Passwords of thousands of business customers of the Australian Tax Office are stored in clear text, SC Magazine can reveal.

The ATO discovered the lax practice after software developer Alex North noted that the office's Publications Ordering Service (POS) — hosted and operated by a third party — had emailed plain text passwords as part of its account recovery service.

The POS ships hard copy forms from the ATO's warehouse to businesses and individuals who register with the service.

Storing passwords in readable text places users at risk because it dramatically increases the damage done to customers should the service be hacked.

If the POS were to be breached, scores of taxpayer passwords would be immediately available to attackers.

Those passwords could potentially be used to access other ATO portals if they were reused.

Password reuse is a widespread security risk: Studies claim up to 60 percent of users recycle passwords across web sites, while many hacked organisations have issued statements asking users to change compromised passwords that are resused on other websites.

Customer tax and financial information was not held within the POS, according to the agency.

"The system is run externally by the warehouse and separately to the ATO," a spokesperson told SC.



"It is unable to access taxpayer information or their details. There are no financial or bank account details stored on POS."

The agency will force the POS operator to fix the gaffe and will also push other suppliers to "update and introduce additional security measures where appropriate as part of ongoing best practice".

Email fail

Sydney software engineer Alex North discovered the password gaffe after he noticed the POS had sent plain text passwords via email as part of its account recovery process.

He told the ATO it opened users to account compromise, including the possibility credentials could be stolen during man in the middle attacks. Any user who logged into the service over open wireless networks, for example, could have their passwords intercepted.

But North was reportedly told by an unnamed ATO staffer that the recovery process was standard practice and, erroneously, that usernames could not be gleaned by attackers.

The email address used in the recovery process served as a username and also revealed the website where the credentials were used.

"We currently use the most commonly adopted methods of password recovery," the ATO respondent reportedly said.

Plain text offenders

Billabong, AllPhones and Yahoo! are just some organisations which have faced embarrassment in recent months after hackers accessed their stored plain text passwords.

Scores more have witnessed their user passwords — secured with weak encryption and without salting — cracked within hours after being breached.

Only yesterday, the ABC witnessed half of its almost 50,000 compromised user passwords broken within 45 seconds by Sydney security researcher Troy Hunt.

Hunt began working on the passwords hours after SC reported news that the website of now defunct TV program Make Australia Happy was breached.

While less of a threat than storing passwords without encryption, the use of clear text passwords in account recovery systems was even more prolific.

So common was the misstep that a dedicated website dubbed Plain Text Offenders brimmed with organisations who emailed human readable passwords to their users.

Among those accused of shipping readable passwords include: The Good Guys; Kennards; Australia Post; MyDeal.com.au; TPG; TicketTek; AGL; Pearsons; Melbourne IT; MoshTix; PizzaHut, and BigPond.

Organisations must use strong encryption and salting to protect passwords. Weak encryption can be easily broken, sometimes within seconds.