Questions asked about Companies House password security

Questions asked about Companies House password security
Questions asked about Companies House password security

Research has revealed that Companies House sends password reminders by post with the details in plain text.

The research by My Scrib said that Companies House uses post instead of email for sending out companies' passwords, which is a problem when companies are obliged to register and make the majority of changes to their status online.

Companies House requires two passwords – one for each user and one for each company - the former is the same across all companies that a person owns or has an online account for.

However it is the password per company that is sent to a company's registered address by post and if this password is lost or forgotten, there is no way to get it online, it is only resent by post, but then the password is not reset.

“In order for Companies House to be able to send out a reminder of the password without resetting it, the password must be stored in plain text on a server somewhere. This means it is vulnerable to hackers,” My Scrib said.

“So what is it possible to do if you gained unauthorised access to Companies House online? You could change the company's address, add and remove directors and secretaries, or change the share distribution or ownership. The company has to keep its own records too, but it is fairly easy to see how a fraudster could do much the same as those American lawyers without too much effort.”

The research cited password questions posed by Troy Hunt against Tesco, which alleged that the retail giant sends out passwords in plain text with security flaws in its website.

Hunt said that he imagined it would be a very big deal if an attacker could go in and change a company's details, but the other issue is about what sensitive information it might disclose.

He said: “I'm not too familiar with the UK structure, but I imagine there might be information which should not be readily disclosed.

“That said, there's still the requirement to intercept or acquire the password but with it emailed in plain text and stored, at best, in an encrypted form (at worst in plain text – we have no evidence to suggest anything to the contrary), the bar is just that much lower to begin with. It's unnecessary in this day and age.”

My Scrib said: “Tesco very quickly fixed their system following publication of the vulnerability. I wonder whether Companies House, who keeps rather more valuable information safe than the contents of our last grocery shop, will be as quick to respond.”

Sign up to our newsletters