Password security for photocard accounts
Request ID: FOI-0180-2122
Date published: 18 May 2021
You asked
Upon requesting a ZIP photocard for my child, I was required to set up a different account to my normal Oyster account. This photocard account did not allow passwords greater than 10 characters, and I was not able to use a password that I deemed sufficiently secure to protect my data.
This limit is poor information security, as it makes it easier to brute-force, but more worryingly, it suggests that passwords may be stored in plain text rather than hashed, since password hashes are not constrained by length. One-way password hashes are the foundation of password security.
This photocard application contains my personal information (and that of my child). The GDPR requires you to process data securely, and additionally the ICO recommend that password methods are not susceptible to brute-force and use hashing.
The questions I would like answered under FOI are:
1) why is there a maximum 10 character limit?
2) are you hashing the passwords or storing them as plain text in the database?
Without answers to these questions then it cannot be assured that the data is protected safely.
We answered
TfL Ref: FOI-0180-2122
Thank you for your request of 27th April 2021 asking for information about password security for photocard accounts.
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy.
Specifically you asked:
“1) why is there a maximum 10 character limit?
2) are you hashing the passwords or storing them as plain text in the database?”
Protecting the privacy and security of our customers’ data is of paramount importance and we recognise our responsibilities as a custodian of the personal data of millions of people and we work closely with the ICO on maintaining best practice. In answer to your first question, the Photocard Customer Portal currently has a 10 character limit as this was in line with the guidance and industry standards in place when the Portal was first developed. Note that we are in the process of updating the Portal. Once live (later this summer) the updated Portal will require that the password must be between 8 and 40 characters and must contain both upper and lowercase letters, a number and a special character.
In answer to your second question, we can confirm that the passwords are not stored in plain text. However, in the interests of protecting the security of those passwords, and in line with our wider cyber-security approach, we are unable to confirm the exact format in which they are stored. This is because we consider that the disclosure of detail around our cyber security practices would be likely to heighten the risk of attempted attacks on our systems and therefore affect our ability to retain the security and controls we have over the personal data we retain, potentially placing the personal data of our customers at risk.
If this is not the information you are looking for please do not hesitate to contact me.
If you are considering submitting a further FOI request please think carefully about whether the request is essential at this current time, as answering FOI requests will require the use of limited resources and the attention of staff who could be supporting other essential activity. Where requests are made, please note that our response time may be impacted by the current situation.
Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.
Yours sincerely,
David Wells
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London
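The following is an added example, not part of the request or of TfL's response and not TfL's code: it checks a password against the rules the response gives for the updated Portal and stores it as a salted PBKDF2-HMAC-SHA256 record, showing that the stored record has the same size for a 10 character and a 40 character password. The response does not disclose the storage format, so the algorithm, salt and digest sizes, iteration count, function names and the reading of "special character" as ASCII punctuation are all assumptions.

```python
import hashlib
import hmac
import math
import os
import string

MIN_LEN, MAX_LEN = 8, 40        # length limits the response gives for the updated Portal
SALT_LEN, DIGEST_LEN = 16, 32   # assumed sizes, chosen for this example
ITERATIONS = 600_000            # assumed PBKDF2 work factor, chosen for this example


def meets_policy(password):
    """Apply the composition rules the response describes for the updated Portal."""
    return (
        MIN_LEN <= len(password) <= MAX_LEN
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        # Assumption: "special character" means ASCII punctuation.
        and any(c in string.punctuation for c in password)
    )


def hash_password(password, salt=b""):
    """Return salt || PBKDF2-HMAC-SHA256 digest; use a fresh random salt if none is given."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return salt + digest


def verify_password(password, record):
    """Recompute the record with the stored salt and compare in constant time."""
    salt = record[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), record)


def search_space_bits(length, alphabet=95):
    """Bits of brute-force work for a random password over printable ASCII."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passwords of 10 and 40 characters.
    for pw in ("Tr4vel!Zip", "Tr4vel!Zip-" + "x" * 29):
        record = hash_password(pw)
        print(len(pw), meets_policy(pw), len(record), round(search_space_bits(len(pw))))
```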