GCHQ Security Gaffe: Spooks Send Passwords In Plain Text

One of the UK’s core intelligence agencies, GCHQ, has been caught with its pants down, sending passwords in plain text – a fundamental no-no of Internet security.

Evidence that GCHQ is not adequately encrypting or hashing its passwords came to light in a blog post from budding security pro Dan Farrall. Hoping to apply for a job at the agency, Farrall realised he already had an account needed to apply for the role. He had forgotten his password, and asked for a reset. But instead of going through a secure passwords reset process, as is good practice, GCHQ just sent him his login information in a plain text email.

‘Shocking’ from GCHQ

“Pretty shocking in my opinion, so I sent them an email on the 28th of January letting them know about this issue, but have heard nothing back,” Farrall  wrote.

The GCHQ career site may not be run by an internal team, but given it was alerted about the issue some time ago, it will concern many to see nothing has been done.

It is possible that GCHQ is protecting the passwords it holds in its own storage, but sending them in plain text is still bad practice from a major intelligence body that is one of the leading organisations for the promotion of security in the UK.

Another UK giant, Tesco, came in for heavy criticism last year for doing the same thing. It eventually changed its ways after heavy press pressure.

GCHQ said it is in the process of changing systems, although did not say whether it would stop sending passwords in plain text.

“The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it,” a GCHQ spokesperson said, in a statement emailed to TechWeekEurope. “Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.”

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • I contacted GCHQ a little over a year ago after running a metadata dig on various websites, GCHQ amongst a few others (The Cabinet Office aswell) were all leaking metadata.

    GCHQ showed me UNC paths to local directories (thus showing some internal infrastructure), usernames, applications and versions etc. I still have the output from that scan.

    I contacted the press office who responded with a thankyou and the next day it was resolved, but another rookie mistake.

    Never trust an organisations of secrets, they are all useless, never mind a democracy, we live in a idiocracy.

Recent Posts

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

3 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

3 hours ago

Dutch PM Raises Cyber Espionage Case With China’s Xi

Beijing visit sees Dutch Prime Minister Mark Rutte discuss cyber espionage incident with Chinese President…

4 hours ago

Vodafone Germany Confirms 2,000 Job Losses, Amid European Restructuring

More downsizing at Vodafone after German operation announces 2,000 jobs will be axed, as automation…

20 hours ago

AI Poses ‘Jobs Apocalypse’, Warns Report

IPPR report warns AI could remove almost 8 million jobs in the United Kingdom, with…

21 hours ago

Europe’s Longest Hyperloop Test Track Opens

European Hyperloop Center in the Netherlands seeks to advance futuristic transport technology, despite US setbacks

22 hours ago