Passwords have finally reached their sell-by date

I wrote in this column two months ago about my difficulty in finding a reliable web hosting provider. I thought I had finally found one that I was happy with, but recent events have forced me to reconsider.

Last week, I received a couple of disturbing emails from the company. The first said that its technical support person "is no longer affiliated with the company" and that, should I receive any emails from him, I should forward them to his ex-employer and then delete them. Rather worrying, to say the least.

The second email said that a member of its staff had recently left the company and, as is standard procedure in such cases, they were advising all customers to change their passwords as a matter of urgency.

At my hacking trial, 20 years ago, my defence barrister pointed out that Prestel had been warned about security weaknesses in its systems a couple of years before I managed to get in. Apparently, Prestel's password file was readable by any staff member with the appropriate privileges. Although this took place 20 years ago, it seems that some companies have still not learned the lesson. Password files should be write-only. No exceptions.

On another note, you may have heard me talk about how WordPerfect's marketing team handled the revelation that its uncrackable document encryption facility was nothing of the sort. The company published a press release from one of its largest customers explaining how pleased it was to discover that the encryption was breakable. "We never dared use the feature before," went the quote, "for fear of losing critical data if an employee forgot a password. Now we know lost passwords can be recovered, we're happy."

I had long since abandoned hope of any company making such a huge PR gaffe again. But last week my local newspaper carried a story about a web filter that is being used in primary schools to protect children from web perverts. The team behind a new Dick Whittington pantomime was apparently fuming after it emailed details of the show to a number of schools, only to have the message bounced because of Mr Whittington's first name.

A council spokesman in one affected education department said: "This demonstrates that the systems are working, albeit in an unintended fashion." Well, quite. The web is an incredible place. If children need protecting from it, it is the job of parents and teachers, rather than dumb keyword search tools.

Copyright © SC Magazine, US edition