A UK student has uncovered the gaping security hole

Mar 26, 2013 14:03 GMT

The recent data breaches have shown that there are still a large number of organizations that fail to properly hash user passwords (with a per-user salt and a slow key-derivation function) before storing them in a database, so that a leaked table exposes every account.

However, when we learn that a major government agency is storing passwords in plain text, we can’t help but think that our efforts to keep our personal information safe are in vain.

A perfect example is the one highlighted by Dan Farrall, a student from the United Kingdom, who has found that the UK Government Communications Headquarters (GCHQ) is storing passwords in plain text.

Farrall noticed the lack of even basic password security measures while working through a job application on the organization’s website.

Since he already had an account on the site, but couldn’t remember the password, he used the “forgot my password” feature to recover it.

The email he received from GCHQ didn’t contain a link to a page that would allow him to set a new password. Instead, it contained his existing password in clear text. A site can only send the original password back if it can recover it, so the agency is storing applicants’ passwords either in plain text or in a reversibly encrypted form; a properly hashed password cannot be turned back into the password, which is why a sound recovery flow sends a single-use reset link rather than the password itself.
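To make the distinction concrete, the following is an added example (not code from GCHQ, from Farrall, or from the original article) showing the two flows side by side: the flawed pattern, in which “forgot my password” simply reads the password back out of the record, and a sound pattern that stores only a salted PBKDF2 hash and handles recovery with a single-use, time-limited reset token of which only the hash is kept. The in-memory `dict`, the user names and the `PBKDF2_ITERATIONS` and `RESET_TOKEN_TTL` values are assumptions chosen for the illustration.

```python
"""Password storage and reset: the flawed pattern beside a sound one.

Added example, not code from GCHQ or from the article. The in-memory
`dict` stands in for the applicant-tracking database.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed; current OWASP guidance for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60    # assumed; seconds a reset link stays valid


# --- The flawed pattern the article describes -------------------------------

def store_plaintext(db: dict, user: str, password: str) -> None:
    """Stores the password as-is: anyone who reads the table has every password."""
    db[user] = {"password": password}


def recover_plaintext(db: dict, user: str) -> str:
    """What a 'forgot my password' mail can only do if storage is recoverable.

    Receiving your old password back is therefore proof of plaintext
    (or reversibly encrypted) storage on the server side.
    """
    return db[user]["password"]


# --- The sound pattern: salted KDF plus single-use reset token --------------

def _kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_hashed(db: dict, user: str, password: str) -> None:
    """Keeps only a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    db[user] = {"salt": salt, "hash": _kdf(password, salt), "reset": None}


def verify(db: dict, user: str, password: str) -> bool:
    """Re-derives with the stored salt and compares in constant time."""
    rec = db.get(user)
    if rec is None or "hash" not in rec:
        return False
    return hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"])


def issue_reset_token(db: dict, user: str, now=None) -> str:
    """Returns the token to embed in the e-mailed link.

    Only the token's hash and an expiry are stored, so a leaked database
    does not hand out live reset links. Nothing about the password is sent.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db[user]["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token


def redeem_reset_token(db: dict, user: str, token: str, new_password: str, now=None) -> bool:
    """Accepts the token once, within its lifetime, and sets a new salted hash."""
    now = time.time() if now is None else now
    rec = db.get(user)
    pending = rec.get("reset") if rec else None
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    rec["reset"] = None  # single use: cleared before the new password is set
    salt = os.urandom(16)
    rec["salt"], rec["hash"] = salt, _kdf(new_password, salt)
    return True
```

The point of the contrast is that in the second design the server is simply unable to write a password into an email, expired or reused tokens are refused, and the stored record reveals neither the password nor a usable reset link.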

“Not really sure how we can trust somebody like that to protect us, when they are still doing stupid things like this,” Farrall noted in a blog post.

“For those that don’t think this matters, bear in mind the type of information you’re submitting to these online applications. Names, dates, family members’ information, passport numbers, housing information. With this type of information identity theft is a major concern,” he added.

The issue was reported to GCHQ at the end of January but, according to the student, the security hole was still present a couple of days ago when he decided to make his findings public.

We’ve sent a request for comment to GCHQ and we’ll update the article in case they respond.

Update. GCHQ representatives have responded to our inquiry.

“The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it,” a GCHQ spokesperson said.

“Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.”