
France Outlaws Hashed Passwords 433

Posted by samzenpus
from the keep-your-receipt dept.
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
  • plain-text OS? (Score:5, Interesting)

    by edmudama (155475) on Thursday April 07, 2011 @03:55AM (#35742012)

    Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?

    • Re:plain-text OS? (Score:5, Insightful)

      by norpy (1277318) on Thursday April 07, 2011 @04:01AM (#35742030)

      It doesn't have to be plain-text, they are just saying that it must be stored in a way that allows the plaintext to be provided on request.

      I'm pretty sure AD allows you to store passwords in reversible encryption rather than hashes if you so choose.

      • Re:plain-text OS? (Score:5, Informative)

        by 0100010001010011 (652467) on Thursday April 07, 2011 @04:12AM (#35742088)

        In that case. Point them to the md5 rainbow tables and store it as md5.

        • by Yvanhoe (564877)
          Well, if you use md5 you may as well store them in plaintext indeed.
      • by l0b0 (803611)

        Hmm, why not store it in one of the many ways available in which the method of recovery is known but prohibitively long? Or are the companies mandated to provide the passwords before the heat-death of the universe?

      • why anyone would use an OS calling itself secure (or website for that matter) where you could "reverse" out the password. It boggles my mind that many websites already store in clear text or with grade school encryption.

        As to the poster above you, it certainly would make some IBM systems I work with that are used in a web environment illegal, there is no possible way on one of the OSes used in my shop to reverse the password or crack it with access to the system. It would be far easier to just guess it base

        • by delinear (991444)
          It would be nice if sites had some level of certification for things like password storage, perhaps as part of the SSL certification, so as a user I can see at a glance how secure/insecure a particular site really is (and if they tell me they're storing an encrypted/hashed password but it's actually cleartext there should be serious legal/financial consequences).
      • by Bert64 (520050)

        With AD, the hash is equivalent to the plaintext anyway. There are various tools which will allow you to authenticate using the hash without ever knowing what the plaintext equivalent was.

      • by wvmarle (1070040)

        Use a decent two-factor encryption.

        Encrypt with public key; store that version as if it were a hash. Do authentication the normal way but instead of SHA/MD5 hashes ask for encryption with public key.

        In case law enforcement asks for the passwords, use private key to decrypt them.

        Of course the private key does not need to be present on the live system, indeed should be kept physically away from that system (keep the private key stored on USB keys that are locked in a safe or something like that).

        Problem s

        • This is a more or less verbatim repeat of what I said to someone else, but it merits repeating here because your post addresses my response's topic head-on: the fundamental problem with that approach is that RSA and AES both include an element of random variation in the encrypted text. In other words, given a plaintext password and a public key, you can't assume that the encrypted output you get THIS time will be identical to the encrypted output you'll get NEXT time (or from a different implementation of t

      • In other words, it requires them to store the password in a way that makes it easier for identity thieves who get access to their systems to crack the password.
    • Re: (Score:2, Informative)

      by madprof (4723)

      The summary is wrong. The article does not actually say they can't store hashed passwords. Yet another highly inaccurate summary to throw those who have not actually read TFA.

      • by piripiri (1476949)
        You must be new here.
      • Re:plain-text OS? (Score:4, Informative)

        by fredmosby (545378) on Thursday April 07, 2011 @04:39AM (#35742208)
        The article says they have to be able to provide the actual passwords. The idea behind using a hash it that the actual password isn't stored and can't be determined using the hash. That way if someone steals their data they still can't get the actual user passwords. According to the article, any secure implementation of hashed passwords would be in violation of this law.
    • Re:plain-text OS? (Score:5, Insightful)

      by varcher (156670) on Thursday April 07, 2011 @08:55AM (#35743524)

      It would.

      If the law stated this, which, of course, it doesn't. But no one apparently took time to properly read it before firing the paranoia flares.

      The "password" bit is part of a data retention clause for account management. On any account that a service provider created for an on-line service or access, you must retain some data for ONE year after the account is closed. Among the bits is, I cite - translated - "password, means to validate it". And, hidden a few lines below is the clincher "such data must be retained only if it was collected".

      In other words, the law states that:

      1) If you get a password in plaintext and store it as is, you must KEEP a copy of that password for one year after the account has closed

      2) If you get a password and store a way of validating that password (such as a hash), you must KEEP a copy of that hash or whatever for one year after the account has closed.

      3) If you don't use a password for the service (for example, you are an ISP, and access from your customers to their DSL is entirely authenticated by the telco end), then you keep nothing. But for a year, of course!

  • Unfortunately.... (Score:5, Insightful)

    by Anonymous Coward on Thursday April 07, 2011 @04:00AM (#35742026)

    It's still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information such as following best practices for passwords.

    Rock vs Hard Place

    • To begin with, there's a world of difference between knowing how to salt and hash passwords (very basic stuff that any developer should know) and knowing how to secure a system connected to the Internet (more of a job for dedicated security experts).

      Secondly, the assumption must be that you will be hacked and that you should try to minimize impact when this happens. If the passwords are properly hashed then you (the site owner) have done the most important part of your work to ensure that when your site is

  • French style (Score:4, Insightful)

    by xonen (774419) on Thursday April 07, 2011 @04:01AM (#35742028) Journal
    If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.

    Actually, that's probably exactly what the French are after; even if it's only a `side-effect` in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.

    Stating that this effect is 'on purpose' is hard to prove. After all, european legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy breaking law. ...? Profit!
    • Re: (Score:3, Insightful)

      by YoopDaDum (1998474)
      "Never attribute to malice that which is adequately explained by stupidity". Politics in France are particularly clueless about technology. Worse, they think they know it all because they had some cute web site with streaming video being designed for them. And someone who thinks he's good without having a clue is dangerous indeed. The current France government is full swing in security posturing, without much concern for the practical consequences that are not so clear to them anyway. All this is enough to e
    • Please replace "The French don't like..." by "The French government don't like...". In addition, you can add "The French don't like their government", as they are only working for large corporations now, without even trying to hide this fact.
    • The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.

      That reminds me of something I have noticed recently. When I studied English, I recall that the coursebook hardly mentioned England, but instead had several texts about the changes in Europe post Cold War. Now, in contrast: I've started studying French not long ago, and the book goes on and on about France. It's like they think they're the center of the world or something.

  • Guess France wants to go back to the stone age. If this stays, they'll try to extend it to computers as well, and then well, anything that uses a GUI will pretty much be illegal.
  • by Gadget_Guy (627405) * on Thursday April 07, 2011 @04:07AM (#35742062)

    I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholders' interests.

    The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.

    And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!

    • by ArsenneLupin (766289) on Thursday April 07, 2011 @04:22AM (#35742118)
      Hehe, reminds me about when France leaned on Luxembourg to repeal its banking secrecy laws.

      Luxembourg slowly started complying... by first publishing account details about French politicians! Always be careful what you ask for!

      I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholders' interests.

      The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.

      And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!

      A win for everyone? I doubt it. I don't think that would be a "win" for clients/consumers/end-users. Are you really that myopic or is this a troll?

      • A win for everyone? I doubt it. I don't think that would be a "win" for clients/consumers/end-users. Are you really that myopic or is this a troll?

        Did you just stop reading at that sentence? Did you think that anyone could seriously suggest this? The final paragraph puts it in context when the "win" for the French people was that they get to learn to care about their data security. It is a lesson that they can pass on to the government at the next election.

        This is especially aimed towards the "I have got nothing to hide, so why should I care" type of person. It's bad enough that the government can access the logs of what you do online, but with the passw

  • by xtracto (837672) on Thursday April 07, 2011 @04:09AM (#35742070) Journal

    Storing passwords as hashes instead of plain text is now illegal in France,

    No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.

    It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

    Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.

    Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google due to some privacy issues, and now they want them to keep so much data for so long?

    • by Anonymous Coward on Thursday April 07, 2011 @04:26AM (#35742134)

      First, I'm French.
      I read the law http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTEXT000023646013&dateTexte=&oldAction=rechJO&categorieLien=id

      You have to store information about content creators only (not relevant for a pure mail provider, maybe in the case of a multiservice google account).
      Password, and payment information, among others, must be given upon request to the authorities, but as I understand, ONLY IF THEY ARE ALREADY COLLECTED.

      Not that I think it's a "good" law, but it is not as bad as said in the article, as I understand it.

    • by Gadget_Guy (627405) * on Thursday April 07, 2011 @05:00AM (#35742344)

      or just "reset" the password of the account and give it to the French police.

      This tips off the target that the cops are onto them. I was going to write suspect, but that assumes that this will not get abused by the government to spy on non-suspects too.

      I guess the way to protect yourself from this surveillance is to change your password on a daily basis (or even twice a day). By the time that the request has been processed by the service provider and passed onto the authority, then it will already be out of date.

    • by LBU.Zorro (585180) on Thursday April 07, 2011 @05:09AM (#35742376)

      Summary isn't completely wrong, you're actually wrong.

      The article specifically states that

      The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

      This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

      Which means that they would have to store the password, and be able to give it out to authorities.

      So, to take your points:

      It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

      Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better if you hack the french data you start potentially having information necessary to recover passwords from other more secure countries. As for the 'write only' file, seriously? the only write only file is /dev/null, if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a printer and print them all, if there's no digital way to read it then it would have to be a physical security breach, but the cost of compliance?

      Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...

      Kinda plausible, if only hashes were guaranteed to be one to one, only they aren't as it is possible to have hash collisions where two passwords can point to the same hash. This doesn't usually matter but it does mean you wouldn't be able to guarantee that there was no hash-collision and you were giving the authorities the wrong password, which would be illegal under this law. Granted the authorities may not know this and may not do anything about it, but if they wanted to be evil it wouldn't be hard to prove non-compliance.

      or just "reset" the password of the account and give it to the French police.

      Yeah, as above this would be giving them the incorrect password and would be violating the law. You really think they want the password to log into the site? Seriously? When they can just demand access? Most likely they're taking advantage of the fact that people tend to use the same passwords, so getting a historical record (and note this information has to be held for at least a year) of passwords for that user means there is a high likelihood that they'll be able to access data outside of their country. The law isn't asking them for their current password, or should I say not JUST their current password, it's asking for ALL of this data for the last year.

      It's a data retention law, not a you must provide this to authorities when asked. You have to gather the information all the time and keep it for a minimum of a year and provide all that historical information on request (this is not just the current information). Which means you cannot just provide the current information, or reverse a hash etc.

      The law is broad reaching, really intrusive and will cause far more problems for anyone than the french might hope it will solve, but for some reason you (after apparently reading the article) missed entirely the point of it.

      Z.

      • by BeTeK (2035870)

        It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

        Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better if you hack the french data you start potentially having information necessary to recover passwords from other more secure countries. As for the 'write only' file, seriously? the only write only file is /dev/null, if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a pr

      • by Rary (566291)

        Actually, you're wrong, but you can be excused for it, because you relied on the article. The problem is that the article is wrong.

        If you actually look at the text of the law itself, it explicitly says that passwords, either plaintext or hashed, must be retained only if they are currently stored. The law doesn't tell you what you have to store, just how long you have to store it for, and requires you to give it up to the police when asked.

        Here is the Babel Fish translation of the law itself: http://66.163.1 [66.163.168.225]

  • Well, I just finished switching my Domain registration across to GANDI.

    Time to move again... jeez France.

  • by fruey (563914) on Thursday April 07, 2011 @04:26AM (#35742142) Homepage Journal

    Sadly, the restrictions in France in eCommerce are wider ranging than even this. Storing credit card information, for example, requires companies to jump through many hoops and prove data is stored in Europe. Many sites steer clear of storing credit card information. Any subscriptions (newsletters, etc) have to be kept in auditable databases and opt-out laws are strong. Sometimes this is a good thing for the end user, but it stifles intelligent lazy login systems and means billing is not as automated as it needs to be. Anti fraud measures such as 3D secure [wikipedia.org] (Verified by Visa, Mastercard Securecode) are crap in France because the banks have all adopted different ways of authenticating their clients in an online payment system (some by a challenge/response via SMS, some via one time pads, some via birthdate, etc).

    Obviously legal departments are kept busy, and content publishers or eCommerce merchants end up crippling user experience because they are very likely to take a pessimistic interpretation of all the data privacy laws. So the French do what? The internet illuminati sign up for US/UK English versions of sites, or French canadian sites, whereas the average Joe just thinks the net is about typing in the same data all the time.

  • by niftydude (1745144) on Thursday April 07, 2011 @04:27AM (#35742144)
    I seem to be seeing more and more stories like this, where politicians make incredibly ill-conceived laws due to their ignorance of technical detail.

    I don't know if it is the same in france, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.

    Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.

    Where are the engineers and scientists willing to step up and serve their country politically? We need you.
    • I fear there's significant self-selection at work here. Would you join a political party full of people with a very different culture that you do not respect so much (and who pay lip service to yours)? Like you're an engineer, and political parties are made of lawyers and accountants as you said? Or to put it in a more colorful way, would you jump into a basket of crabs if you're not one yourself?

      I agree with you, there is a very dire need to get more various technical and scientific expertise into polit
  • by Anonymous Coward

    Just 2 points :

    1) The law referred in the press (which is actually an application decree) does not ban hashes, it says the following data should be retained:

    "The password and the data used to verify it or to modify it"

    2) The decree also adds a KEY sentence, saying that this data should only be retained if it was previously *usually collected*.

    The words "the data used to verify it" could cover hashes, but more importantly point 2 means that if they didn't collect passwords, but only hashes, there is no need

    • by asdf7890 (1518587)
      Point 1: While requiring that the plain password be stored does not stop hashed+salted passwords being stored, it does defeat the purpose of the hash. So they are not banned by the law, just made pointless by complying with the law.

      Point 2: But what constitutes "collection"? If you take a plain password to the server and hash it there it could be said that the server has collected the password (even if it didn't eventually store it anywhere more permanent than RAM).
  • by Eunuchswear (210685) on Thursday April 07, 2011 @04:31AM (#35742172) Journal

    Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.

    There's nothing on the ASIC site, nothing on http://www.laquadrature.net/ [laquadrature.net]

    All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm [zdnet.fr]

    Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.

  • If an ecommerce site can lock someone's account, give full access to the authorities, or change a password (all of which can be done with hashed passwords) why would they want to know someone's actual password? This will need rewriting of most systems and OSs for no gain whatsoever.
  • by Noryungi (70322) on Thursday April 07, 2011 @04:42AM (#35742214) Homepage Journal

    You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.

    Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décrets".

    In other words, it goes something like this:

    A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".

    B. Every geek in France loudly protests and are soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.

    C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whisper: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".

    D. Clueless Government promptly forgets all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.

    E. Profit. Meaning: everyone is happy: (Clueless Conservative) Government and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police is happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).

    Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.

    If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.

    Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)

    • Please mod parent up, it is a sad but accurate description of what the French legislative system looks like.

    • by alexhs (877055) on Thursday April 07, 2011 @06:46AM (#35742796) Homepage Journal

      The only problem here is that it is [legifrance.gouv.fr] about the application decree (posted by an AC in this thread). The law was voted in 2004 (surprise surprise, Sarkozy was the minister of economy at that time).

      The relevant portion of the decree is :

      Les données mentionnées au II de l'article 6 de la loi du 21 juin 2004 susvisée, que les personnes sont tenues de conserver en vertu de cette disposition, sont les suivantes :
      [...]
      3 Pour les personnes mentionnées aux 1 et 2 du I du même article, les informations fournies lors de la souscription d'un contrat par un utilisateur ou lors de la création d'un compte :
      [...]
      g) Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour ;

      Translation :
      The data mentioned in Section II of Article 6 of the Act of June 21, 2004 referred to above, that individuals are required to keep under this provision are as follows:
      [...]
      3 For the persons referred to in 1 and 2 of Article I of the same, the information given upon subscription of a contract by a user or when creating an account:
      [...]
      g) The password and the information needed to verify or change it, in their latest updated version;

  • All these comments (Score:4, Interesting)

    by Kjella (173770) on Thursday April 07, 2011 @04:44AM (#35742228) Homepage

    And nobody sees this is easy to implement and perfectly safe.
    1. Create a GPG key pair
    2. Put the public key on the login server, the private key in a safe.
    3. When setting the password, encrypt the plaintext password with the public key.

    If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.

    • Mainly because public key encryption is way too slow. What you want is generate a random symmetric key, encrypt the data you need with that, and then encrypt the symmetric key using your public key, once, and delete all other traces of the symmetric key.

      The end result is still the same, just a whole lot faster.

      • by Kjella (173770)

        Congrats, you've just described how encrypting something with GPG works. Except when you're just storing something as short as a user/pass combo that's actually extra overhead. Or did you think you would encrypt all the passwords at once? And how would you then update one password or add one user? You don't *have* the other passwords as plaintext anymore and you can't recover them - if you could then anyone who rooted your login server could too. Besides, once every password reset is not much at all.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You're missing the point. Sure, it is possible to securely store the user's password to where it is essentially impossible for a hacker to obtain it, but why does the French government need it to begin with? If they have the proper legal documentation, they can obtain any of the customer's data from a given site without providing the password. The whole point is that now, they can access other services used by the customer where they used the same password without obtaining a warrant. That is bad.
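The escrow design floated in the wvmarle and Kjella comments above, together with the objection that RSA encryption is randomized and the reply that symmetric wrapping is faster, worked through as an added example. This is my code, not anything posted in the thread or used by any of the companies named. It keeps the two jobs separate: a deterministic, salted, iterated hash (PBKDF2-HMAC-SHA256, standard library only) is the only thing the login server consults, while the plaintext password is separately encrypted to an RSA-2048 public key with OAEP so that only the offline private key can recover it. The 100,000-iteration count, the `"pw-escrow-v1"` OAEP label and the sample passwords are my assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Assumed work factor; tune to the hardware budget of the login tier.
const kdfIterations = 100_000

// OAEP label binding ciphertexts to this purpose (assumed name).
var escrowLabel = []byte("pw-escrow-v1")

// pbkdf2Sha256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output
// block: U1 = HMAC(P, S || INT(1)), Ui = HMAC(P, Ui-1), T = U1 xor ... xor Uc.
func pbkdf2Sha256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Verifier is the per-user login record: random salt plus PBKDF2 output.
// Same salt and password always give the same hash, so it can be compared.
type Verifier struct {
	Salt []byte
	Hash []byte
}

func NewVerifier(password string) (Verifier, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Verifier{}, err
	}
	return Verifier{Salt: salt, Hash: pbkdf2Sha256([]byte(password), salt, kdfIterations)}, nil
}

// Check recomputes the hash and compares in constant time.
func (v Verifier) Check(password string) bool {
	return subtle.ConstantTimeCompare(pbkdf2Sha256([]byte(password), v.Salt, kdfIterations), v.Hash) == 1
}

// Escrow encrypts the plaintext password to the retention public key. OAEP
// mixes in fresh random bytes, so the same password gives a different
// ciphertext each call: this output can never serve as the login verifier.
// With RSA-2048 and SHA-256, OAEP takes up to 190 bytes, so a password fits
// directly; wrapping a symmetric key is only needed for longer records.
func Escrow(pub *rsa.PublicKey, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), escrowLabel)
}

// Recover runs on the offline machine that holds the private key.
func Recover(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, escrowLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Record is what the live server stores; it only ever sees the public key.
type Record struct {
	V  Verifier
	Ct []byte
}

func Enroll(pub *rsa.PublicKey, password string) (Record, error) {
	v, err := NewVerifier(password)
	if err != nil {
		return Record{}, err
	}
	ct, err := Escrow(pub, password)
	if err != nil {
		return Record{}, err
	}
	return Record{V: v, Ct: ct}, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated offline, kept in the safe
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey // only this half is deployed to the login server

	const password = "correct horse battery staple" // constructed sample
	rec, err := Enroll(pub, password)
	if err != nil {
		panic(err)
	}
	ct2, _ := Escrow(pub, password)
	got, _ := Recover(priv, rec.Ct)
	fmt.Println("login with right password:", rec.V.Check(password))
	fmt.Println("login with wrong password:", rec.V.Check("Tr0ub4dor&3"))
	fmt.Println("two escrow ciphertexts equal:", bytes.Equal(rec.Ct, ct2))
	fmt.Println("offline recovery matches:", got == password)
	fmt.Println("stored verifier:", hex.EncodeToString(rec.V.Hash))
}
```

Running it shows the verifier accepting the right password and rejecting a wrong one, two escrow ciphertexts of the same password that differ byte for byte, and the private key recovering the plaintext offline. An attacker who dumps the database gets salted PBKDF2 output and OAEP ciphertexts, neither of which yields the password without the key in the safe; the design is only as good as that key actually staying off the live system.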

  • I suspect the OP did not verify the exact wording. The law requires retention of (among other things) "mot de passe ou données permettant de le vérifier ou de le modifie" (password *or* data to verify it *or* change it) so it seems that it would be enough to store the password hash and/or do a password reset when demanded by the law enforcement guys.

    Could people with better French than me please verify my understanding of what it says:

    http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTE [legifrance.gouv.fr]

    • by scsirob (246572)

      How is this any better than requiring every citizen to give a copy of their keys to their home, *or* permission to change the locks to the authorities, so the authorities can roam around at will?

      This is bloody stupid. All eCommerce companies not hosted in France should immediately and abruptly stop service to the entire French IP range. Today. Let's see them wiggle their way out of *that*..

    • by ei4anb (625481)
      oops, upon further reading I realize the law is http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023646013&categorieLien=id [legifrance.gouv.fr] That does indeed state: "Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour"

      The password AND data to verify it or change it.

  • Not storing passwords is a good system to protect people's privacy and safety.

    And the very idea of banning *how* you protect people with software is stupid itself.

    - It is stupid, because unenforceable laws are stupid. Banning something you can't enforce is wasting everybody's time.
    - It is stupid because it is not achieving what you probably want. If you want to be able to get the bad guys' data, the bad guys can just use cleartext passwords, but cipher the actual data, so even if you get the password, you get a bunch of

  • by devent (1627873) on Thursday April 07, 2011 @05:39AM (#35742478) Homepage

    Why they even need the plain password? The service providers have the (salted) hash of the password, with it the user can access the account. What the state agencies need is the hash and an interface to input the hash to access the user account.

    Why they need even that? The service providers are storing the information on their servers anyway, why can't they give a copy of it to the state agencies?

    The only reason that requires to save the plain text password is that the state agencies want to have the password in the hope that the person uses that password for other accounts. A lot of people don't bother to make up new passwords, they just think of a password and use it everywhere.

  • If you are the government and can just go in and seize the server and the logs anyway, why do you need the passwords? This law makes no sense, unless they realize that many people use the same password for almost everything and want an easy way to get someone's passwords...
  • Oh non... (Score:4, Funny)

    by muckracer (1204794) on Thursday April 07, 2011 @06:41AM (#35742770)

    My password is a hash table, you insensitive clod! (Original: "Mon mot de passe est une table de hachage, vous mottes insensible!")

  • Completely wrong (Score:3, Interesting)

    by yro (470681) on Thursday April 07, 2011 @08:10AM (#35743168)

    The "decret d'application" of the law (it's a law from 2004 but not applicable before this "decret") doesn't prohibit hashed password. It's a misinterpretation of the decret.
    Actually, it states that IF you store the password in clear text for authentication, you have to keep the password in clear text in your logs during a year. But IF you store a hashed version of the password, you have to log the last hashed used. And if you don't store your users' password (logged via facebook or other centralized authentication) you don't have to.

    The decret only specifies what to keep in the logs IF the information is already known and stored. It doesn't specify WHAT to store. What to store is specified by an EU directive.

    Yro
