HMRC announced on 13 August 2018 that they intend to change User ID and password policy to allow increased complexity and length within the Digital Transaction Engine. This change impacts MD5 Hashing, TLS 1.0 and Credential Length within the Digital Transaction Engine.
Key changes will be made to:
HMRC will be changing User ID and password policy to allow increased complexity and length.
We are back full circle on this. Andica customers may remember that back in 2005 Andica software allowed you to enter a Government Gateway password longer than 12 characters, only for HMRC to reject submissions because it could not handle passwords of more than 12 characters sent through third-party software. We then recommended that customers truncate it to a maximum of 12 characters.
Following National Cyber Security Centre advice, HMRC are intending to move away from TLS 1.0 and recommend that vendors move to TLS 1.2.
We are back full circle on this one as well. Andica software used to support clear text passwords, and we then changed it to MD5 hashed passwords based on HMRC's recommendations.
HMRC's Document Submission Protocol provided options for Clear Text and MD5 hashing of passwords. HMRC have suggested that, to align with established best practice, the MD5 hashing method is being deprecated and will no longer be accepted.
We at Andica have updated most of our current software to remove MD5 hashing and support User ID, Password length and validation.
Details for individual products affected and patches to update software are provided in the FAQs: