Plaintext Password Reminders

There was a public outcry followed by ICO “making enquiries” when Troy Hunt published a post about Tesco’s plaintext password reminders exactly a month ago.

I wanted to use the reference for a text I was writing last week when someone asked me about online accounts of Companies House. At that moment I said to myself, wait a second. Companies House sends plaintext reminders as well. How strange. I sent a link to a short post to ComputerWorld. They in turn managed to get a statement from Companies House that includes:

“… although it is [Companies House] certified to the ISO 27001 standard and adheres to the government’s Security Policy Framework, it will carry out a review of its systems in order to establish whether there is a threat to companies’ confidential information.”

It is good to hear that an ISO27001 certification exists. However, that requires companies to manage their systems properly and that all the documentation is in place. It would not necessarily take the quality of the system implementation into account.

The Companies House password system is a bit more complicated as you need two passwords. A personal password is sent by post to your company registered address and a company password that is emailed. But still:

  1. Neither of the passwords is sent encrypted.
  2. When you look at headers of reminder emails they suggest use of an open source SMTP Perl plugin that may suggest in-house implementation.
  3. The statement from Companies House does not suggest use of encryption of cryptographic hardware.

My fear is that if there were ever a successful attempt to compromise the Companies House web, there is a good chance that attackers would just dump a database with all the passwords in plain text and disappear without leaving a trace.

Personally, I am not that much worried about someone looking into my online shoppings with Tesco but having my company’s information open to unauthorised changes and non-public information leaked makes me a little bit nervous.

About Dan Cvrcek

I got my PhD and associate professorship from Brno University of Technology. I was a post-doctoral researcher at the Computer Lab in 2003-2004 and 2007-2008 (almost 3 years combined). I then thought it might be worth having a look at the real world and joined Deloitte. I analysed payment systems, card issuance system, key management in Barclays, Barclaycard, and some more banks. Myself, Petr Svenda and David Gudjonsson founded Enigma Bridge in 2015 - we built a cloud encryption service based on secure hardware.

7 thoughts on “Plaintext Password Reminders

  1. Typical mentality I’m afraid. I’m sounding off.

    ISO 27001, PCI, CESG etc Certified, is tick box exercise in some companies, masking the underlying frailties in management thinking and communication. There is a lot of snobbery in some circles around technical knowledge, and involving the right (or correct) abilities in projects to ensure plain-text or simple problems like this never get on-line. Or risks are accepted and “that will never happen to us” etc excuses. I know none of the facts of course, pure speculation, but it smells of the typical arrogance and ignorance of said mentality.

    For example, a simple traceroute from the executives/civil servant/service provider key partner laptop, would open their eyes (with appropriate explanation) to where information in the clear travels, anyone of the IP address is storing, forwarding information (and whatever else is in between), or our plain text password in this case.

    For the amount of “enhanced” security to prevent identity theft on the Companies House Website, this is ironic. Having said that these types of issues are sure to increase with the cut-back mentality that prevails….

    I waffle one. Disgruntled, but honest.

  2. Given that everything that can be done on the company house website could be done by sending in paper forms with no real checks made, I don’t think the risk has increased. However I wish they would use the government gateway, so I did not have to have yet another password.

    I can’t recall if they prompted me to change the password at any point of the registration process. It is a real pain of a website to remember the passwords for, as I have to log in once a year.

    1. There are some differences between electronic access and posting printed and signed forms. I think they can be grouped around two aspects:
      a. existence of physical evidence that can be used in possible disputes; and
      b. use of electronic access to automate unauthorised access to the system.

      Particular issues would include:
      1. sending printed documents is fairly difficult to automate;
      2. if there is a dispute, signatures can be verified; and
      3. it is not possible to anonymously obtain private information from Companies House using Royal Mail but easy with a stolen password.

  3. Just wish to say your article is as astonishing.
    The clearness in your post is just excellent and i could assume
    you are an expert on this subject. Fine with your permission allow me to grab your
    feed to keep updated with forthcoming post. Thanks a million and please continue the enjoyable work.

Leave a Reply

Your email address will not be published. Required fields are marked *