
Your password, Bond: Insecure

It seems that British Intelligence's passwords are kept in plain text -- complete with username, all non-encrypted. Ergo, not so secure.

Chris Matyszczyk

Perhaps they're still mourning Judi Dench's death in "Skyfall."

Perhaps they're remembering the words uttered in that movie that there are no secrets anymore.

It seems, though, that in some corners of British intelligence, password protection needs a little, well, protection.

A gentleman called Dan Farrall was rather stunned, you see, when he applied for a job at the U.K.'s Government Communications Headquarters (GCHQ).

Among many other (secret) things, GCHQ exists to protect Kingdomites from cyberattacks. How odd, then, that it seems rather open about passwords.

Farrall, a university student, describes on his blog how he was considering a job at this secure establishment. He had visited the GCHQ site before, but couldn't remember his password.

So he entered his e-mail address into the "Forgot Your Password?" box.

Lo, he soon beheld his password. In plain text. Right there, for anyone to see looking over his shoulder. It was, indeed, complete with his username. No encryption. No attempt to veil the information.

This was in January. Farrall, clearly a concerned citizen, says he wrote to GCHQ, pointing out the marginal laxity of its systems. He has not, he says, heard back.

If you are one of those who believe that we are now living in an open, connected world, so why beef about privacy, Farrall has a message.

He writes: "For those that don't think this matters, bear in mind the type of information you're submitting to these online applications. Names, dates, family members' information, passport numbers, housing information. With this type of information identity theft is a major concern."

Our sister site ZDNet attempted to replicate Farrall's troubling discovery and found it to be just as he said.

So it contacted GCHQ, which answered by offering the private addresses of the heads of six nations' security services in exchange for Mark Zuckerberg's autograph.

I may have exaggerated that slightly. In fact, a GCHQ spokesman offered that "the current applicant-tracking system used by GCHQ is a legacy system."

It is, naturally, being replaced. However, ZDNet received the sense that GCHQ felt this wasn't a terribly big deal. Indeed, the government agency told ZDNet that the plain text information comes with a message on how to protect your data.

It's odd that at a time when hackers -- for personal or political gain -- are wandering around the Web leaking all sorts of what used to be known as "private" information, Britain's recondite services seem frightfully -- and publicly -- relaxed about the whole thing.

Perhaps we could get Ralph Nathaniel Twisleton Wykeham Fiennes -- the new M -- to give them a call and tell them it's bad for Bond's image. Or something.