France Outlaws Hashed Passwords

Posted by samzenpus
from the keep-your-receipt dept.
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."

  • by xtracto (837672) on Thursday April 07, 2011 @04:09AM (#35742070) Journal

    Storing passwords as hashes instead of plain text is now illegal in France,

    No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.

    It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

    Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.

    Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google due to some privacy issues, and now they want them to keep so much data for such a long time?

  • Re:plain-text OS? (Score:5, Informative)

    by 0100010001010011 (652467) on Thursday April 07, 2011 @04:12AM (#35742088)

    In that case, point them to the md5 rainbow tables and store it as md5.

  • by Anonymous Coward on Thursday April 07, 2011 @04:26AM (#35742134)

    First, I'm French.
    I read the law http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTEXT000023646013&dateTexte=&oldAction=rechJO&categorieLien=id

    You have to store information about content creators only (not relevant for a pure mail provider, maybe in the case of a multiservice google account).
    Password and payment information, among others, must be given upon request to the authorities, but as I understand, ONLY IF THEY ARE ALREADY COLLECTED.

    Not that I think it's a "good" law, but it is not as bad as said in the article, as I understand it.

  • Re:plain-text OS? (Score:2, Informative)

    by madprof (4723) on Thursday April 07, 2011 @04:26AM (#35742140)

    The summary is wrong. The article does not actually say they can't store hashed passwords. Yet another highly inaccurate summary to throw those who have not actually read TFA.

  • by Anonymous Coward on Thursday April 07, 2011 @04:28AM (#35742150)

    Just 2 points:

    1) The law referred to in the press (which is actually an application decree) does not ban hashes; it says the following data should be retained:

    "The password and the data used to verify it or to modify it"

    2) The decree also adds a KEY sentence, saying that this data should only be retained if it was previously *usually collected*.

    The words "the data used to verify it" could cover hashes, but more importantly point 2 means that if they didn't collect passwords, but only hashes, there is no need to start collecting clear-text passwords.

    Nevertheless, the decree has other major technical flaws that make it worth challenging in court. Not to mention that it could be considered in breach of European Legislation on data retention, which limits the scope of data that member states can ask to be retained.

  • by Eunuchswear (210685) on Thursday April 07, 2011 @04:31AM (#35742172) Journal

    Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.

    There's nothing on the ASIC site, nothing on http://www.laquadrature.net/

    All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm

    Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.

  • Re:plain-text OS? (Score:4, Informative)

    by fredmosby (545378) on Thursday April 07, 2011 @04:39AM (#35742208)

    The article says they have to be able to provide the actual passwords. The idea behind using a hash is that the actual password isn't stored and can't be determined using the hash. That way if someone steals their data they still can't get the actual user passwords. According to the article, any secure implementation of hashed passwords would be in violation of this law.

  • by Noryungi (70322) on Thursday April 07, 2011 @04:42AM (#35742214) Homepage Journal

    You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.

    Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décret".

    In other words, it goes something like this:

    A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".

    B. Every geek in France loudly protests and are soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.

    C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whisper: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".

    D. Clueless Government promptly forgets all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.

    E. Profit. Meaning: everyone is happy: (Clueless Conservative) Government and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police are happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).

    Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.

    If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.

    Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)

  • Re:plain-text OS? (Score:5, Informative)

    by TheRaven64 (641858) on Thursday April 07, 2011 @05:56AM (#35742536) Journal

    It doesn't make much difference - the hash time is a constant factor, which is largely irrelevant when talking about complexity classes. The bigger advantage of using some other hash is that it's larger. For example, MD5 is 128 bits, but SHA-1 is 160 bits. This means that an SHA-1 rainbow table needs around four billion times more entries than for MD5. If storage capacity doubles every year, then an MD5 rainbow table becomes feasible 32 years before an SHA-1 rainbow table. In contrast, a constant factor slowdown is offset by a constant factor speedup (e.g. using a GPU or custom DSP).

  • Re:plain-text OS? (Score:2, Informative)

    by DarkOx (621550) on Thursday April 07, 2011 @06:36AM (#35742744) Journal

    True but the France that helped secure American independence was mostly doing so for old European conflict reasons and that France is a fair number of beheadings and other political revolutions away from the France we have today.

  • Re:well... (Score:2, Informative)

    by Bert64 (520050) on Thursday April 07, 2011 @06:40AM (#35742766) Homepage

    In which case, you can now authenticate with the hash instead... So the hash becomes the equivalent of plaintext; that's the worst of both worlds. Although you do mitigate that to some degree by changing the hash each time.

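The point above, that whatever value the server will accept as a credential is effectively the plaintext, is illustrated by this added example (not code from the thread or from any site mentioned in it). It contrasts a constructed "naive" server that accepts a client-supplied hash with one that salts and hashes the submitted password itself, so a leaked verifier cannot be replayed as a login; the user and password values are constructed for the demo.

```python
import hashlib
import hmac
import os


def make_verifier(password: str, salt: bytes) -> bytes:
    # Server-side salted, iterated hash; this is what gets stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class NaiveServer:
    """Client sends sha256(password); server compares it to the stored hash.
    The stored value IS the credential, so a leak of the store is as bad as
    a leak of plaintext passwords (the "worst of both worlds" case)."""

    def __init__(self):
        self.store = {}

    def register(self, user: str, password: str) -> None:
        self.store[user] = hashlib.sha256(password.encode()).digest()

    def login(self, user: str, submitted_hash: bytes) -> bool:
        return hmac.compare_digest(self.store.get(user, b""), submitted_hash)


class SaltedServer:
    """Client sends the password; server salts and hashes it itself.
    The stored verifier is never accepted as a credential."""

    def __init__(self):
        self.store = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.store[user] = (salt, make_verifier(password, salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self.store:
            return False
        salt, verifier = self.store[user]
        return hmac.compare_digest(verifier, make_verifier(password, salt))


def demo() -> dict:
    # Constructed account; pretend the credential stores were leaked.
    naive, salted = NaiveServer(), SaltedServer()
    naive.register("alice", "correct horse")
    salted.register("alice", "correct horse")
    leaked_hash = naive.store["alice"]
    _leaked_salt, leaked_verifier = salted.store["alice"]
    return {
        "naive_hash_logs_in": naive.login("alice", leaked_hash),
        "salted_verifier_logs_in": salted.login("alice", leaked_verifier.hex()),
        "salted_password_logs_in": salted.login("alice", "correct horse"),
        "wrong_password_rejected": not naive.login("alice", hashlib.sha256(b"wrong").digest())
        and not salted.login("alice", "wrong"),
    }
```

The "changing the hash each time" mitigation from the comment corresponds to a nonce-based challenge, which is not shown here; the salted server already removes the replay problem because it never accepts its own stored value.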
  • by alexhs (877055) on Thursday April 07, 2011 @06:46AM (#35742796) Homepage Journal

    The only problem here is that it is about the application decree (posted by an AC in this thread). The law was voted in 2004 (surprise surprise, Sarkozy was the minister of economy at that time).

    The relevant portion of the decree is:

    Les données mentionnées au II de l'article 6 de la loi du 21 juin 2004 susvisée, que les personnes sont tenues de conserver en vertu de cette disposition, sont les suivantes :
    [...]
    3 Pour les personnes mentionnées aux 1 et 2 du I du même article, les informations fournies lors de la souscription d'un contrat par un utilisateur ou lors de la création d'un compte :
    [...]
    g) Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour ;

    Translation :
    The data mentioned in Section II of Article 6 of the Act of June 21, 2004 referred to above, that individuals are required to keep under this provision are as follows:
    [...]
    3 For the persons referred to in 1 and 2 of Article I of the same, the information given upon subscription of a contract by a user or when creating an account:
    [...]
    g) The password and the information needed to verify or change it, in their latest updated version;

  • Re:plain-text OS? (Score:5, Informative)

    by CrimsonAvenger (580665) on Thursday April 07, 2011 @08:00AM (#35743116)

    Funny how Americans (you're American, right?) started making so many jokes about the French surrendering the moment France became one of the most resistant to US behaviour over Iraq.

    We were making jokes about France surrendering long before Iraq.

  • Re:plain-text OS? (Score:4, Informative)

    by ProfBooty (172603) on Thursday April 07, 2011 @09:33AM (#35743924)

    You never heard of the phrase "Cheese eating surrender monkeys" from the Simpsons in the mid 90's? The way the French are portrayed in US media, aside from their women, is typically not very positive. One could look at older US media to see so, in which Frenchmen are portrayed in the same manner in which Americans appear to be portrayed abroad.

    Anyways, a good American history class should cover where the ideas enshrined in the US constitution, Declaration of Independence etc should come from. When I was in high school, they predominantly emphasised John Locke's influence though he is certainly not the only one.
