
GCHQ – Not So Secure? - sdoering
http://danfarrall.com/gchq/
======
jgrahamc
This is just GCHQ's way of saying that they already know how to reverse
bcrypt.

On a more serious note <http://www.gchq-careers.co.uk> does not appear to be
run by GCHQ. The Terms page says that it's run by TMP Worldwide
(<http://www.gchq-careers.co.uk/terms-and-conditions/>).

~~~
scoot
That doesn't make it any less egregious. GCHQ (of all organisations!) have
failed to carry out even a minimum standard of due diligence in selecting a
supplier that handles sensitive personal information of prospective employees.

~~~
jiggy2011
They have finite resources so there is an opportunity cost to everything.

More time auditing their public website means less time auditing military
systems etc.

------
jiggy2011
To be fair, I doubt that the GCHQ website is developed by the same people who
are doing cyber intelligence work or whatever it is they do.

More likely it was just developed by whichever company was picked off a list
of government contractors. I'm sure that whatever internal systems they have
are completely separate from the website.

GCHQ probably consider arguing with a contractor about the password hashing on
the jobs section of their website as a waste of their time.

------
trotsky
If you're reusing passwords on websites you care about, your behavior is risky
no matter what hashing algorithm gets used or doesn't at some specific website.

If you're not reusing passwords it doesn't matter to you how they store your
password. If they have broken in far enough to dump the auth table they almost
inevitably can access your data stored there.

------
shanelja
<http://www.ucas.ac.uk/>

Another website which stores passwords in cleartext - just raising awareness.

 _We have received a reminder request for your login details.

Please use the details exactly as written below to access the UCAS Apply 2013
service:

Password: ThisWasMyClearTextPassword_

~~~
karma_fountain
It was a while before they even had password reset. I believe you had to ring
up. Think this will be fixed next year.

~~~
shanelja
I forgot my username, because they don't allow email address login, so I had
to recover my username. For this they required some kind of ID, but it wasn't
present in my emails; it took me a while to figure out there were _different
recovery pages for different types of accounts_, so putting in my email just
returned "invalid email address".

Took me about 45 minutes just to recover my information; it's a terrible user
experience:

First off, requiring an uppercase letter, which I've never used, so I now
actually need to remember another password (both lowercasepassword and
Uppercasepassword); then changing my username to something built out of my name
and age, with capitals in it, like FirstLast92, instead of just my email.

I hope I never have to use this website again.

~~~
Shish2k
> both lowercasepassword and Uppercasepassword

When I was applying to uni both of those would be invalid passwords too, as
they're more than 8 characters. I emailed them to complain, and was told that
this is to enforce easy-to-remember passwords, because they didn't want to
deal with the hassle of people asking for password resets...

~~~
ajanuary
The University of York have a similar length requirement. When I enquired
about it, I was told it was because some of the older systems have a maximum
length, and they keep your password the same everywhere.

------
CurtMonash
The argument that this matters holds water. If you can steal the identities of
all the applicants then, in particular, you can steal the identities of the
successful ones.

~~~
objclxt
GCHQ, along with various other agencies, out-source some of their recruitment,
mainly to sift. Perhaps you could steal the identities of the candidates who
had passed the initial few sifts...but I really doubt that things like
developed vetting status are going through this system.

~~~
hp50g
Nope - having been there as a contractor, it's still done on paper, believe it
or not.

------
richardwhiuk
It's not obvious that they are storing them in plain text (they could easily
be encrypting them), but what they aren't doing is using a one way hash.

~~~
lucian1900
That doesn't really make it any better. If someone gets their database, they
almost certainly also have the key they hypothetically encrypted the passwords
with.

If they'd used pbkdf/bcrypt or even better, scrypt, this would be a non-issue.

~~~
buttscicles
I'm curious - what makes scrypt superior to bcrypt?

~~~
SoftwareMaven
Space-hardness is important for people throwing 10000 GPU cores at the
problem. Bcrypt is more susceptible as it was designed before the million-core
world came about; scrypt will continue to thwart them due to memory constraints.
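
The memory argument in the two comments above (what makes scrypt "superior" to bcrypt) can be made concrete. The following is an added example, not code from the thread: it computes the working memory each guess costs under scrypt's cost parameters (128 * r * N bytes for the mixing array, the figure from the scrypt paper) against bcrypt's fixed Blowfish state (18 P-array words plus four 256-entry S-boxes, about 4 KiB), shows how many guesses fit side by side in a fixed memory budget, and hashes and verifies a password with scrypt via the standard library. The 8 GiB budget, the parameter choices and the sample password are constructed for the illustration.

```python
import hashlib
import hmac
import os

# scrypt parameters used throughout (constructed choice: N=2^14, r=8, p=1)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Memory scrypt's mixing step needs per guess: 128 * r * N bytes."""
    return 128 * r * n


def bcrypt_state_bytes() -> int:
    """bcrypt's cost is spent on a Blowfish key schedule whose state is
    18 P-array words plus 4 S-boxes of 256 words, each 32 bits wide."""
    return (18 + 4 * 256) * 4  # 4168 bytes, ~4 KiB


def parallel_instances(memory_budget_bytes: int, per_guess_bytes: int) -> int:
    """How many guesses an attacker can keep in flight within a memory budget."""
    return memory_budget_bytes // per_guess_bytes


def hash_password_scrypt(password: str, salt=None):
    """Return (salt, digest); the salt is stored alongside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024,  # allow the ~16 MiB this parameter set needs
        dklen=32,
    )
    return salt, digest


def verify_scrypt(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_password_scrypt(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    budget = 8 * 2 ** 30  # constructed: 8 GiB of accelerator memory
    per_scrypt = scrypt_memory_bytes(SCRYPT_N, SCRYPT_R)
    print(f"scrypt guess needs {per_scrypt // 2**20} MiB; "
          f"{parallel_instances(budget, per_scrypt)} fit in 8 GiB")
    print(f"bcrypt guess needs {bcrypt_state_bytes()} bytes; "
          f"{parallel_instances(budget, bcrypt_state_bytes())} fit in 8 GiB")
    salt, digest = hash_password_scrypt("correct horse")  # constructed sample
    print("verify:", verify_scrypt("correct horse", salt, digest))
```

The comparison is deliberately about memory only: both algorithms also burn CPU time per guess, but the memory term is what stops the "million-core" attacker from running one guess per core, which is the point the comment makes.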

------
ed_blackburn
Just highlights how the race to the bottom in terms of IT procurement in govt.
is arguably counter productive. Compare the cumbersome government procurement
process for knocking up simple websites like this when they could palm them
off to any number of small competent London tech companies.

Most of these things could just be pithy Rails sites that get thrown away after
every recruitment campaign.

------
ratherbefuddled
This is what happens when you let HR buy software without adult supervision.

------
gambiting
HMRC does not accept passwords with special characters, so it only shows that
these sites are run by incompetent IT departments....

~~~
bapbap
Outsourced to companies like Capgemini who deliver as little as they can get
away with.

------
belorn
There exist a few cases where storing passwords in clear text is valid, but
this one isn't it.

Ask the question: is the cost of giving the user a new generated password
higher than the risk averted by storing the password hashed?

If all you have is a login for a website, then the risk is clearly bigger than
any cost.

~~~
buttscicles
>There exist a few cases where storing passwords in clear text is valid, but
this one isn't it.

Name one.

~~~
fatjonny
I think there are some cases when storing passwords in clear text is valid.
One example:

A website has educational content. Teachers can sign up students in their
classrooms. The teacher's password is stored securely, the student's password
is not. The student password is shorter and automatically generated. The goal
is to make the password just hard enough to not be guessed by other students,
but not so hard that the student can't remember it. It is stored in clear text
so that the teacher can look it up for the student, or print out the password
to pass out to the student, etc. The student account is only given access to
the content. The worst thing that happens if a student's password is guessed
is that another student can mess up their progress tracking.

Is there a reason the student passwords should be encrypted in the database?

~~~
koenigdavidmj
All of those can be solved by password reset (perhaps by permission of the
teacher account, in this case, rather than entering personal information, as
password resets usually work).
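
As an added example (not code from either commenter), here is what the teacher-mediated reset described above looks like when the site keeps no plaintext at all: a short, generated password is shown to the teacher exactly once at enrolment or reset, only a salted PBKDF2 digest is stored, and a reset is refused unless the requesting teacher owns the student's account. The word list, the classroom names and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed word list; a real deployment would use a much larger one.
WORDS = ["apple", "river", "tiger", "cloud", "piano", "maple", "robot", "sunny"]
PBKDF2_ROUNDS = 50_000  # constructed choice


def generate_student_password() -> str:
    """Two words and two digits: easy to read out in class, not guessable outright."""
    return f"{secrets.choice(WORDS)}-{secrets.choice(WORDS)}-{secrets.randbelow(100):02d}"


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Classroom:
    """Student records hold (owning teacher, salt, digest); never the password."""

    def __init__(self):
        self.students = {}

    def enrol(self, teacher: str, student: str) -> str:
        """Create the account and return the one-time password for the teacher to hand out."""
        return self._issue(teacher, student)

    def teacher_reset(self, teacher: str, student: str):
        """Replace the password; returns the new one, or None if this teacher
        does not own the student's account. This replaces the clear-text lookup."""
        record = self.students.get(student)
        if record is None or record[0] != teacher:
            return None
        return self._issue(teacher, student)

    def _issue(self, teacher: str, student: str) -> str:
        password = generate_student_password()
        salt = os.urandom(16)
        self.students[student] = (teacher, salt, _digest(password, salt))
        return password  # returned to the caller, not retained anywhere

    def login(self, student: str, password: str) -> bool:
        record = self.students.get(student)
        if record is None:
            return False
        _, salt, digest = record
        return hmac.compare_digest(_digest(password, salt), digest)

    def stored_plaintext(self, student: str):
        """What a clear-text design would expose; here there is nothing to return."""
        return None


if __name__ == "__main__":
    room = Classroom()
    first = room.enrol("ms_smith", "sam")      # printed on the handout
    print("login with issued password:", room.login("sam", first))
    again = room.teacher_reset("ms_smith", "sam")  # student forgot it
    print("login after reset:", room.login("sam", again))
    print("reset by another teacher:", room.teacher_reset("mr_jones", "sam"))
```

The "extra step" the reply below objects to is the `teacher_reset` call; what it buys is that a database dump contains only salts and digests, so a leak cannot hand out every student's current password.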

~~~
fatjonny
Sure, teachers could reset the password. My point is that there is no reason
to. It is one extra step for teachers and gets rid of the benefit of having a
consistent password for the student.

------
JonnieCache
This is a big deal when you consider that, IIRC, GCHQ instructs you not to
tell anyone you've applied, and admitting that you've talked to others about
your candidacy can disqualify you from the job.

But perhaps I'm remembering a different intelligence agency's policy.

~~~
objclxt
No, that's true across all of the UK intelligence agencies (probably _all_
agencies worldwide, really). Depending on the role you'll probably have to go
through developed vetting, at which point your passwords are the least of your
worries...

------
ollybee
The official UK public transport site also does this:
<http://www.transportdirect.info>

There is a site for naming and shaming: plaintextoffenders.com

------
rpledge
Clearly they're actually storing them using very strong hashing techniques but
then using super secret technology from MI6 to reverse them if they get
forgotten.

~~~
DanBC
No no, that's back to front. GCHQ develop the super secret technologies and do
all the listening and decrypting.

MI6 uses that intelligence (as well as intelligence they've gathered
themselves).

MI6's "super secret technology" is a rubber hose in some friendly country with
no human rights laws.

------
DoubleMalt
I love how they strongly advise against writing down the password after
sending it in plain text over (possibly unencrypted) email.

------
walshemj
You know that these recruitment sites are run at arm's length by a specialist
recruitment agency and not GCHQ itself.

Though it doesn't send out the right signals, as a list of potential candidates
for GCHQ, the SS and SIS does have intelligence value to other actors.

------
umsm
Cached version:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://danfarrall.com/gchq/)

------
shocks
I encountered this over a year ago. Shocking really.

------
dfarrall
Just had to upgrade my bandwidth for the views you're bringing. Some interesting
comments here, guys.

------
deanpcmad
Just because it was sent by email, doesn't mean they aren't encrypting
passwords. When the password is sent to their servers it's unencrypted anyway
so can be read and sent in an email. I do disagree with passwords being sent
by email though.

~~~
strangestchild
I think the point is that storing even encrypted passwords is not as safe as
storing (salted) hashes, because if the database was compromised, the
encryption key would likely be compromised as well. It's safer if even the
site themselves do not know your password.

Technically, you are right to say that there's no evidence passwords are being
stored in plaintext, but encrypted stores really aren't any better.
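
The distinction drawn in this comment (and in lucian1900's earlier "they almost certainly also have the key" remark) is easy to show in code. The following is an added example, not anything from the thread or the site in question: the same two constructed accounts are stored once with reversible encryption and once as salted PBKDF2 digests. A dump of the encrypted table together with the server-side key (which in a typical deployment sits on the same machine as the database) yields every password; a dump of the hashed table lets the site check a candidate but gives nobody the password itself. The keystream cipher is a toy stand-in for whatever the site might really use; only its reversibility matters here.

```python
import hashlib
import hmac
import os

# ---- reversible storage: toy keystream cipher standing in for "encrypting" ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str):
    nonce = os.urandom(12)
    plaintext = password.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ciphertext


def decrypt_password(key: bytes, nonce: bytes, ciphertext: bytes) -> str:
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode("utf-8")


# ---- one-way storage: salted PBKDF2-HMAC-SHA256 ----
def hash_password(password: str, salt=None):
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Constructed accounts for the illustration.
USERS = {"alice": "correct horse battery", "bob": "hunter2"}


def build_encrypted_table(key: bytes) -> dict:
    return {user: encrypt_password(key, pw) for user, pw in USERS.items()}


def build_hashed_table() -> dict:
    return {user: hash_password(pw) for user, pw in USERS.items()}


def recover_from_dump(encrypted_table: dict, key: bytes) -> dict:
    """What a leaked table plus the server's key gives back: every password."""
    return {user: decrypt_password(key, nonce, ct) for user, (nonce, ct) in encrypted_table.items()}


def site_can_check(hashed_table: dict, user: str, candidate: str) -> bool:
    """All the hashed table supports: confirming or rejecting a candidate."""
    salt, digest = hashed_table[user]
    return verify_password(candidate, salt, digest)


def dump_contains_plaintext(hashed_table: dict) -> bool:
    """True if any stored password appears verbatim in the hashed table."""
    return any(USERS[u].encode("utf-8") in salt + digest for u, (salt, digest) in hashed_table.items())


if __name__ == "__main__":
    key = os.urandom(32)
    print("encrypted table + key ->", recover_from_dump(build_encrypted_table(key), key))
    hashed = build_hashed_table()
    print("hashed table: check bob/hunter2 ->", site_can_check(hashed, "bob", "hunter2"))
    print("hashed table holds plaintext? ->", dump_contains_plaintext(hashed))
```

The salt per user is what keeps the hashed table from being attacked with one precomputed table across all accounts; the slow iteration count is what makes each guess expensive, which is the property the earlier bcrypt/scrypt discussion is about.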

------
martin_
509 - Bandwidth Limit Exceeded ... The power of HN!

------
largesse
Is there some checklist some place that can be used to beat people over the
head with the very basics of security for a user-facing site?

Sort of, "If your developers are doing this today, they are grossly
incompetent and you are putting your business and customers at risk."

~~~
reeses
The OWASP Top Ten is a good start and gets better each year.
[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

~~~
largesse
Thanks!

