Plymouth Passport Office’s pitiful password privacy

Graham Cluley
@gcluley

The Plymouth Herald reports on what appears to be an easy-to-avoid gaffe.

An eagle-eyed passer-by spotted a password on clear display at Her Majesty’s Passport Office in Ebrington Street, scrawled on a flipchart leaning against an upper window.


Of course, with modern smartphone technology it’s not hard for anyone to read a password written so large on a flipchart even if it is high up.

And what a password it is!

Passw0rd1

Okay, so they’ve taken possibly the world’s worst password, capitalised the first letter, changed an ‘o’ to a zero, and added a digit on the end, but err… that’s pretty pitiful.

The Plymouth Herald contacted the UK Home Office to ask them about the incident, and a rather exasperated-sounding spokesperson said:

“The Home Office takes security incredibly seriously and we have explained to Plymouth Live several times why this is not a security breach.

“This word would not have allowed members of the public or Home Office employees to access any Home Office systems.

“It was simply used to take our employees only through to a page where they would then have to create a high security password, and cannot be used to access Home Office systems.”

I think that means that the password allows workers to access a webpage where they can choose a different password for themselves… which hopefully isn’t “Letme1n” or “Passw0rd2”.

One hopes that this webpage where users can choose their passwords isn’t accessible to the outside world, otherwise someone could easily go there and mess up a new worker’s first day in the job, locking them out of the system.

That may not be a realistic threat, but I see a number of real problems here:

  • Passwords don’t need to be, and shouldn’t be, easy to guess or crack. There’s no reason why that password couldn’t be something like “XhxC$ndh2e&O”, for instance.
  • It’s poor security to leave passwords on open display. Otherwise, what’s the point of having a password at all? Scrawling a password large on a flipboard seems unnecessary enough, but then leaning the flipboard against a window that can be seen from a public street is even dafter.
  • It doesn’t matter that the password isn’t used for what the Home Office considers a “high security” purpose. The right approach is to consider all passwords to be sensitive, rather than some more important than others. If you take that approach, no-one has to second-guess whether this is a password you need to be careful with or not – they *all* need to be treated properly.
  • Finally, don’t sound annoyed when someone points out a potential security issue! Be grateful that they are being your eyes and ears, and alerted you to something that you didn’t notice.
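To show why the first point matters, here is an added Python check (mine, not the article’s or the Home Office’s) that undoes the cosmetic tricks applied to “Passw0rd1” before comparing it against a dictionary; the tiny wordlist and the 12-character minimum are assumptions, and the random example from the list above passes.

```python
"""Reject passwords that are a dictionary word dressed up with the tricks seen on
the flipchart: capitalised first letter, letter-to-digit swaps, digits on the end."""
import re
from typing import Optional, Tuple

# Constructed mini wordlist for the example; a real check would use a large
# breached-password or dictionary list.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}

# Common "leet" substitutions, mapped back to the letter each one stands for.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Assumed policy minimum; pick whatever your own policy says.
MIN_LENGTH = 12


def normalise(candidate: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, then reverse leet swaps.

    Stripping happens before the swap so that a trailing '1' is treated as an
    appended digit rather than as a disguised 'i'.
    """
    base = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop appended digits/punctuation
    base = re.sub(r"^[^a-z]+", "", base)   # drop prepended ones too
    return base.translate(LEET)


def is_weak(candidate: str) -> Tuple[bool, str]:
    """Return (weak?, reason). Dictionary check runs first, then length and variety."""
    base = normalise(candidate)
    hit: Optional[str] = next((w for w in WEAK_WORDS if w in base), None)
    if hit is not None:
        return True, f"dictionary word '{hit}' with cosmetic substitutions"
    if len(candidate) < MIN_LENGTH:
        return True, f"shorter than {MIN_LENGTH} characters"
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return True, "fewer than three character classes"
    return False, "no obvious weakness found"


if __name__ == "__main__":
    for pw in ("Passw0rd1", "Letme1n", "XhxC$ndh2e&O"):
        print(pw, "->", is_weak(pw))
```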



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “Plymouth Passport Office’s pitiful password privacy”

  1. What if the account isn’t used for a period of time or is orphaned? The account only being internally accessible may reduce the external threat, but it doesn’t address the internal threat. It’s just bad practice. The only excuse that would wash with me is this was being used to show staff what a bad password looks like.

  2. If I had seen that password I would have assumed, and hoped, it was meant as a demonstration of bad passwords. Perhaps there was a security training course and someone was giving examples of bad passwords. Sounds like this was not the case though.

    I would be curious what the purpose of a password would be if you are going to literally let every person know the password. Much easier to just get rid of the password.
