Horst Herb wrote:
> http://smh.com.au/news/technology/police-secret-password-blunder/2006/04/05/1143916566038.html
>
> The point they completely miss in this unbelievable display of incompetence is
> that such passwords never should be stored in cleartext in the first place -
> in this case a hash of username+password should have been all they needed
> and all they needed to store too.
>
> Probably doesn't surprise anybody anyway that this happened.
Yes, an unfortunate stuff-up by Mr Plod. However I would make a few observations about this:

1) NSW Police is not HeSA and to equate the two as you do in your message subject line is not sensible. They aren't even in the same tier of government.

2) The passwords involved were passwords to an Internet email list to which journos subscribe to get press releases on the latest Sydney gangland shootings and news of other transgressions of the Thin Blue Line.

3) Although storage of passwords as salted hashes is indeed best practice, very many Internet mailing list manager suites do, in fact, store plaintext passwords, so that they can send reminders to subscribers when they forget their password. Indeed, the Mailman mailing list manager which runs this very list (GPCG_TALK) on the ozdocit.org server does exactly that - see http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk - near the bottom of the page it offers to send you a password reminder, which is sent as plaintext - thus Mailman must store the passwords as plain text (or in a form which can be transformed back to plaintext, which is not much better). Indeed, in 2004 the Mailman suite was found to suffer from a major security hole which allowed subscribers' plaintext passwords to be retrieved by unauthorised persons by sending a carefully crafted message - see http://secunia.com/advisories/11701/ - this vulnerability has been closed and I am sure it is not present in the copy of Mailman used to run ozdocit.org - but it is unwise to engage in too much schadenfreude over this sort of slip-up - there but for the grace of deity-of-your-choice go you.

4) The real moral of the story is NEVER, EVER re-use important passwords (eg as used for clinical info systems or for the networks on which they are hosted etc, or for electronic banking etc) for other purposes, such as mailing lists.

If you do re-use a password, then you must realise that the security of all the services and facilities for which you have used that password is no better than the least secure of any of those facilities or services, and the probability that one of those facilities or services will stuff up and reveal your password is the *sum* of the probabilities that each one will stuff up in any given time period.

Tim C

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
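An added illustration of the two points in the thread (salted hashes instead of the plaintext a "send me my password" reminder needs, and the exposure created by re-using one password across several services); this is editor-supplied example code, not anything from Mailman, NSW Police or the list software. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the concrete "salted hash", and constructed per-service leak probabilities for the reuse calculation.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Stored record format (assumption for this example): algorithm$iterations$salt$hash.
# The per-user random salt plays the role Horst's "hash of username+password" was after:
# two subscribers with the same password get different records.
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return a self-describing salted hash record. Nothing in it can be turned back into the password,
    which is exactly why a plaintext 'password reminder' e-mail cannot be generated from it."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def reuse_exposure(per_service_leak_probability: List[float]) -> float:
    """Probability that at least one service holding a re-used password leaks it in a period.
    Exact form is 1 - prod(1 - p_i); for small p_i this is close to the plain sum of the p_i."""
    p_none_leak = 1.0
    for p in per_service_leak_probability:
        p_none_leak *= 1.0 - p
    return 1.0 - p_none_leak


if __name__ == "__main__":
    rec = hash_password("list-only-password")
    print(rec)
    print(verify_password("list-only-password", rec), verify_password("guess", rec))
    # Constructed figures: a bank, a clinical system and a mailing list sharing one password.
    print(round(reuse_exposure([0.01, 0.05, 0.2]), 4))
```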
