UTS site defaced with plaintext passwords
Over the weekend, a subdomain at the University of Technology Sydney was defaced, and with it the names and passwords of several staff members. What isn't being talked about much is: it was bound to happen.
Image of computers in UTS Building 10 taken by me in 2011.
According to Michael Lee of ZDNet Australia, the breach affected an older content management system (CMS) backend used to deliver news. Once the system was compromised, the information of staff members was published including their names, email addresses and their passwords as plaintext.
The site also had an ASCII art picture of Zoidberg from Futurama added, performing his trademark roar of exasperation. I see what they did there.
The good news is this breach did not affect the primary site, though it exposes a far larger issue.
The claws of the problem
When I first enrolled at UTS, I was surprised at how easy it was to choose subjects, set up my timetable and get started. Some of my fellow students may scoff at this, but having studied in several places, UTSs system is far superior. They may use Blackboard for everything else, but at least they had the common sense to keep clear of it for enrollment. But I digress.
The one part of the process that gave me pause was when I was prompted for a password. I proceeded to type in a unique passphrase that I'd be using for logging into UTS, only to be told it was too long.
I've blogged at length about the risks of accessing sites with password character limits, and why they're technically unnecessary in a securely designed site. You can read about it here.
In a nutshell, passwords that are stored securely as a cryptographic hash have no technical reason to be limited in length. When a site informs you of a length limit, it's a fairly sure sign they're storing your password insecurely as plaintext, which means when there's a breach, your password is viewable. Like they were here.
UTS uses student passwords for administration, student email, the Blackboard Learn environment, WPA2 passwords for wireless access, Faculty of Engineering and IT access to student servers, login access to shared computers and many more places. I can appreciate the challenge of keeping all these the same, as students are unlikely to be willing to remember different passwords for each of these.
Still, for an institution of higher learning, I can't help but think they could solve this challenge securely. It dismays me when action is taken only as a result of a breach. I hope UTS uses this as an opportunity to revise their security policies.