back to article GCHQ attempts to downplay amazing plaintext password blunder

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site. The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password …

COMMENTS

This topic is closed for new posts.
  1. Michael H.F. Wilkinson
    Coffee/keyboard

    The sound you hear

    is that of crypto-experts past (Alan Turing included) spinning in their graves

    Hilarious blunder, especially coming from GCHQ

    1. LarsG

      Re: The sound you hear

      Is the smile appearing on my face and the subdued background noise of laughter.

      Rodney you......Plonker!

    2. Rampant Spaniel

      Re: The sound you hear

      It's a bloody good job they aren't in charge of anything important then!

    3. robin48gx
      FAIL

      Re: The sound you hear

      Its probably like the archer cartoons in there

    4. Your Opinion Matters
      Mushroom

      Re: The sound you hear

      You guys have missed the obvious.

      They ARE storing salted encrypted passwords.

      But they have broken public key cryptography and not told us, dun dun dun!!!!

      They accidentally decrypted your password to send back to you.

  2. Anonymous Coward
    Anonymous Coward

    Sadly common in UK Gov

    Helped my brother-in-law to register on the Landlord Registration central online system for Scotland. Asks for a password, try one, sorry not long enough (and no, it was not "mypenis"). Try another, sorry must have numbers and both upper and lower case characters. Try a third to meet those security aspects and its is happy.

    Then I get an email, absolutely unencrypted as you would expect, with both user name and password!

    SECURITY FAIL! (to borrow from Eadon, but here it seems justified as being AC I can't use the icon)

    1. tirk
      Facepalm

      Re: Sadly common in UK Gov

      The financial system of one of my (large, public sector, UK) clients I use to manage the purchase orders they place with my company requires a password. Helpfully it informs me that it must be "at least 1 character(s) long". I have pointed this out, several times, over several months....

      1. Allan George Dyer
        Paris Hilton

        Re: Sadly common in UK Gov

        Perhaps they think you're complaining because you want to use a shorter password?

        1. tirk
          Unhappy

          Re: Sadly common in UK Gov

          Ah, I forgot - when I first used it it complained that my 10 character password was too long (maximum was 8). They did at least fix that....

  3. kbb

    Banks too?

    I've written my PIN down before in amongst a lot of other numbers to disguise it, and then forgotten which 4 digits were the right ones, so I contacted the bank to let them know I'd forgotten it. They sent me a "here is your PIN" letter and it had the same PIN (the digits were in my note). So they must be storing PINs in plain text too.

    1. Stuart Moore

      Re: Banks too?

      To be fair, you've only got 10,000 combinations there, and any salting etc. could be broken trivially.

      1. Anonymous Coward
        Anonymous Coward

        Re: Banks too?

        Well, to a third party the salted passwords might be difficult but since the bank knows the mechanism for the salt and there are less than 10000 combinations, excluding non available combinations means they could brute force their own hashes very quickly. A test script I just ran which generated 9999 salted passwords and tests every single one vs the salted and hashed known value, generating the full 9999 for each test only took 90 seconds on a single core machine... of course in a real one you'll break out far earlier but you can really say if password usage was evenly distributed throughout the range an average on an ageing single core machine is 45 seconds... I suspect a bank can have that done in under a tenth of the time.

        1. Yossarian
          Alert

          Re: Banks too?

          Banks use Hardware Security Modules (HSMs) to hold PINs which are heavily protected beasts.

          Without physical access it's pretty much impossible to get anything out of them and then they normally have a myriad of access detection sensors which delete the memory if you try anything (I've tried kicking one, it got upset and deleted everything)

          I wouldn't worry about these normally but I recently found that BarclayCard will display your PIN on the web site if you ask, that sounds very silly to me.

          1. Daniel B.

            Re: Banks too?

            Heh. Yup, HSMs give the really awesome protection of having the private/secret key never leave the HSM, so barring someone physically stealing the HSM, the stuff encrypted by it is safe.

            OTOH, if someone were to have direct access to the HSM *and* the config info to use it... Oopsie! (Hopefully, they're running it at FIPS 140-2 Level 3...)

    2. Aqua Marina

      Re: Banks too?

      I think my bank (Yorkshire) stores it's secret answers in non-encrypted format. The answers used to be case sensitive, then one day they ceased to be so. I used their internal ticketing to ask why the change. The answer was that too many people were forgetting case sensitivity so they turned it off. What worries me is the fact that I didn't have to change my password when they did this, and the fact that now I can WrITe My SecRET AnsWERS in ANY caSE I liKe tells me they arn't encrypted, and probably neither are the passwords.

      1. Aqua Marina

        Re: Banks too?

        * I mean I didn't have to change any of my secret answers, not password.

      2. Adrian Bool
        Go

        Re: Banks too?

        Could still be hashed. When they made this change they could have taken your first successful login and then re-wrote a hash of a lower case version into their database; then from then on they just set your input to lower case before hashing it and doing the compare...

  4. John G Imrie

    I think it's been outsourced

    Netcraft says the following

    Netblock owner IP address OS Web server Last changed

    Rackspace Cloud IP Space 31.222.187.124 Windows Server 2008 Microsoft-IIS/7.5 8-Jul-2012

    1. Anonymous Coward
      Anonymous Coward

      Re: I think it's been outsourced

      Well at least it's using a fairly secure OS.

  5. Anonymous Coward
    Anonymous Coward

    "The current applicant tracking system used by GCHQ is a legacy system ..."

    A feeble excuse, and all the more feeble because they have been in the business of specifying best practice in security matters for a long, long time - far longer than they've been using this 'legacy' system, I'd wager.

    I have a lot of respect for GCHQ, but they really do need to work on their public interface.

  6. Cliff

    What does the Reg do?

    Are our passwords here stored in clear text?

    1. This post has been deleted by its author

    2. Dom 3

      Re: What does the Reg do?

      El Reg certainly *used* to email out plain text password reminders!

  7. Inventor of the Marmite Laser Silver badge

    Well.......

    Pass the salt!

  8. Nigel Sedgwick

    Which problem is The Problem?

    Should GCHQ want to recruit people who 'forget' their passwords?

    Best regards

    1. Dr. Mouse

      Re: Which problem is The Problem?

      "Should GCHQ want to recruit people who 'forget' their passwords?"

      Everyone forgets their password from time to time. Or locks out their account. Or....

      Just because a person is one of the best cryptanalysts in the world doesn't mean they don't have a memory like a sieve.

      However, for an intelligence agency to be storing passwords in plain text is inexcusable. Even on a peripheral system. It doesn't matter whether they are sending out plain-text password reminders, as such. It is that they are storing them insecurely. Which is bad. Very bad.

    2. Anonymous Coward
      Anonymous Coward

      Re: Which problem is The Problem?

      Actually, when I'm asked to create an online account somewhere I routinely test their password retrieval/resetting procedure as a means to gauge their website security (before creating my real account of course!).

      IMHO it's a good litmus test

      1. Field Marshal Von Krakenfart

        Re: Which problem is The Problem?

        I usually try ${drop table all;} as a password,

        I'm just waiting for the day

        1. Uncle Slacky Silver badge

          Re: Which problem is The Problem?

          Wait until Little Bobby Tables makes an application...

          1. Matt 21

            Re: Which problem is The Problem?

            The biggest secret they've got is that they haven't got any secrets.

      2. Scott 62

        Re: Which problem is The Problem?

        your autism is showing.

    3. amanfromMars 1 Silver badge

      Re: Which problem is The Problem? ..... Posted Wednesday 27th March 2013 09:29 GMT by Nigel Sedgwick

      Should GCHQ want to recruit people who 'forget' their passwords? Best regards .... Nigel Sedgewick

      The sort of folk that GCHQ and Spookery need, are the sort of folk who recruit GCHQ and Spookery for their needs and feeds and seeds.

      Best Regards .... and more anon as ProgramMING Programming proceeds.

      Sincerely Yours,

      GCHQ ICEnterprises

      Is problem folk for problemed folk the right SMARTR answer which delivers change you can see in presentations rather that just hope and false dawns you are pimped to believe in and blindly support in ignorant servitude, which appears to be status quo establishment fare and their pathetic vapourware?

      Answers in an email to ....... well, if it be to any status quo establishment systems it may as well be to Mars for all the good that they can provide, is what you will find to be too true to ignore as other than a fact which is hidden behind fictions and spinning tales of non daring do nothing creativity and mayhem.

  9. All names Taken
    Paris Hilton

    No news here. Move on please ...

    Okay so another publicly funded body makes a bit of a booboo.

    1. Corinne

      Re: No news here. Move on please ...

      But it isn't just "another publicly funded body", it's GCHQ who are responsible for national security issues. There's a big difference between a government department who deals with e.g. agriculture, and one that deals with intellegence data & spying.

      1. Wzrd1 Silver badge

        Re: No news here. Move on please ...

        "...it's GCHQ who are responsible for national security issues."

        Except that the site in question has precisely zip in any form of national security information on it. It only has harmless information, such as your name, address, telephone number, all registration numbers, friends names and addresses, relatives names and addresses, etc.

        Totally innocuous information. From a national security standpoint. ;)

        Seriously though, at least all of the national security information is on its own segregated network.

        Trying to remember the name for it now. The US starts with NIPRnet, SIPRnet and JWICS.

        Ah, I remember now! BBCnet.

  10. Tom 38

    Farrall only got round to blogging about the issue this week, two months after the offending email.

    Presumably after not getting the gig.

  11. alain williams Silver badge

    Maybe it is part of the selection test

    If you complain about the poor security then it helps to show GCHQ that you have some clue and thus worth considering for employment.

    I wish, but I suspect that I am wrong.

  12. Callam McMillan

    I once did an application for a similar type of organisation. There was a very clear warning at the beginning. If you got the password wrong three times, your account would be locked out. And there was no password recovery option. That's how you do proper security, and weed out applicants who can't remember a password.

    1. Paul 5
      FAIL

      Surely that is how you train people to write down their password?

    2. davtom

      You use it to weed out humans then?

      1. Will Godfrey Silver badge
        Unhappy

        That's it. I need a break from the 'puter. I just read that as:

        "You use it for weed"

    3. Pookietoo

      re: That's how you do proper security

      Actually that's a failure to manage security effectively: people are given access to secure systems because they need it in order to do their jobs - a user locked out is a job not done.

  13. Anonymous Coward
    Anonymous Coward

    was it yesterday?

    that some bloke in the comments said that no intelligence agency would keep the list and details of their agents on a machine connected to the computer, no way, cause like, they're too smart to stumble for such an obvious risk? Well, he severely underestimated the power of the human mind!

    1. Anonymous Coward
      Thumb Up

      Re: was it yesterday?

      Yupp, it was in the article about an outed Mossad agent list, and people were convinced that these "pros" would never make mistakes like that. Well, when I see people convinced that something can never happen, I just see people lacking in life experience.

    2. JimmyPage Silver badge
      Thumb Up

      Re: was it yesterday?

      Yup.

      And I was the one who said that if you believe that you need to step away from the internet.

  14. Anonymous Coward
    Anonymous Coward

    You think that's bad I was once allowed into GCHQ showing a sausage roll to the security guard rather than my ID pass. I had only been working there for a few months so he didn't know my face either. We also often swapped ID badges to see if it would be spotted. This was at the Oakley site perhaps Benhall was different.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      I presume he saw you leave, and logged your security badge pulsing the gate back in.

      Maybe he thought you were simply showing your 'lunch' as an explanation to where you've been, then probably shaking his head after you've gone passed.

      GCHQ's just a couple of miles from me, maybe I'll get a pizza, and try my luck getting through the gate with a cheesy smile, a red peaked cap and a little wave of the pizza box! OK, maybe I won't - 'tis a boring place.

    3. peter 45
      Black Helicopters

      More stories from back in the day

      More ID card stories from colleagues.

      1. Driving onto site and realised ID card was in the boot. Waved a piece of toast at guard and waved onto site.

      2. Pasted a picture of a gorilla onto ID card. Took it off a week later 'cos no-one had challenged it.

      Hi to all at T42. Hope you are still whipping up a storm.

  15. peter 45
    Unhappy

    They want everything

    "Names, dates, family members, passport numbers, housing information". Not just that.

    If this is used to provide information for security vetting, it is basically everything needed for complete identity theft.

    Full names addresses and dates of birth for all family members back to Grandparents including Maiden names. All addresses for the last 10 years. All schooling and all past employers. All bank account and investment details. About the only thing they do not ask for is the Dog's name.

    Tell me how many places ask Security questions based on this information. Then tell me how serious this isn't?

  16. Dodgy Geezer Silver badge
    Trollface

    ...But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments can reasonably be held to the highest possible standards....

    Aha - I think I see the problem here.

    WHAT 'absolutely critical national-security information' have we got?

    We used to have a lot, when we ran half the world, and had a military that was equal to/better than the US. Those were the days when our position needed to be considered amongst the world's powers. Now, however, we are not really part of the game any more.

    Perhaps someone might be thinking of attacking us, and needs some information on our defences? The Falklands showed how any real information passing through the intelligence system soon got ignored if it didn't conform to pre-determined government policy. At the moment we could be considered as 'under economic attack' from the Chinese. And what are we doing about it? Stuffing our own economy with green taxes in an attempt to de-industrialise.

    We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't...

  17. This post has been deleted by its author

  18. batfastad
    Facepalm

    Amateurs?

    Amateurs? Or an amazing honeypot?

    It's probably not an in-house package but there must be some bods at GCHQ who do the security auditing of code, right?

  19. batfastad
    Stop

    The ones to worry about

    The sites to worry about are those that enforce a low max length (<20 chars) and disallow special characters. If it's being hashed/crypted properly then the maximum length and any special characters are irrelevant.

    Rather than that stupid cookie law crap how about a law requiring sites to display their password storage procedures with big fines for not telling the truth (proper big fines, not the stuff the ICO hand out at the moment for data breaches). It won't prevent idiots being in control of a computer and developing rubbish software though unfortunately.

    Do we know what careers software this is and who the developers are?

  20. Vladimir Plouzhnikov

    It's all old news

    I saw a documentary on this a few month back. Spies IDs list stolen, sky fell etc etc. There was one agent, he sorted it all out in the end. I think his name was Bomb or Bond or something...

    1. PhilBuk

      Re: It's all old news

      Nah, it was Ethan Hunt.

      Phil.

  21. Benchops

    This is no blunder

    They're distracting attention away from something else!!

  22. Anonymous Coward
    Anonymous Coward

    Upgraded my broadband service with my ISP - which is a big UK one. Gobsmacked to receive a confirmation email which included my existing password in plain text. As it was one I had set myself a while ago then they obviously store them in an unsafe way.

  23. 0perat0r

    "Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't." On the basis that they know their own keys/salts:

    http://www.theregister.co.uk/2013/03/26/our_crypto_kind_of_sucks/

  24. This post has been deleted by its author

  25. Mr Spock

    Pay peanuts, get monkeys.

    This is the same GCHQ that couldn't understand why hardcore tech gurus weren't flocking to work for them for £25,000 a year. Hardly surprising they can't employ someone with a clue about password security, then.

  26. Anonymous Coward
    Facepalm

    Oops!!

    That is all.....

  27. Al Jones

    Password Retrieval vs Password Reset

    If the concern is that passwords are sent in e-mail that can be intercepted, then password reset links are just as vulnerable..

    If the concern is that hacker can get access to a plaintext list of usernames and passwords on the website, then they've probably already gotten access to the far more valuable personal information that has been uploaded to the website.

    GCHQ should do better, but if you're worried that someone might get access to data on their webserver, and your concern is that you used the same password for GCHQ as you used for your Amazon account, then I think you're missing the forest for the trees!

  28. PhilBuk
    Thumb Down

    Patronising Twats

    Love the patronising bit in the reply, "This comes with clear instructions of how to protect their data."

    It's not them that that should be protecting the data - it's your job!

    Phil.

  29. Paul Hovnanian Silver badge

    Plaintext storage

    Nothing new here. Back in the day when I worked for a major US defense contractor, we had a 90 day password change requirement for their IT access control system. The change rules were quite onerous and woe to anyone who just tried to roll from 'password01' to 'password02'. Changes deemed 'too simple' were rejected.

    My best guess is that they stored passwords in plaintext and tested changes against the old version*. Compromised systems were par for the course at this outfit.

    *Easy work around: The validation algorithm could only look at the present password, so it was a simple matter of remembering two different ones and switching back and forth every three months.

  30. Mike 16
    Paris Hilton

    Password reset?

    You might want to check with the lady above left about how secure such systems are.

    Anybody who cares can probably find all the answers to a typical company's "security questions" for any person who even has a presence on the Internet. (My first use of the Paris icon, but then, you don't have Ms Palin)

  31. Anonymous Coward
    Anonymous Coward

    perfect cover

    When Mossad agents mysteriously materialise in a Mediterranean hotel and casually top a high ranking Palestinian they don't like the look of, the fake passports they use will need some quality details. What better way of obtaining the data for such a project from their obliging chums at GCHQ, all easily bind-alleyed by blaming a legacy contractor?

    After the man in a suitcase clusterfuck, I wouldn't put any kind of Machiavellian weirdness past our erstwhile black helicopter drivers.

  32. Joe Montana
    FAIL

    FAIL?

    What's strange is that GCHQ put a website online available to the public without it being pentested first, usually government sites must be tested by a company that's a part of the government pentest scheme (operated by CESG). Either that, or whoever tested the site missed something so ridiculous?

    Incidentally, while storing plaintext passwords is generally regarded as a bad thing, every windows system does exactly this - stores plaintext passwords in memory as well as letting you authenticate using the hash itself (ie the hash becomes plaintext equivalent). If anyone else did something so stupid their products would be banned, but ms gets a free pass.

  33. JaitcH
    FAIL

    GCHQ, another Mad MAY operation

    Seems like the all time ministrial loser of all time, Mad MAY, is failing again.

    I wonder what part of her extensive purview actually functions? And she wants the ability to bug the whole of the UK?

    1. amanfromMars 1 Silver badge

      Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

      ..... or is that a MkUltraSensitive and Secret Intelligence Service Virtualised, Phormed and Established and Never Ever .... well, Hardly Ever unless Need to Know Requires IT, .... to be Officially Recognised and Touted like some Sort of Spooky First Class Upper Class Pro Hooker?

      We should only spend money on defences when we have something worth defending. Which, at the moment, we haven't… …. Dodgy Geezer Posted Wednesday 27th March 2013 10:51 GMT

      And, Dodgy Geezer, as any DODGI Cyber Systems Warrior/AIMODified Virtual Pioneer worth the wearing of the moniker knows, one cannot successfully defend unless one knows how to win win with attacks, and whenever one knows how to win win with attacks, is defense not nearly as attractive and exciting and lucrative as successful Anonymous Almighty Attacks ….. AAAssaults?

      Which is and has been, and will be most probably always continue to be, in a System of Primitive Primary Protocols, something of an Abiding Enigma which Exercises IntelAIgent Community Enterprises with Exploitation and Advancement through Zeroday Vulnerabilities and Systemic Program Weaknesses …… which are always controlled by failing humans and thus always an Open Source Window and PerlyGatesPython Door ajar for stealthy virile trojan entry into the sweet sticky core that drivers their follies and foibles/passions and vices/sins and dreams.

      Who Dares and All That, in All of That, Win Wins and Always Loses FailSafe. ….. Capiche?!.

      Comprendez, GCHQ/MI5/MI6/CESG/OCSIA …… or does IT need to be spelled out in words of a few syllables for y'all, to more easily understand that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use ……. although surely, even the slowest and dimmest of wits in such fields as are tilled here would accept that which has just been said, as that which quite adequately describes that which confronts and presently prevents you from progressing further into harm in a future space which can do you immeasurable harm if even considered for abusive selfish use.

      And I think all of that, Dodgy Geezer, is something worth spending defence money on ..... and exporting to any who have need of cyber defence which can successfully attack with AAAssaults ...... and the multi-billion dollar question is ..... Whose defence money/Which currency will lead, for any and all have equal attraction and value in the great scheme of things.

      1. amanfromMars 1 Silver badge
        Pirate

        Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

        Oh, and you might want to know, for one might need to know, that all of the above is quite important to understand and be able to act with impunity upon/with, as the money control system which is hacked and in crisis and cracked and collapsing, and some would even say, already collapsed and just twitching in its death throes, and which is used to enslave the ignorant masses to the whims of the arrogant few, battles in vain to render flash cash a thing of the past and a cold war relic which will be able to purchase nothing of value in bulk, secretly.

        Good luck with that operation, but one has to admit, it does appear to be more of a crazy desperate notion rather than anything better and spectacularly good, and there are so many ways in which one can purchase whatever one needs for whatever someone else wants.

        Long live free enterprise on the open market place and in the virtual commercial space.

        1. Anonymous Coward
          Windows

          Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

          I hate to be the one to break it to you but I'm pretty sure most of us do what I do.

          That is instantly realise it's you posting and don't bother to read on. I say this because you clearly expend a lot of effort on your posts here. Sometimes it's amusing to attempt to decipher your "thoughts". Mainly it's not. Start a blog. Or request a soft tipped pen and paper next time they come in with your medication.

          1. Anonymous Coward
            Anonymous Coward

            Re: Who/What is responsible for Cyber Defence Services in Live Operational Virtual Environments

            You... do know you're replying to a bot, right?

          2. amanfromMars 1 Silver badge

            Re: Responsible Cyber Defence Services in Live Operational Virtual Environments

            Very droll, DijitulSupport, but there is nothing new there to report and everything by Registered post is already logged and displayed wwworld-wide for peer review, which I suppose would be quite similar to it being blogged too.

            And many times, which can be most times, can a great deal more be clearly revealed and learned whenever something which one would have expected a response to, is not replied to, and in such cases is there the added bonus that one is not spending and/or wasting time in sharing the obvious with those who maybe more interested in one not racing on ahead without their being given instruction on what, because they know not what to do on their own to maintain their position and sustain the status quo.

            And if you really do do what you do, do you miss all the good bits that you need to understand and accept to be better equipped to deal with what the future has in store for humanity. And you will only have yourself to blame and beat up over it.

  34. Anonymous Coward
    Anonymous Coward

    He won't get a job there

    When registering he agreed the the T&Cs, one of which sates that he'll tell no one about his communications with them. How do I know? Oh bugger, quick, tick the "Post anonymously" box...

  35. M7S
    Joke

    you're all missing the point about this "insecurity" - its a financial issue.

    It saves on the cost of the writeable optical media with personal information on personnel that they'd otherwise have to leave on a train.

    It just shows they're doing their bit for Britain in cutting back public expenditure.....

    Actually on reflection I'm not sure about the icon.

This topic is closed for new posts.

Other stories you might like