Kitz ADSL Broadband Information
Author Topic: Companies House - worst ever security?  (Read 5488 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Companies House - worst ever security?
« on: October 02, 2012, 01:45:29 PM »

I started the process of registering a company a few days ago, then decided it was better left till I was sober.  But I'd got as far as registering a user name and password.

Shortly afterwards I receive a plain text email, thanking me for registering, and confirming my email address and chosen password, all in plain text.

Unbelievable :wall:
« Last Edit: October 02, 2012, 01:50:42 PM by sevenlayermuddle »

roseway

  • Administrator
  • Senior Kitizen
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: Companies House - worst ever security?
« Reply #1 on: October 02, 2012, 02:37:28 PM »

Incredible isn't it? This is common when you register with a web forum or something similar, but I would like to think that business registration would be subject to rather tighter security.
  Eric

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: Companies House - worst ever security?
« Reply #2 on: October 02, 2012, 03:05:49 PM »

Incredible isn't it? This is common when you register with a web forum or something similar, but I would like to think that business registration would be subject to rather tighter security.

Indeed, I had a similar complaint regarding PC World  a few weeks ago.  But given all of our expectations of that organisation, it was hardly that surprising.

You expect better from a .gov.uk website!

hake

  • Reg Member
  • ***
  • Posts: 296
  • Owzat! On ya way, back to the pavilion!
Re: Companies House - worst ever security?
« Reply #3 on: October 02, 2012, 04:44:16 PM »

I don't.  Sounds like par for the course with HMG IT.  It's absolutely disgraceful that the state sets such an appallingly bad example.
Windows XP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: Companies House - worst ever security?
« Reply #4 on: October 02, 2012, 07:01:34 PM »

In fact it looks like I've missed the boat a bit, as this story broke a few weeks ago.  There are several links to be found to:

http://www.my-scrib.com/corporate-id-theft-companies-house/

Actually though, I think the authors of that story may have missed the point slightly.  The 'second password', as they call it, actually appears to be an 'authentication code' that is invented by Companies House, and which is used together with the password.  But whilst it is posted in plain text by paper post to the registered office, at least the envelope is, I assume, sealed.

In contrast, the email portion which contains the user's chosen password is somewhat akin to sending an open postcard, as opposed to a sealed letter.  And if you use that password for any other websites, then they too are immediately compromised by the Companies House email.

kitz

  • Administrator
  • Senior Kitizen
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Companies House - worst ever security?
« Reply #5 on: October 02, 2012, 08:50:38 PM »

I agree it does seem poor practice  :(

This is common when you register with a web forum or something similar, but I would like to think that business registration would be subject to rather tighter security.

I'm not 100% certain on this, but I don't think SMF sends out passwords in plain text; it relies on the member remembering the password they chose.  If you've forgotten it, it's a full reset of password, rather than sending a reminder email.

Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

roseway

  • Administrator
  • Senior Kitizen
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: Companies House - worst ever security?
« Reply #6 on: October 02, 2012, 10:48:49 PM »

I'm not 100% certain on this, but I don't think SMF sends out passwords in plain text; it relies on the member remembering the password they chose.  If you've forgotten it, it's a full reset of password, rather than sending a reminder email.

I don't think it applies to SMF, but a lot of forums and commercial sites do send plain text emails to new members, with the password in plain view. Of course they shouldn't really hold a plain text version of the password at all, which is why they have to generate a new one if a member forgets their password. The forum should only hold an encrypted copy of the password, and I'm fairly sure that's what SMF does.
  Eric

kitz

  • Administrator
  • Senior Kitizen
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Companies House - worst ever security?
« Reply #7 on: October 03, 2012, 12:12:43 AM »

I think you're correct, Eric :)
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: Companies House - worst ever security?
« Reply #8 on: October 03, 2012, 02:11:27 AM »

I seem to recall some forums and other websites sending me a temporary computer-generated password initially, which implicitly allows them to validate my email address as part of registration.

That is just about acceptable as I regard the temporary password as 'theirs', and they are responsible for the security of their own registration process.  If users wish to have secure access, they simply change that temporary password before using the service for anything they care about.

But I am at a loss to understand why Companies House emailed my password at all; doing so served no purpose that I can see, and it was of course my chosen 'permanent' password, not a temporary one.

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Companies House - worst ever security?
« Reply #9 on: August 31, 2013, 09:47:27 AM »

Whilst I don't think sending a password in an email is the end of the world, the underlying factor behind it is more worrying.

Generally, if a system is able to tell you your existing password, it means it's 'stored' unencrypted.  That to me is the much bigger concern.
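The thread's point, from roseway's post onwards, is that a site which can put your password into an email must be holding it in a readable form, and that the correct design is to keep only a hash and to handle "forgotten password" with a fresh reset rather than a reminder. The following is an added illustration of that design, written for this page; it is not code from Companies House, SMF or any poster. Class and method names, the PBKDF2 work factor and the 15-minute token lifetime are assumptions chosen for the example.

```python
"""Added example: an account store that keeps only a salted PBKDF2 hash
(so the site has nothing it could email back) plus a one-time reset-token
flow instead of a password reminder.  All names here are hypothetical."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor (assumed; tune to hardware)
RESET_TTL = 15 * 60    # reset tokens expire after 15 minutes (assumed policy)


class AccountStore:
    def __init__(self) -> None:
        self._accounts = {}       # email -> {"salt": bytes, "hash": bytes}
        self._reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # One-way: the stored value cannot be turned back into the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, email: str, password: str) -> str:
        salt = secrets.token_bytes(16)
        self._accounts[email] = {"salt": salt, "hash": self._derive(password, salt)}
        # The welcome message confirms the address only; the password is never echoed.
        return f"Registration confirmed for {email}. Log in with the password you chose."

    def verify(self, email: str, password: str) -> bool:
        rec = self._accounts.get(email)
        if rec is None:
            # Burn the same work factor so timing does not reveal unknown emails.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def stored_record(self, email: str) -> dict:
        """What a database dump would show: salt and hash, no password."""
        return dict(self._accounts[email])

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Forgotten password: issue a single-use token to send by email.
        Returns None for unknown addresses; the caller replies identically
        either way so the endpoint does not confirm which emails exist."""
        if email not in self._accounts:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).digest()
        issued = time.time() if now is None else now
        self._reset_tokens[digest] = (email, issued + RESET_TTL)
        return token  # only its hash is kept server-side

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        digest = hashlib.sha256(token.encode("ascii")).digest()
        entry = self._reset_tokens.pop(digest, None)   # pop => single use
        if entry is None:
            return False
        email, expiry = entry
        current = time.time() if now is None else now
        if current > expiry:
            return False
        salt = secrets.token_bytes(16)   # fresh salt with the new password
        self._accounts[email] = {"salt": salt, "hash": self._derive(new_password, salt)}
        return True


if __name__ == "__main__":
    store = AccountStore()
    print(store.register("alice@example.invalid", "correct horse"))  # constructed sample
    print("login ok:", store.verify("alice@example.invalid", "correct horse"))
    print("stored:", store.stored_record("alice@example.invalid"))
```

Two things are worth noticing. `stored_record` is the most the site could ever email back, and it contains no password, which is exactly the property the thread is asking for. The reset path stores only a hash of the token, pops it on first use and checks expiry, so a stale or leaked reset email is worth very little, unlike a permanent password sent in the clear.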