The Australian Taxation Office stores passwords in plain text

The ATO stores passwords in plain text. I know this because they emailed me my password after I forgot it. Storing passwords in plain text is straight up bad security, a threat to Australian residents who are required by law to interact with the ATO, and easily avoided. When I complained, they appeared ignorant of the problem; in fact, they gave a hilariously misinformed justification of why their process is acceptable, managing to miss the point entirely.

The details

The ATO Publications Ordering Service (POS) is the service you need to use to get paper copies of various tax forms. Many individuals won’t need to interact with it (you don’t need it for e-tax) but if you file a tax return for a company or trust, this is where you get the forms. You’re directed to the POS from the ATO’s website. For some reason it doesn’t have a .gov.au domain, but it does bear our government’s name, coat of arms, and copyright assertion. It’s apparently run from “commercial web hosting facilities”.

The POS requires creation of an account before you can order documents, authenticated by an email address and a password. I forgot my password, entered my email address into the password recovery form, and was shocked to receive this email:

ATO POS password recovery email

The two blanked-out pieces of content are the email address I was using and my password.

In order to be able to send me this email, the POS must store my password in plain text, or at best with reversible encryption and associated keys.

Why storing plain-text passwords is bad

Storing plain-text passwords is bad because storing a password makes it possible for someone to access it. Who? I certainly don’t know for sure, but people who might have some opportunity to access these passwords include POS technical staff, the contractor or contractors who developed this POS, administrators of the system on which the POS runs, and administrators at the commercial hosting provider. And, of course, attackers who might attempt to gain unauthorised access to such a gold mine, perhaps through someone who already has access. And anyone who gains access to or intercepts a password recovery email, sent unencrypted over the public Internet to an unfortunate POS user.

Storing plain-text passwords is unnecessary. For decades now, the only acceptable means of storing a password has been to store a hash of the password, not the original password. A hash is the result of a simple mathematical operation over a string of characters. As an over-simplified example, for a password comprising only letters, you could map each letter of the alphabet to a number (A -> 1, B -> 2, etc), then add all the numbers up to a single total, which you store. When a user attempts to log in, you perform the same arithmetic on the password that they provide, and if the totals match, you let them log in. You don’t need to compare the password they provide with the original password, and if some malicious agent does gain access to the stored hashes, seeing that my password hash is, say, 193, doesn’t reveal the original password. (Note: modern hashing algorithms are much more sophisticated, and the chance of finding a password that produces the same hash value as the original is near enough to zero).

Again, hashing has been the only acceptable means of password storage for decades. Hashing alone still has significant weaknesses and there are many techniques for making it harder to recover original passwords from stored hashes, should someone gain access to them. Storing passwords in plain text should be criminal negligence.
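To make the two previous paragraphs concrete, here is an added example (not code from the post or from the ATO's service) that implements the toy letter-sum hash described above, shows why it is only an illustration (anagrams collide), and then stores and verifies a password the way the post recommends: a per-user random salt plus a strong, slow hash (PBKDF2-HMAC-SHA256 from Python's standard library), so the stored record can verify a login but cannot be turned back into the password for a recovery email.

```python
import hashlib
import hmac
import os

# The post's over-simplified hash: A -> 1, B -> 2, ... summed into one total.
def letter_sum(password: str) -> int:
    return sum(ord(c) - ord("a") + 1 for c in password.lower() if c.isalpha())

# Weakness of the toy hash: any two strings with the same letters collide,
# so a stored total does not uniquely identify one password.
def toy_collides(a: str, b: str) -> bool:
    return letter_sum(a) == letter_sum(b)

# Realistic storage: unique random salt per user, many iterations of a
# strong hash. Iteration count is a constructed value for the example.
ITERATIONS = 200_000

def make_record(password: str, salt: bytes = b"") -> dict:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Only salt, parameters and digest are stored; the password itself is not.
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    record = make_record("hunter2")  # constructed sample password
    print(record)                     # no plaintext anywhere in the record
    print(verify("hunter2", record), verify("Hunter2", record))
```

Because each user gets a fresh salt, two users who choose the same password still get different stored hashes, which is the point of "uniquely salted" in the ISM control quoted later on this page.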

The ATO is clueless

So I complained (you can too). I explained the problem and gave references to hashing and related solutions. I received a call from a governance officer who, being non-technical, naturally didn’t quite grasp what I was complaining about, but offered to get a response from someone technical. I received that response a few days later.

Sending passwords in plain-text email is not one of the most commonly adopted methods of password recovery among services with any respect for their users’ security. This response (from the “technical area”, remember) also contains the stunningly false statement

if the password email is intercepted, still they don’t know the userid and the website address so they can’t figure out where the password is going to be used

Well. The “From:” address in the password recovery email is atopos@iorder.com.au. You can see it in my first screenshot. This pretty obviously names the service where the password should be used.

The “To:” address is the email address to use as a login name. I blanked it out above.

The password is obviously the password.

So the recovery email is a complete key of where and how to log in. That someone “technical” offered this in response to my complaint is really, really scary.

And also misses the point entirely. I’m not complaining about sending my password in email, I’m complaining about storing it in plain-text at all, ever! I think I confused them by pointing out that their recovery email is how I know they’re storing the password.

It’s a serious threat

OK, big deal, who cares about the security of a service for ordering free tax documents. It’s likely, though I’m not sure, that the POS is hosted separately to any other ATO services, does not share a database with them, and thus the passwords are only useful for ordering documents. Except… that’s not how people work.

Some 60% of consumers reportedly re-use passwords. Even the minority who try to reduce re-use still probably have a small number of “strong” passwords that they use with trustworthy entities like their banks. Or governments. Oops. And even someone who tries really hard and uses a unique password for each entity they interact with would still likely use the same password for the government-branded POS as they do for other ATO services, like their AusKey.

Storing someone’s password in plain text threatens their security with other services, not just your own. It could be the credential to any amount of private information. It could be the first link for an attacker to bootstrap up to a complete identity theft. It’s no good blaming the user for re-using their password; it’s well known that people do. There are easy and secure alternatives to storing plain-text passwords and no excuses for not using them. That my government is so reckless with its taxpayers’ security just leaves me speechless. I mean seriously, can they be trusted to accept tax returns over the Internet?

Please complain to the ATO. Please don’t re-use passwords, not even with your government. Especially not with your government.

Update: Thanks to Daniel Black, who commented below with a reference to the Australian Government Information Security Manual, which states “Agencies must ensure usernames and passwords stored in databases are hashed with a strong hashing algorithm which is uniquely salted”. I don’t know if this applies to non-defence agencies, but it should!

Another update: Looks like this post will effect some change, at least to this service: SC Magazine.

26 Thoughts on “The Australian Taxation Office stores passwords in plain text”

  1. Ew, I have an account on that site. I find it amazing that these kinds of systems can even exist.

  2. Someone should lose their job over this. Preferably someone in a suit who works in Canberra.

  3. Jay Whiting on February 27, 2013 at 5:03 pm said:

    Complaint time!

    Really, they need to rebuild their website services from the ground up.

  4. It gets even worse elsewhere: http://imgur.com/92kLgMZ

  5. Dermott Banana on February 27, 2013 at 10:35 pm said:

    Having worked for the ATO, and had a spouse who still works in their IT area, this does not surprise me in the least. What does surprise me is they thought to have a system that requires something as technical as a password.

  6. You can improve on the hashing by making the username part of the hash as well, and/or with some other site-specific randomness. This stops people searching the hashed value against hashes of dictionary words. e.g.: http://www.md5-hash.com/md5-hashing-decrypt/c7a6002549b0ff54324ecce62cd9ab6d

  7. Jim Soho on February 28, 2013 at 9:23 am said:

    Yes, this is extremely bad behaviour by the ATO. Passwords should be stored using at least SHA512 or bcrypt with high cost value, and of course using salts (different per user). Passwords should never be mailed.

    I cannot prove it, but for years I have had the feeling banks in Australia and several in the US also store password details unencrypted and unhashed. The way their websites are built just gives me no confidence at all.

    But us consumers should be educated as well. Never assume any service does this right. If you as a consumer re-use a password at several sites you’re just asking for it. So don’t do it. Use password tools to help manage this. I don’t know any of my passwords on any site; they’re all unreadable with lengths over 20 characters.

    Unfortunately all my defences won’t help in this case. Anyone can go to the ATO POS site, enter my email address to request password, intercept my email, and take over my ATO POS account. Thank you ATO.

    • Rowan Crowe on February 28, 2013 at 5:05 pm said:

      I’ve just realised that my bank – Westpac – most likely does store online banking passwords in clear text form. Why? Some time ago they moved from a standard password field to a click-to-type form. My password, which I chose before the change, has both upper and lower case letters, but the click-to-type form only enters capitals. It still worked just fine after the change. So unless they’re using some sort of mild brute force algorithm to try all possible case combinations of the hash of the entered password vs the stored hash, it is just a simple check for entered_pass = UCASE(stored_cleartext_pass)

      Light above head moment, followed by a facepalm.

    • Chris O on March 1, 2013 at 8:53 am said:

      @Rowan – or they just do:

      SHA(UCASE(entered_pass)) = SHA(UCASE(stored_cleartext_pass))

      Which is still reducing the uniqueness of your password, but not as badly as you fear.

      Still, Aussie banks have terrible password policies: maximum length of about 8 (although NAB recently increased this) and not allowing symbols (how else would their click-to-type systems work?).

    • Chris O on March 1, 2013 at 8:54 am said:

      Err, stuffed up my copy paste. Of course I meant:

      SHA(UCASE(entered_pass)) = stored_sha_ucase_password

    • I know GE Money use plaintext passwords, because I had a woman read mine out to me over the phone once. I was understandably not impressed.

    • Alex on March 1, 2013 at 5:58 pm said:

      Yeah, this sure made me glad I’d used a unique password here (different even to my other ATO passwords). It took me a while to recognise it as a password in the email.

  8. They may use symmetric-keys to encrypt which allows you to reverse out the password but not store it in plain text. Not defending them just saying I’d look further before assuming too much.

  9. Daniel Black on February 28, 2013 at 3:19 pm said:

    http://dsd.gov.au/publications/Information_Security_Manual_2012_Controls.pdf?&updatedNov12

    Control: 1252; Revision: 0; Updated: Sep-12; Applicability: G, P, C, S, TS; Compliance: must; Authority: AH
    Agencies must ensure usernames and passwords stored in databases are hashed with a strong hashing algorithm which is uniquely salted.

    • Alex on March 1, 2013 at 6:00 pm said:

      Thanks Daniel! I went looking for some regulation like this but couldn’t find anything.

  10. TPG also sends you passwords via SMS if you’ve forgotten them…

  11. You can’t tell whether they store your passwords as open text, because you don’t have access to their infrastructure. It could be a key vault server which contains keys to decrypt your password before sending it back to you.

  12. @lolwat, that misses the point completely. You can have the best decryption methods known to man but at the end of the day you’re sending an unencrypted password out over email. That’s like having a state-of-the-art home security system and leaving your front door open.

    Anyway, as someone who’s worked as a contractor for Aus gov websites this does not surprise me at all and I seriously doubt they’re using a password encryption vault. These organisations simply don’t care about security. Some of the code is ancient and full of security holes. Ironically, the reason things aren’t upgraded is due to “security and stability” reasons according to management.

    Foxtel also store your passwords in plain text. I complained recently about it and they fobbed me off with the standard “we take our customers security seriously” email which is a bit disingenuous to say the least.

  13. I have encountered a number of sites (fortunately not representing the Australian government) which, when you register, send you an email showing your login and password in plaintext.

    When I pointed out how insecure this was, and asked them to fix it, they didn’t seem at all concerned. They were performing a “service”, providing this information.

    And when you change your password to avoid this? They send you that, too. :(

    • I can trump this. At Sydney Uni, when you sign up for the workplace health and safety course, you have to make an account. They respond with an email including your username, password in plain text, and cc’ed to your direct manager/supervisor… with no warning that this will happen.
      The data isn’t particularly personal, but they didn’t seem to understand my arguments about password reuse, and the possibility of a password like “mySupervisorSmells” not looking so good…

  14. I am gob-smacked at the various security oversights many large corporations have with passwords AND Credit Card storage! It’s astounding! We all talk about being PCI compliant and how it requires $40k+ to be ‘certified’, but there is a plethora of conglomerates out there ripe for any hacker to break through and steal sensitive information.

    I often hear that it is because of ‘legacy systems’, but surely MD5/SHA + salting has been around for some time?

    I use LastPass for my password generation because I am aware that many companies do not hash passwords and for that reason I refuse to use the same password across multiple sites.

    Do you use OnePass Alex?

  15. Daniel Black on May 19, 2013 at 2:34 pm said:

    Well done on generating a result from a blog post. ISM definitely applies to non-defence. From applicability in the start of the manual:

    Applicability
    This manual applies to:
    • Australian government agencies that are subject to the Financial Management and Accountability Act 1997
    • bodies that are subject to the Commonwealth Authorities and Companies Act 1997 and that have received notice in accordance with that Act that the ISM applies to them as a general policy of the Government
    • other bodies established for a public purpose under the law of the Commonwealth and other Australian government agencies, where the body or agency has received a notice from their Portfolio Minister that the ISM applies to them
    • state and territory agencies that implement the Australian Government Protective Security Policy Framework
    • organisations that have entered a Deed of Agreement with the Government to have access to sensitive or classified information

  16. Daniel Black on May 19, 2013 at 2:46 pm said:

    Of course there are better things than just salts and hashes, http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html http://codahale.com/how-to-safely-store-a-password/

    And the policy of hashing/salting a username is just dumb. Imagine iterating over an entire ATO database of users, doing a hash just to see if the user name is right even before checking the password.

  17. Wow, that’s bad
