password via Shutterstock

IT experts say your NTMA Prize Bonds password may not be stored securely

While no sensitive information is accessible on PrizeBonds.ie, customers’ email addresses and passwords could be easily revealed if the website were maliciously hacked.

Updated 11.07am

THE PRIVATE PASSWORDS and e-mail addresses connected to almost €2 billion worth of Prize Bonds accounts could easily be exposed if the website was hacked.

The weakness in the system was highlighted this week when a user received their original password in an e-mail.

Computer security experts say this indicates the passwords and email addresses are stored in a way that would be easily accessible by a hacker, and could then be used to access other accounts used by customers.

A spokesperson for the National Treasury Management Agency (NTMA), which manages Prize Bonds, confirmed that “no functions are available [on Prizebonds.ie] other than to check publicly available lists of winning prize bond numbers”.

The weakness was highlighted on the technology blog PMooney.net, which found that if a user requests a password reset on the website, they receive their original password in an e-mail.

‘Plain text’

Computer security experts contacted by TheJournal.ie said that if it is possible to send passwords to users using this method, it indicates that they are likely stored in a ‘plain text’ format.

This means that if a malicious hacker were to access the site, customers’ email addresses and passwords could be easily retrieved, as no attempt has been made to encode the information.

“It’s an absolute no-no,” said Ronan Murphy, CEO of Smarttech.ie.

The best practice for storing passwords is an encryption method called MD5, where your password is ‘hashed’.

He said that e-mail was a highly insecure way to transmit such sensitive information.

“The fact that they manage to send passwords in an unencrypted format could lead you to believe that they are stored in that format somewhere on their network,” the author of PMooney.net told TheJournal.ie.

“I would (hopefully) doubt this is the case and assuming that the passwords are only decrypted during the process of sending the email, it still is insecure.”

The developers may have a limited budget and limited resources, but it needs to be fixed.

PMooney.net also highlights that Tesco.com’s use of a similar system was investigated by the UK Information Commissioner’s Office last year.

The NTMA said that “details held within the system database are stored in an encrypted format, in line with best practice”.

A Security Statement on PrizeBonds.ie states that “all sensitive data is stored in an encrypted fashion on highly secure servers and is completely protected from unauthorised access”.

While no financial information or transactions could be accessed if an account holder’s Prize Bonds account were compromised, Mike Harris of Grant Thornton explained that once an email address and its associated password have been compromised, they can lead to the hacker gaining access to many other accounts.

Same password

“The big issue is the fact that people share the same password across different services,” he said.

“In some cases, a simple hack can compromise a lot of passwords… and these might be used across a number of different services, such as online banking, social media, and insurance websites.”

Most experts advise users to create strong passwords containing symbols, numbers, and capital letters, and to use a different password on every website.

Originally published 8.15am, updated to include clarification of MD5 encryption


18 Comments

    Barry O'Brien, Jan 12th 2014, 11:32 AM

    Who the hell is Ronan Murphy? Why not get someone who actually knows about security to comment? Ireland has a relatively large and knowledgeable infosec community who could give good advice, unlike Mr. Murphy who doesn’t know what he is talking about.

    First, storing a password as md5 hash is not much better than plaintext. Md5 is broken and trivial to crack. Passwords should at minimum be hashed using sha256 (preferably sha512) then salted with a random value, then hashed again. That is a minimum.

    Secondly, md5 is not encryption. It is hashing. Hashes are used for verification and retains none of the original information.

    29
    Robin Hilliard, Jan 12th 2014, 12:16 PM

    Was going to say the same thing. Can’t believe that somebody in 2013 is still recommending using an MD5 hash, especially when they appear to think it’s an encryption algorithm.

    // sheesh

    21
    Barry O'Brien, Jan 12th 2014, 12:30 PM

    I just had a look at his profile. It seems he’s the CEO of an MSP. I wonder why he didn’t get one of his engineers to comment? His comment doesn’t inspire much confidence in his company as a security provider.

    15
    Richard, Jan 12th 2014, 9:10 AM

    Better go cash in my 1 billion worth of prize bonds… oh wait, that was a dream :-(

    24
    Colm A. Corcoran, Jan 12th 2014, 10:03 AM

    Limited budget resources is no excuse. They just need a line of code to hash new passwords and another line to hash passwords when logging in. Then prepare a script to convert all previous passwords. I could almost do that for free.

    20
    Rehabmeerkat, Jan 12th 2014, 10:37 AM

    How do you know that’s not happening but with reversible encryption?

    1
    Barry O'Brien, Jan 12th 2014, 10:58 AM

    You’re not supposed to encrypt passwords. You’re supposed to hash them. Hashing is not reversible. Encryption is.

    14
    Colm A. Corcoran, Jan 12th 2014, 11:27 AM

    I don’t, but if they are they shouldn’t. Nevertheless the solution is much the same except with two extra steps, remove the encryption code and decrypt all existing passwords before hashing them.

    And yes, it is bad design, because regardless of what they’re doing behind the scenes, being able to return a user’s existing password is an indication that the password is easily accessible. They are not using md5 and dehashing it as that requires brute forcing it; even if they were I’d be inclined to fire the developer for eating up all the server resources for that.

    All it requires is one other careless oversight on security, such as an SQL injection weakness, and bingo, anyone who can write SQL can get all the user passwords because they weren’t hashed.

    10
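    What “hash, don’t store” looks like in code, as an added example that is not part of the article or of any comment here and has nothing to do with the PrizeBonds.ie code base: passwords are kept as salted PBKDF2-HMAC-SHA256 records (Python’s standard `hashlib`), verified by recomputing the hash from the candidate password, and a constructed legacy table of plaintext (or already-decrypted) passwords is converted once by the kind of two-line migration the comments above describe. The tail of the block shows why an unsalted MD5 digest, which the article calls best practice, is still recoverable by lookup in a precomputed table while a salted, iterated hash is not. The e-mail addresses, passwords and word list are constructed for the example; `hash_password`, `verify_password`, `migrate_legacy`, `login` and `lookup_unsalted_md5` are names chosen here, not any project’s API.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters for the stored record: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count makes every guess expensive; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time.
    The original password is never needed, so it can never be e-mailed back."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed legacy table in the shape a plaintext (or decrypted) store would have.
LEGACY_STORE = {
    "alice@example.com": "password1",
    "bob@example.com": "correct horse battery staple",
}


def migrate_legacy(legacy: dict) -> dict:
    """One-off conversion: hash every stored password and keep only the hash record.
    Once this has run, the plaintext column can be dropped."""
    return {email: hash_password(plain) for email, plain in legacy.items()}


# A record for unknown accounts, so a failed login costs the same time either way.
DUMMY_RECORD = hash_password("dummy-account-placeholder")


def login(users: dict, email: str, password: str) -> bool:
    """Authenticate against hash records only; unknown e-mails still do one hash."""
    record = users.get(email)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


# --- why an unsalted MD5 digest is not a safe substitute ---
# A precomputed digest -> password table built from a small constructed word list.
# Without a salt, every user with the same password shares a digest and one table
# covers every account; with a random salt each record needs its own computation.
COMMON_PASSWORDS = ["123456", "password", "password1", "letmein", "qwerty"]


def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


MD5_TABLE = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted_md5(digest: str) -> Optional[str]:
    """Return the password behind a digest if it is in the precomputed table."""
    return MD5_TABLE.get(digest)


if __name__ == "__main__":
    users = migrate_legacy(LEGACY_STORE)
    print(users["alice@example.com"])
    print("login ok:", login(users, "alice@example.com", "password1"))
    print("md5 table hit:", lookup_unsalted_md5(unsalted_md5("password1")))
```

    The record format carries its own scheme and iteration count, so the parameters can be raised later and old records re-hashed the next time each user logs in successfully, without another bulk migration.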
    TK Maxx To Castlebar, Jan 12th 2014, 12:17 PM

    Oop I didn’t even know I had a password?? I thought I just got a letter in the post if I won ………

    13
    Rehabmeerkat, Jan 12th 2014, 10:35 AM

    This article is an absolute load of horseshite. The fact that they email you your password is simply bad design and easily remedied by simply sending a reset link.

    However it does not mean that it is stored in plain text. To check that your password is correct it has to be compared to the original.

    Also md5 can be decrypted back to the original. Or maybe they store they have a master encryption key.

    Journalists shouldn’t write this waffle…..

    It IS POSSIBLE to hack every website…….

    12
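    The reset-link alternative the comment recommends, as an added example that is not part of the article or of the comment and is unrelated to the PrizeBonds.ie code: the server generates a random single-use token, e-mails a link carrying it, and stores only a hash of the token together with an expiry, so neither the user’s password nor anything usable from the database ever travels by e-mail. The in-memory store, the e-mail addresses, the base URL and the clock values are constructed for the example, and the function names are chosen here.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # a reset link should stop working quickly

# Constructed in-memory store: sha256(token) -> (email, expiry timestamp).
# Only the hash is kept, so a copy of this table cannot be used to reset anyone's
# password; the plaintext token exists only in the e-mailed link.
RESET_STORE = {}


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(store: dict, email: str, now: Optional[float] = None) -> str:
    """Mint a token for this e-mail address and record its hash with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[_token_id(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(base_url: str, token: str) -> str:
    """The only thing that goes into the e-mail: a link, never the password."""
    return f"{base_url}/reset?token={token}"


def redeem_reset_token(store: dict, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the e-mail address a valid token belongs to, consuming the token.
    Unknown, already-used and expired tokens all fail the same way."""
    now = time.time() if now is None else now
    entry = store.pop(_token_id(token), None)  # pop makes the token single-use
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    tok = create_reset_token(RESET_STORE, "alice@example.com")
    print(build_reset_link("https://example.invalid", tok))
    print("redeemed for:", redeem_reset_token(RESET_STORE, tok))
    print("second use:", redeem_reset_token(RESET_STORE, tok))
```

    After `redeem_reset_token` returns an address, the handler takes the new password from the form and stores its salted hash; the old password is never read, because with hashed storage there is nothing to read.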
    Rehabmeerkat, Jan 12th 2014, 10:38 AM

    Btw md5 is not random

    2
    Aunty Simmonite, Jan 12th 2014, 11:30 AM

    So are you saying that people are not getting their passwords sent by email? Never mind the ifs and buts and what should be done, because we know that already; the article points out that our pals at the National Treasury Management Agency don’t know, so maybe you should help them out.

    5
    Robin Hilliard, Jan 12th 2014, 12:25 PM

    @Rehabmeerkat, the point of using salted hashes is that the backend code compares hashes to validate passwords, rather than comparing candidate passwords with the original password. Neither can MD5 “be decrypted back to the original”. Instead, it’s possible, with some work, to find message text which hashes to the same MD5 hash value which is equivalent if the backend code is comparing hashes. Finally, it’s unclear what you mean when you say “they store they have a master encryption key” since MD5 is a hashing algorithm which does not use keys, rather than an encryption algorithm which does (or, are you referring to storing passwords enciphered under a master key, rather than hashing them and comparing hashes? If so, that’s still lousy security practice).

    10
    Tom Brennan, Jan 12th 2014, 1:02 PM

    MD5 can be reversed via rainbow tables, check http://md5decryptor.co.uk to see it

    4
    Barry O'Brien, Jan 12th 2014, 2:15 PM

    That’s technically not reversed. Theoretically there is an infinite number of collisions and you are just finding one by brute force. But when talking about hashed passwords generally the first result is the password.

    5
    Peace for All, Jan 12th 2014, 11:18 AM

    Yet the Bank Guarantee letters weren’t stored in plain text, …. Or were they….

    7
    oneSafe, Jan 13th 2014, 2:31 AM

    @NickyRyan_ Thanks for this insightful (although a bit scary) article!

    I have to confirm unfortunately that the fact that passwords have been sent via email does mean that they’re stored in plain text or equivalent (maybe encrypted with the key stored not far from there).

    Usually, as Robin Hilliard mentioned, instead of comparing passwords, systems should compare “hashes” obtained from these passwords, using a complex hash function. MD5 which is mentioned shouldn’t be used in that case as it can be easily reversed using rainbow tables. The way this works is fairly easy to understand: for millions of passwords, the MD5 result is pre-calculated and stored in a big table (called a rainbow table). Then, it’s only a matter of looking up the MD5 result to derive the password.

    The proper way to secure these passwords will be to use a salted hash: that means that each password is hashed using a unique “salt”.

    2
    Ray Donaghy, Jan 12th 2014, 12:05 PM

    It’s not too late to burn these Bondholders.

    1