website, then they've probably already gotten access to the far more valuable personal information that has been uploaded to the website.

    GCHQ should do better, but if you're worried that someone might get access to data on their webserver, and your concern is that you used the same password for GCHQ as you used for your Amazon account, then I think you're missing the forest for the trees!
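The post above weighs emailed passwords against emailed reset links. As an added example (not from the article or any of the commenters), here is the defensive design that distinguishes the two: a reset link carries a random single-use token that expires after a short window, and the server stores only a hash of it, so an intercepted or leaked link is worth far less than a reusable plaintext password. The class name, the 15-minute TTL and the injectable clock are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of a reset link; short windows limit what an intercepted email is worth.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokens:
    """Issue and redeem password-reset tokens. Only a hash of each token is kept server-side,
    so a copy of the database does not hand out usable reset links."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock (hypothetical) so expiry can be tested offline
        self._pending = {}  # username -> (sha256(token), expires_at)

    def issue(self, username: str) -> str:
        # 256 bits of randomness; the raw token goes into the emailed link and nowhere else.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("utf-8")).digest()
        self._pending[username] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username: str, token: str) -> bool:
        # Single use: the entry is removed on the first attempt, right or wrong, so a
        # token cannot be replayed and a guessing attacker gets one try per issued link.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            return False
        candidate = hashlib.sha256(token.encode("utf-8")).digest()
        return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    store = ResetTokens()
    link_token = store.issue("applicant@example.invalid")  # constructed sample user
    print("first redeem:", store.redeem("applicant@example.invalid", link_token))
    print("replay:", store.redeem("applicant@example.invalid", link_token))
```

Contrast this with a mailed password: the reset token is bound to one account, dies on first use or after fifteen minutes, and the stored hash cannot be turned back into a working link.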

  13. PhilBuk

    Patronising Twats

    Love the patronising bit in the reply, "This comes with clear instructions of how to protect their data."

    It's not them that should be protecting the data - it's your job!


  14. Paul Hovnanian Silver badge

    Plaintext storage

    Nothing new here. Back in the day when I worked for a major US defense contractor, we had a 90 day password change requirement for their IT access control system. The change rules were quite onerous and woe to anyone who just tried to roll from 'password01' to 'password02'. Changes deemed 'too simple' were rejected.

    My best guess is that they stored passwords in plaintext and tested changes against the old version*. Compromised systems were par for the course at this outfit.

    *Easy work around: The validation algorithm could only look at the present password, so it was a simple matter of remembering two different ones and switching back and forth every three months.
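Two posts above make a pair of points that one example can cover: batfastad's, that with proper hashing the length and character set of a password are irrelevant to storage, and Paul Hovnanian's, that a password-history rule does not require keeping the old passwords in plaintext. The following is an added example, not code from GCHQ, its contractor or any commenter: a salted PBKDF2 credential store that accepts any UTF-8 password of any length and enforces "no reuse of the last N passwords" by re-deriving the candidate against each retired salt. The iteration count, history depth and data-class layout are this example's own choices.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed PBKDF2 work factor; tune upward as hardware allows.
ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    # (salt, digest) pairs of retired passwords, newest first; no plaintext is ever kept
    previous: list = field(default_factory=list)


def derive(password: str, salt: bytes) -> bytes:
    # Any length and any characters are fine: the KDF always yields 32 bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create(password: str) -> Credential:
    salt = secrets.token_bytes(SALT_BYTES)
    return Credential(salt=salt, digest=derive(password, salt))


def verify(cred: Credential, password: str) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(cred.digest, derive(password, cred.salt))


def was_used_before(cred: Credential, password: str, history_depth: int = 5) -> bool:
    """History check without plaintext: re-derive the candidate under each retired salt."""
    candidates = [(cred.salt, cred.digest)] + cred.previous[:history_depth]
    return any(hmac.compare_digest(d, derive(password, s)) for s, d in candidates)


def change_password(cred: Credential, old: str, new: str, history_depth: int = 5) -> Credential:
    if not verify(cred, old):
        raise PermissionError("current password does not match")
    if was_used_before(cred, new, history_depth):
        raise ValueError("password was used recently")
    salt = secrets.token_bytes(SALT_BYTES)
    retired = [(cred.salt, cred.digest)] + cred.previous[: history_depth - 1]
    return Credential(salt=salt, digest=derive(new, salt), previous=retired)


if __name__ == "__main__":
    # Constructed sample: long, with spaces, symbols and non-ASCII characters.
    first = "correct horse battery staple & <pässwörd> " * 5
    cred = create(first)
    print("long passphrase verifies:", verify(cred, first))
    cred = change_password(cred, first, "second-choice!")
    print("old one still recognised as used:", was_used_before(cred, first))
```

Because only salted digests are stored, neither an emailed "reminder" nor a plaintext comparison against the previous password is possible; the history rule the post describes works entirely on the derived values.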

  15. Mike 16
    Paris Hilton

    Password reset?

    You might want to check with the lady above left about how secure such systems are.

    Anybody who cares can probably find all the answers to a typical company's "security questions" for any person who even has a presence on the Internet. (My first use of the Paris icon, but then, you don't have Ms Palin)

  16. Anonymous Coward

    perfect cover

    When Mossad agents mysteriously materialise in a Mediterranean hotel and casually top a high ranking Palestinian they don't like the look of, the fake passports they use will need some quality details. What better way of obtaining the data for such a project from their obliging chums at GCHQ, all easily blind-alleyed by blaming a legacy contractor?

    After the man in a suitcase clusterfuck, I wouldn't put any kind of Machiavellian weirdness past our erstwhile black helicopter drivers.

  17. Joe Montana


    What's strange is that GCHQ put a website online available to the public without it being pentested first, usually government sites must be tested by a company that's a part of the government pentest scheme (operated by CESG). Either that, or whoever tested the site missed something so ridiculous?

    Incidentally, while storing plaintext passwords is generally regarded as a bad thing, every Windows system does exactly this - stores plaintext passwords in memory as well as letting you authenticate using the hash itself (i.e. the hash becomes plaintext equivalent). If anyone else did something so stupid their products would be banned, but MS gets a free pass.

  18. JaitcH

    GCHQ, another Mad MAY operation

    Seems like the all time ministerial loser of all time, Mad MAY, is failing again.

    I wonder what part of her extensive purview actually functions? And she wants the ability to bug the whole of the UK?

    1. amanfromMars 1 Silver badge

      Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

      ..... or is that a MkUltraSensitive and Secret Intelligence Service Virtualised, Phormed and Established and Never Ever .... well, Hardly Ever unless Need to Know Requires IT, .... to be Officially Recognised and Touted like some Sort of Spooky First Class Upper Class Pro Hooker?

      We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't… …. Dodgy Geezer Posted Wednesday 27th March 2013 10:51 GMT

      And, Dodgy Geezer, as any DODGI Cyber Systems Warrior/AIMODified Virtual Pioneer worth the wearing of the moniker knows, one cannot successfully defend unless one knows how to win win with attacks, and whenever one knows how to win win with attacks, is defense not nearly as attractive and exciting and lucrative as successful Anonymous Almighty Attacks ….. AAAssaults?

      Which is and has been, and will be most probably always continue to be, in a System of Primitive Primary Protocols, something of an Abiding Enigma which Exercises IntelAIgent Community Enterprises with Exploitation and Advancement through Zeroday Vulnerabilities and Systemic Program Weaknesses …… which are always controlled by failing humans and thus always an Open Source Window and PerlyGatesPython Door ajar for stealthy virile trojan entry into the sweet sticky core that drivers their follies and foibles/passions and vices/sins and dreams.

      Who Dares and All That, in All of That, Win Wins and Always Loses FailSafe. ….. Capiche?!.

      Comprendez, GCHQ/MI5/MI6/CESG/OCSIA …… or does IT need to be spelled out in words of a few syllables for y'all, to more easily understand that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use ……. although surely, even the slowest and dimmest of wits in such fields as are tilled here would accept that which has just been said, as that which quite adequately describes that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use.

      And I think all of that, Dodgy Geezer, is something worth spending defence money on ..... and exporting to any who have need of cyber defence which can successfully attack with AAAssaults ...... and the multi-billion dollar question is ..... Whose defence money/Which currency will lead, for any and all have equal attraction and value in the great scheme of things.

      1. amanfromMars 1 Silver badge

        Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

        Oh, and you might want to know, for one might need to know, that all of the above is quite important to understand and be able to act with impunity upon/with, as the money control system which is hacked and in crisis and cracked and collapsing, and some would even say, already collapsed and just twitching in its death throes, and which is used to enslave the ignorant masses to the whims of the arrogant few, battles in vain to render flash cash a thing of the past and a cold war relic which will be able to purchase nothing of value in bulk, secretly.

        Good luck with that operation, but one has to admit, it does appear to be more of a crazy desperate notion rather than anything better and spectacularly good, and there are so many ways in which one can purchase whatever one needs for whatever someone else wants.

        Long live free enterprise on the open market place and in the virtual commercial space.

        1. Anonymous Coward

          Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

          I hate to be the one to break it to you but I'm pretty sure most of us do what I do.

          That is instantly realise it's you posting and don't bother to read on. I say this because you clearly expend a lot of effort on your posts here. Sometimes it's amusing to attempt to decipher your "thoughts". Mainly it's not. Start a blog. Or request a soft tipped pen and paper next time they come in with your medication.

          1. Anonymous Coward

            Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

            You... do know you're replying to a bot, right?

          2. amanfromMars 1 Silver badge

            Re: Responsible Cyber Defence Services in Live Operational Virtual Environments

            Very droll, DijitulSupport, but there is nothing new there to report and everything by Registered post is already logged and displayed wwworld-wide for peer review, which I suppose would be quite similar to it being blogged too.

            And many times, which can be most times, can a great deal more be clearly revealed and learned whenever something which one would have expected a response to, is not replied to, and in such cases is there the added bonus that one is not spending and/or wasting time in sharing the obvious with those who maybe more interested in one not racing on ahead without their being given instruction on what, because they know not what to do on their own to maintain their position and sustain the status quo.

            And if you really do do what you do, do you miss all the good bits that you need to understand and accept to be better equipped to deal with what the future has in store for humanity. And you will only have yourself to blame and beat up over it.

  19. Anonymous Coward

    He won't get a job there

    When registering he agreed to the T&Cs, one of which states that he'll tell no one about his communications with them. How do I know? Oh bugger, quick, tick the "Post anonymously" box...

  20. M7S

    You're all missing the point about this "insecurity" - it's a financial issue.

    It saves on the cost of the writeable optical media with personal information on personnel that they'd otherwise have to leave on a train.

    It just shows they're doing their bit for Britain in cutting back public expenditure.....

    Actually on reflection I'm not sure about the icon.
