The ATO stores passwords in plain text. I know this because they emailed me my password after I forgot it. Storing passwords in plain text is straight up bad security, a threat to Australian residents who are required by law to interact with the ATO, and easily avoided. When I complained, they appeared ignorant of the problem; in fact, they gave a hilariously misinformed justification of why their process is acceptable, managing to miss the point entirely.
The ATO Publications Ordering Service (POS) is the service you need to use to get paper copies of various tax forms. Many individuals won’t need to interact with it (you don’t need it for e-tax) but if you file a tax return for a company or trust, this is where you get the forms. You’re directed to the POS from the ATO’s website. For some reason it doesn’t have a .gov.au domain, but it does bear our government’s name, coat of arms, and copyright assertion. It’s apparently run from “commercial web hosting facilities”.
The POS requires creation of an account before you can order documents, authenticated by an email address and a password. I forgot my password, entered my email address into the password recovery form, and was shocked to receive this email:
The two blanked-out pieces of content are the email address I was using and my password.
In order to be able to send me this email, the POS must store my password in plain text, or at best with reversible encryption and associated keys.
Why storing plain-text passwords is bad
Storing plain-text passwords is bad because storing a password makes it possible for someone to access it. Who? I certainly don’t know for sure, but people who might have some opportunity to access these passwords include POS technical staff, the contractor/s who developed this POS, administrators of the system on which the POS runs, and administrators at the commercial hosting provider. And, of course, attackers who might attempt to gain unauthorised access to such a gold mine, perhaps through someone who already has access. And anyone who gains access to or intercepts a password recovery email, sent unencrypted over the public Internet to an unfortunate POS user.
Storing plain-text passwords is unnecessary. For decades now, the only acceptable means of storing a password has been to store a hash of the password, not the original password. A hash is the result of a simple mathematical operation over a string of characters. As an over-simplified example, for a password comprising only letters, you could map each letter of the alphabet to a number (A -> 1, B -> 2, etc), then add all the numbers up to a single total, which you store. When a user attempts to log in, you perform the same arithmetic on the password that they provide, and if the totals match, you let them log in. You don’t need to compare the password they provide with the original password, and if some malicious agent does gain access to the stored hashes, seeing that my password hash is, say, 193, doesn’t reveal the original password. (Note: modern hashing algorithms are much more sophisticated, and the chance of finding a password that produces the same hash value as the original is near enough to zero).
Again, hashing has been the only acceptable means of password storage for decades. Hashing alone still has significant weaknesses and there are many techniques for making it harder to recover original passwords from stored hashes, should someone gain access to them. Storing passwords in plain text should be criminal negligence.
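To make the difference concrete, here is an added example (not part of the original post, and not the ATO's code) that puts the over-simplified letter-sum hash described above beside a uniquely salted, deliberately slow hash. The function names, the record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
ITERATIONS = 600_000


def toy_sum_hash(password: str) -> int:
    """The article's over-simplified hash: A -> 1, B -> 2, ..., summed."""
    return sum(ord(c) - ord("A") + 1 for c in password.upper() if "A" <= c <= "Z")


def hash_password(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(16)  # unique per user, so equal passwords differ in storage
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the login attempt and compare in constant time."""
    _algo, iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    # Anagrams collide under the toy hash, which is why it is only a teaching aid.
    print(toy_sum_hash("LISTEN"), toy_sum_hash("SILENT"))
    record = hash_password("correct horse battery staple")
    print(record)  # contains the salt and derived key, never the password
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

A service that stores only such records cannot email a forgotten password back to the user; recovery has to go through a reset instead.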
The ATO is clueless
So I complained (you can too). I explained the problem and gave references to hashing and related solutions. I received a call from a governance officer who, being non-technical, naturally didn’t quite grasp what I was complaining about, but offered to get a response from someone technical. I received that response a few days later.
Sending passwords in plain-text email is not one of the most commonly adopted methods of password recovery among services with any respect for their users’ security. This response (from the “technical area”, remember) also contains the stunningly false statement:
if the password email is intercepted, still they don’t know the userid and the website address so they can’t figure out where the password is going to be used
Well. The “From:” address in the password recovery email is firstname.lastname@example.org. You can see it in my first screenshot. This pretty obviously names the service where the password should be used.
The “To:” address is the email address to use as a login name. I blanked it out above.
The password is obviously the password.
So the recovery email is a complete key of where and how to log in. That someone “technical” offered this in response to my complaint is really, really scary.
And also misses the point entirely. I’m not complaining about sending my password in email, I’m complaining about storing it in plain-text at all, ever! I think I confused them by pointing out that their recovery email is how I know they’re storing the password.
It’s a serious threat
OK, big deal, who cares about the security of a service for ordering free tax documents? It’s likely, though I’m not sure, that the POS is hosted separately to any other ATO services, does not share a database with them, and thus the passwords are only useful for ordering documents. Except… that’s not how people work.
Some 60% of consumers reportedly re-use passwords. Even the minority who try to reduce re-use still probably have a small number of “strong” passwords that they use with trustworthy entities like their banks. Or governments. Oops. And even someone who tries really hard and uses a unique password for each entity they interact with would still likely use the same password for the government-branded POS as they do for other ATO services, like their AusKey.
Storing someone’s password in plain text threatens their security with other services, not just your own. It could be the credential to any amount of private information. It could be the first link for an attacker to bootstrap up to a complete identity theft. It’s no good blaming the user for re-using their password; it’s well known that people do. There are easy and secure alternatives to storing plain-text passwords and no excuses for not using them. That my government is so reckless with its taxpayers’ security just leaves me speechless. I mean seriously, can they be trusted to accept tax returns over the Internet?
Please complain to the ATO. Please don’t re-use passwords, not even with your government. Especially not with your government.
Update: Thanks to Daniel Black, who commented below with a reference to the Australian Government Security Manual, which states “Agencies must ensure usernames and passwords stored in databases are hashed with a strong hashing algorithm which is uniquely salted”. I don’t know if this applies to non-defence agencies, but it should!
Another update: Looks like this post will effect some change, at least to this service: SC Magazine.