When a prospective job applicant forgot his password for GCHQ, one of the UK’s top national security agencies, he was shocked to get a plain text reminder of it. He has since blogged about the password security experience, including how his emails to the agency alerting them to the problems have gone unanswered.
Dan Farrall submitted a password reminder request through GCHQ’s website and received an email containing his password in plain text, along with a note that the username is the email address he had used. Farrall emailed the recruitment officer pointing out the security flaw in sending plain text password reminders. After two months he had still not received any reply, and the GCHQ website was still sending out plain text passwords.
Farrall and others have pointed out the potential risk of having plain text passwords for sites where data such as names, addresses, and even passport information may be transmitted. When companies store passwords in plain text, they risk customer data being stolen and easily used.
Plain text password storage can be a big problem for companies and individuals, with the risk being similar to having every password written out on paper.
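The following is an added example, not code from the original post or from GCHQ’s site: it shows why a reminder email like the one Farrall received is only possible when the site keeps the password itself, and what a site that stores a salted slow hash does instead (a single-use reset token). Email addresses, passwords and the scrypt parameters are constructed for illustration.

```python
# Added example (standard library only): plain-text storage as described in
# the post, beside salted scrypt storage plus a reset-token flow.
import hashlib
import hmac
import secrets

plain_store = {}    # the practice in the post: password kept as typed
hashed_store = {}   # the fix: email -> (salt, scrypt digest)
reset_tokens = {}   # email -> sha256 of an outstanding single-use token

def register_plain(email, password):
    plain_store[email] = password

def remind_plain(email):
    # What the applicant received: the password itself, in clear text.
    return f"Your username is {email} and your password is {plain_store[email]}"

def _kdf(password, salt):
    # Memory-hard KDF; parameters are illustrative, tune to your hardware.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register_hashed(email, password):
    salt = secrets.token_bytes(16)
    hashed_store[email] = (salt, _kdf(password, salt))

def verify_hashed(email, password):
    salt, digest = hashed_store[email]
    return hmac.compare_digest(digest, _kdf(password, salt))

def issue_reset_token(email):
    # The site holds only salt + digest, so it cannot mail the password back;
    # a forgotten password is handled with a random, single-use token instead.
    token = secrets.token_urlsafe(32)
    reset_tokens[email] = hashlib.sha256(token.encode()).digest()
    return token  # sent to the user; only its hash stays on the server

def reset_with_token(email, token, new_password):
    expected = reset_tokens.get(email)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(expected, presented):
        return False
    del reset_tokens[email]          # single use
    register_hashed(email, new_password)
    return True
```

With the hashed store, a database leak yields only salts and digests, and a reminder request can never reveal the password, because the server no longer has it.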
One way of preventing password theft as a user is to properly destroy anything with your password on it. This includes shredding sensitive documents and computer data. Assured Security Shredding can make this an easy process with regular collection services.
Image in this post from danfarrall.com