Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site.
The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall only got round to blogging about the issue this week, two months after the offending email.
Incredibly the signals intelligence agency had done nothing in the weeks in-between to address such well understood security bad practice on its careers site.
Website passwords should be stored by organisations only as encrypted and salted hashes. And password reminders shouldn't be sent in unencrypted emails. Instead it's far better to apply a password reset procedure. Password retrieval isn't even possible where login credentials are stored only as encrypted and salted hashes, so it's evident that in this case they weren't.
Mistakes on these lines are all too commonplace. Plain Text Offenders, a site that aims to name and shame sites following such insecure practices, estimates 30 per cent of sites store plaintext passwords.
Last July supermarket giant Tesco was taken to task by software developer Troy Hunt over its storage of users passwords in plain text and plain text password reminders.
So plaintext passwords are commonplace, and in some cases may not be that big a deal. But GCHQ - whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments can reasonably be held to the highest possible standards.
GCHQ's career site is, of course, not part of its core mission and might even be run by a third-party agency but that's a weak excuse for not setting the best possible example in the case of such an agency. Apart from anything else, it is likely to seriously put off recruits of the calibre and security savvy the agency needs.
In response to queries from El Reg, GCHQ supplied a statement acknowledging and downplaying the issue, which it ascribes to a legacy system it's in the process of changing anyway.
The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.
Plaintext password reminders are a problem not just because emails can be intercepted. Unless login credentials are stored as encrypted AND salted hashes then any breach on servers is liable to allow hackers to recover user passwords. Storing login credentials as hashes alone isn't good enough because they are still vulnerable to brute-force (try every probable combination) attacks using readily available rainbow tables and other password-cracking tools. Insecure backups pose the same type of risk.
Hacktivists like Anonymous and LulzSec have shown an appetite for nobbling secondary websites run on behalf of national-security and police organisations like GCHQ, before leaking the data. They care little about collateral damage to individuals whose private details have been exposed - which might in this case include people who go on to become GCHQ personnel and could then be targeted by anyone from hacktivists all the way up to hostile human-intelligence agencies.
And, as Farrall points out, the potential harm that can come if anyone nobbled GCHQ's career site is far worse than might normally be the case because applicants are expected to submit a great deal of private information for use in security vetting.
"For those that don’t think this matters, bear in mind the type of information you're submitting," he write. "Names, dates, family members, passport numbers, housing information. With this type of information identity theft is a major concern."
Quite apart from the privacy issues it's a real eye opener that GCHQ is not taking greater care of the personal details of people who may one day go on to become the UK government's penetration testers. ®