Plaintext Password Reminders

There was a public outcry followed by ICO “making enquiries” when Troy Hunt published a post about Tesco’s plaintext password reminders exactly a month ago.

I wanted to use the reference for a text I was writing last week when someone asked me about Companies House online accounts. At that moment I said to myself, wait a second. Companies House sends plaintext reminders as well. How strange. I sent a link to a short post to ComputerWorld. They in turn managed to get a statement from Companies House that includes:

“… although it is [Companies House] certified to the ISO 27001 standard and adheres to the government’s Security Policy Framework, it will carry out a review of its systems in order to establish whether there is a threat to companies’ confidential information.”

It is good to hear that an ISO 27001 certification exists. However, certification only requires that a company manages its systems according to a documented process and that all the documentation is in place. It would not necessarily take the quality of the system implementation into account.

The Companies House password system is a bit more complicated, as you need two passwords: a personal password, which is sent by post to your company's registered address, and a company password, which is emailed. But still:

  1. Neither of the passwords is sent encrypted.
  2. The headers of the reminder emails suggest an open source Perl SMTP module, which may point to an in-house implementation.
  3. The statement from Companies House does not suggest the use of encryption or cryptographic hardware.

My fear is that if there were ever a successful compromise of the Companies House web systems, there is a good chance that attackers would simply dump a database with all the passwords in plain text and disappear without leaving a trace.
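To make that risk concrete, here is an added example (not Companies House code; nothing is known about their actual implementation) contrasting what a plaintext reminder implies about storage with a salted, slow-hashed store that can only verify a password or issue a single-use reset. The class and function names, the company name and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this demo)


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PlaintextStore:
    """What a 'password reminder' e-mail implies: the secret is recoverable."""
    def __init__(self):
        self._passwords = {}

    def register(self, company, password):
        self._passwords[company] = password

    def remind(self, company):
        # This is the reminder mail: the stored password comes straight back.
        return self._passwords[company]

    def dump(self):
        # A database compromise yields every password exactly as entered.
        return dict(self._passwords)


class HashedStore:
    """Salted, slow hash: the site can verify a password but never read it back."""
    def __init__(self):
        self._records = {}       # company -> (salt, derived hash)
        self._reset_tokens = {}  # one-time token -> company

    def register(self, company, password):
        salt = os.urandom(16)
        self._records[company] = (salt, derive(password, salt))

    def verify(self, company, password):
        salt, stored = self._records[company]
        return hmac.compare_digest(stored, derive(password, salt))  # constant time

    def remind(self, company):
        raise LookupError("password is not recoverable; issue a reset instead")

    def issue_reset_token(self, company):
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = company
        return token

    def reset(self, token, new_password):
        company = self._reset_tokens.pop(token)  # single use: second call raises KeyError
        self.register(company, new_password)

    def dump(self):
        # A dump of this store gives an attacker only salts and hashes to attack offline.
        return {c: (s.hex(), h.hex()) for c, (s, h) in self._records.items()}
```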

Personally, I am not that worried about someone looking into my online shopping with Tesco, but having my company's information open to unauthorised changes and non-public information leaked makes me a little bit nervous.