FAIL: Getsafeonline password strength tester sent passwords in PLAIN TEXT, now hauled offline
Respected, high-profile web safety portal removes password checker following discovery of embarrassing security flaw
Getsafeonline, the UK government’s “preferred online security advice” website, has hauled its ‘password strength tester’ offline after users discovered it was sending passwords in plain text.
The webpage asked people to enter a password to check how strong it was, with a score given based on a number of factors. Astonishingly, the password checker appeared to be sending the entered password to the server in plain text, making it simple for anyone watching the connection to intercept and steal.
Even worse, the password was included in the URL of the page, so anyone spying on the connection could read it without even having to look inside the request.
Shocked users turned to Twitter to voice their anger, and Getsafeonline appears to have taken the password tool offline in response.
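A strength meter never needs to send the password anywhere: scoring can be done entirely in the browser and only the verdict shown to the user. The following is an added example, not Getsafeonline’s tool or any code from the article; its scoring rules (a character-class entropy estimate plus a handful of obvious-weakness checks) and the short list of common passwords are this example’s own assumptions. The point it demonstrates is the design contrast with the failure described above: there is no fetch, no form submission and nothing appended to a URL, so the password cannot end up on the wire, in server logs or in browser history.

```javascript
// Added example (not Getsafeonline's code): a password strength estimator that
// runs entirely client-side, so the password never leaves the page.
// The thresholds and rules below are this example's own assumptions.

// Constructed sample list; a real deployment would ship a much larger list,
// still bundled client-side rather than queried from a server.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome", "abc123", "password1",
]);

// Rough search-space estimate: length * log2(size of the character classes used).
function estimateEntropyBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33; // printable ASCII symbols and space
  if (alphabet === 0) return 0;
  return pw.length * Math.log2(alphabet);
}

// Returns { score: 0-4, label, bits, problems } without any network activity.
function scorePassword(pw) {
  if (pw.length === 0) return { score: 0, label: "empty", bits: 0, problems: ["empty"] };

  const problems = [];
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) problems.push("common password");
  if (pw.length < 8) problems.push("shorter than 8 characters");
  if (/^(.)\1+$/.test(pw)) problems.push("single repeated character");
  if (/^[0-9]+$/.test(pw)) problems.push("digits only");

  let bits = estimateEntropyBits(pw);
  // A dictionary word or a repeated character is weak no matter how many
  // character classes it appears to use, so cap the estimate.
  if (problems.includes("common password") || problems.includes("single repeated character")) {
    bits = Math.min(bits, 10);
  }

  let score, label;
  if (bits < 28) { score = 1; label = "weak"; }
  else if (bits < 50) { score = 2; label = "fair"; }
  else if (bits < 72) { score = 3; label = "good"; }
  else { score = 4; label = "strong"; }
  return { score, label, bits: Math.round(bits), problems };
}

// Page wiring: the input's value is scored locally on every keystroke and only
// the verdict is rendered. Nothing is submitted, fetched or placed in a URL.
function attachStrengthMeter(inputEl, outputEl) {
  inputEl.addEventListener("input", () => {
    const r = scorePassword(inputEl.value);
    const detail = r.problems.length ? ": " + r.problems.join(", ") : "";
    outputEl.textContent = `${r.label} (${r.bits} bits)${detail}`;
  });
}
```

In a page, `attachStrengthMeter(document.querySelector("#pw"), document.querySelector("#verdict"))` is the whole integration; the entropy figure is a coarse heuristic, and a production meter would use a larger dictionary or an established client-side library, but the important property is architectural: a checker that needs the server to score the password has already leaked it.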
I give up! Did you really just send my password in the URI over HTTP? #fail #infosec @GetSafeOnline @DaveLeeBBC pic.twitter.com/9330g8rOyh
— Paul Moore (@Rambling_Rant) June 4, 2014
Getsafeonline has been calling on UK internet users to take urgent action to protect themselves against Gameover Zeus and CryptoLocker.
Earlier this week the National Crime Agency and FBI warned that people had two weeks to take action while servers used by criminal gangs were disrupted.
Getsafeonline’s advice included changing passwords and picking more secure ones. Its ‘password strength tester’ was intended to help people pick better passwords, but by transmitting them in plain text over an unsecured connection it was doing anything but.
Earlier this week Getsafeonline went offline after it was flooded with traffic following its publication of advice on how to protect computers against Gameover Zeus and CryptoLocker.
We’ve asked for more information on the password checker and will update this story soon.