Password security, data safety - A government perspective
One week ago, I went to a branch office of Servicio de Administración Tributaria, the government office in charge of processing taxes. This year, I plan on doing something quite bold, as my Mexican friends will acknowledge: I will prepare my (quite simple, I hope) tax declaration by myself. I do not want to be held hostage of the accountant guild - So I might end doing some fuckup which in the end costs me money or time. I hope it is not the case. Anyway… Last week I went to this office, as I needed either a CIECF (Clave de Identificación Electrónica Confidencial Fortalecida - Strengthened Confidential Electronic Identification Key) or a FIEL (Firma Electrónica Avanzada - Advanced Electronic Signature). No, please don’t believe it is a security token, a card with printed numbers, a one-time-pad or the sort - The CIECF is… A password. Why is it strengthened? Because it has the feature of including a question, in case you forget the key, to allow you to change it. I guess the FIEL is a more reliable device, but I prefer not to even request it. And as far as the questions go, the emergency questions for CIECF suck. First, I was not even asked the meta-question - I was not told why this information was needed. So imagine the clerk saying: Full name? … Date of birth? … RFC (Tax ID)? … Favorite color? I was there just… Stunned. Why do you need it? Oh, just in case you forget your password. Ok… Don’t you have any other questions which I am not prone to answer a different thing, and that are not dead obvious for a casual passer-by? (I guess that at least 1/4 of the public will say blue. Feel like brute-forcing SAT to its knees?) Other questions include your fathers’ second family name, your favorite soccer team, your pet’s name… It seems they took the first “security dos and don’ts” book off the wall, and started reading backwards. But anyway, that’s the system, and I must play nice with it. So I get back home, and decide to start hacking up my declaration. No, Mr. Policeman, I’m not saying I would try to break into the SAT - I just say it is a complex and non-obvious task to do. Now please release me. Thanks. And I enter the system. Of course, I tried first with Iceweasel, knowing it would fail (it is documented: MSIE 5.5 recommended). I tried again with Konqueror. I tried, sigh, with MSIE from inside Wine. No luck. Well, even from within qemu’s Windows 2000. Wrong password. WTF?! Stranger: It worked with SAT’s My portal, although it didn’t with the declaration, which is what matters now. I cannot take the time every day to come to the SAT and move my data - It was a full week until I came back again. I insisted on fully logging in to the system, to be sure the password I entered this time was right. As well as my über-secret safety question, of course. And it failed. Twice. Until the clerk noticed something strange in the way I typed… Sir, excuse me…, he muttered, why are you typing such a long password? Well, basically because I value my tax declaration, and I know brute force is a powerful force. (explain it, of course, in simple terms) Oh… No, the password must be eight characters long. No wonder. So I entered the first eight characters of my password, which was a true work of prose for their standards, at around 20 characters. And it worked. Now, for bonus points: What do we gather from the fact that the long password works fine in one system, but in another system it only the short version? Why, but of course! I guess the passwords for every economically active Mexican is stored in their master database in plain text. Isn’t it just beautiful? Anyway, it seems I have a lot of work to do. If all goes as planned, maybe next year I will be for hire as a public accountant? Hmh, does not sound too much like fun, does it?
alex_mayorga 2008-04-25 09:20:11
I do feel the pain…
not to mention that the so called SOLCEDI is an .exe and .doc document. I’ve yet to throw it into wine. That would be OK I guess now that OOXML has been turned into ISO standard. And how would that be strange if rumor has it that Mr. Gates himself phoned Mr. Calderón to change initial Mexico “ABSTAIN” on DIS29500 to a resounding “YES”. What shocked me in particular was they blatantly distributing known vulnerable and already compromised versions of Java. Good luck with your taxes, I really don’t think my hacking skills are yet to the level of filing them myself so I’ll be going to the nearest SAT office this Sunday. We all should do it diligently, otherwise our hard working congressmen and woman might not get their well deserved paychecks on a timely fashion.
gwolf 2008-04-24 20:27:35
It could be, of course, that way`
I also thought on this line. Of course, I highly doubt so. Once you see several things being stupid and going wrong at once, you can only expect stupidity to sink deeper and deeper
Martin 2008-04-25 01:46:14
Verisign does this too
Verisign does this too. The only difference is that they truncate after 30 characters. Silently. I DEFINITELY expect more of THEM.
Rodrigo 2008-04-24 17:59:18
I feel you pain
Imagine all that, plus special nastyness points for being on a deadline, since I needed NU’s password to submit some statement or other in time to take it to the bank for some other round of paper shuffling :(
At least it makes me feel better, knowing that trying to get that password set three times was not me being particularly bad at typing, but them being particularly bad at, I don’t know, being.
Russ Allbery 2008-04-24 18:06:49
Truncated long passwords
It may not be stored in plain text; it may instead be that they truncate after eight characters and hash, and one system just quietly truncates and the other refuses to let you enter anything longer. A scary number of password systems work that way, starting with the legacy UNIX crypt password hashes.
Of course, it could also be plain text. It wouldn’t surprise me a lot.