10 November 2011

News Limited and security of your passwords

News Limited has had a lot of problems this year, and I predict that there is plenty of potential for more.

One cause may well be the fact that it stores its subscribers' passwords in the clear, rather than hashing them or using other techniques to ensure that a stolen username and password database does not reveal the passwords themselves.

How do I know? I recently signed up for a trial subscription with The Australian newspaper. After signing up, they very “helpfully” sent me an email with my password in it!

So:

  1. my password is stored as plaintext on their system; and
  2. it was emailed in plaintext across insecure systems (the internet).

These are clear security threats. To quote Hitachi ID Systems, Inc.:

Security threats

Passwords are simply secret words or phrases. They can be compromised in many ways:

  • Users may write them down or share them, so that they are no longer really secret.
  • Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
  • Passwords may be transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext.
  • Passwords may be stored on a workstation, server or backup media in plaintext or encoded in a way which can be readily converted back to plaintext.

The moral of this story? Don’t give News Limited any personal information that you don’t have to, and don’t use your News Limited password on any other site or system.
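As an added illustration (example code written for this post, not anything from News Limited's systems), the difference between the plaintext storage that welcome email implies and a salted, iterated hash: with the hashed record a site can check a login attempt, but it has nothing to put in an email. The iteration count and salt size are assumed values for the example.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions for this example); a real deployment
# tunes the iteration count to its own hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password_plaintext(password: str) -> dict:
    """What a 'here is your password' email implies: the secret itself is kept."""
    return {"password": password}


def store_password_hashed(password: str) -> dict:
    """Keep only a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the digest for the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def can_email_password(record: dict) -> bool:
    """True only if the stored record still contains the plaintext secret."""
    return "password" in record


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    secret = "trial-subscription-pw"
    plain = store_password_plaintext(secret)
    hashed = store_password_hashed(secret)
    print("plaintext record can be emailed:", can_email_password(plain))   # True
    print("hashed record can be emailed:   ", can_email_password(hashed))  # False
    print("hashed record still verifies:   ", verify_password(hashed, secret))  # True
```

Two users with the same password get different records because each has its own salt, so a stolen table cannot be matched against a precomputed list of digests either.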

© 2011 Andrew Calvin