Lloyds TSB is the fifth-largest banking group in the UK … [snip]… the banking giant enjoys rooting through customer records and changing passwords it finds offensive, then refusing to change them back.
Steve Jetley of Shrewsbury discovered this firsthand, after he changed his telephone banking password to “Lloyds is pants” (“rubbish” to us American sods on the wrong side of the pond). Upon calling in, Jetley discovered that his “pants” password didn’t match what was in the system. Instead, his password had been changed to “no it’s not.” At first glance, this looks like no big deal.
Actually, this is a really big deal.
What this means is that the password database for Lloyds is unencrypted: the passwords are stored in a form that bank staff can simply read. This is a very, very bad no-no.
If you’re using passwords as your authentication method, decent security demands that only the user knows what the password is. That is to say, it is impossible for anyone at the bank to find out what the user’s password actually is. In cryptography, this is accomplished using one-way hash functions.
Mathematically, the concept is actually pretty simple. A hash function takes a string (in this case, the user’s password “Lloyds is pants”) and computes a result that cannot feasibly be reversed to recover the input. For example, an MD5 hash of “Lloyds is pants” might look like this: “08cbdb76f55034939fb530dbf367725b”. The cool thing about well-designed hash functions is that if I know the hash, I *can’t* tell you what the original password is (note, this isn’t exactly the case for MD5, which is broken, but that’s not germane to this post).
Anyway, this means that if someone manages to get unauthorized access to the password database, they can’t see the actual password; they can only see the resulting hash. This means that they can’t turn around and *use* the password.
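As an added example (not code from the original post or from the bank), here is what storing and checking a password this way looks like: the bare MD5 digest the post mentions is deterministic and unsalted, while a salted PBKDF2-HMAC-SHA256 record lets the bank verify “Lloyds is pants” without ever storing it. The iteration count and the `pbkdf2_sha256$…` record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; tune the iteration count for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The weak scheme from the post: a bare MD5 hex digest.
    It is deterministic and unsalted, so two users with the same password get
    the same hash and precomputed lookup tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the only thing the bank should store:
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. The password itself is never kept.
    A fixed salt may be passed for deterministic testing; normally it is random."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, then compare
    in constant time. Nobody at the bank learns the password; they learn only
    whether the caller's attempt reproduces the stored hash."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = make_record("Lloyds is pants")   # random salt, so it differs each run
    print(stored)
    print(verify("Lloyds is pants", stored))  # True
    print(verify("no it's not", stored))      # False
```

Because the record holds only salt and hash, an employee rooting through it cannot read “Lloyds is pants” to change it, and two customers with the same phrase produce different records.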
Lloyds obviously doesn’t do this, which means that any employee who has access to the password database can not only act like a corporate gentility cop (as in this story), but could also sell, trade, or use the password themselves. Ick.
[edited to add] – Bruce and I are picking up on the same stories lately. The comment thread over at his blog indicates that this isn’t actually a password (to be used with online banking, for example), but a code phrase, to be used when dealing with human banking representatives. Which explains the unencrypted nature.