France Outlaws Hashed Passwords
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
plain-text OS? (Score:5, Interesting)
Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?
Re:well... (Score:5, Interesting)
Can't wait till the next news article after this goes live...
"There has been a sudden increase in credit card fraud in France of late, due to users using the same password on every different system. So when a .fr site is hacked or an employee goes rogue, suddenly you get a lot more than you originally bargained for."
All these comments (Score:4, Interesting)
And nobody sees this is easy to implement and perfectly safe.
1. Create a GPG key pair
2. Put the public key on the login server, the private key in a safe.
3. When setting the password, encrypt the plaintext password with the public key.
If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.
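The escrow scheme sketched in this comment, as an added example that is not from the original post: the login server holds only the public key and encrypts each password at set time, and the private key is used only offline to open a ciphertext. It uses RSA-OAEP from the Go standard library in place of GPG; the key size, label and sample password are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// escrowLabel binds each ciphertext to this purpose; OAEP rejects a
// decryption attempt that supplies a different label. (Constructed value.)
var escrowLabel = []byte("password-escrow")

// EscrowPassword is the login-server side (step 3 of the comment).
// The server never holds the private key, so a database dump or a rogue
// employee gets ciphertexts it cannot open. OAEP adds fresh random padding,
// so two users with the same password produce different ciphertexts.
// Authentication itself should still run against a salted password hash;
// this copy exists only to answer a lawful demand.
func EscrowPassword(pub *rsa.PublicKey, password string) ([]byte, error) {
	// Direct RSA-OAEP can carry at most k - 2*hLen - 2 bytes
	// (k = modulus size in bytes, hLen = SHA-256 output size).
	maxLen := pub.Size() - 2*sha256.Size - 2
	if len(password) > maxLen {
		return nil, errors.New("password too long for direct RSA-OAEP; wrap a symmetric key instead")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), escrowLabel)
}

// RecoverPassword is the offline step with the private key from the safe.
func RecoverPassword(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, escrowLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Step 1: generate the key pair (constructed here; in practice done once, offline).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct, err := EscrowPassword(&priv.PublicKey, "correct horse battery staple") // step 3
	if err != nil {
		panic(err)
	}
	pt, _ := RecoverPassword(priv, ct) // offline recovery
	fmt.Printf("ciphertext %d bytes, recovered %q\n", len(ct), pt)
}
```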
Re:well... (Score:3, Interesting)
Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.
Re:well... (Score:5, Interesting)
I can see a push towards OpenID, or more realistically, Facebook/Twitter/Google authentication services in French websites.
Completely wrong (Score:3, Interesting)
The "decret d'application" of the law (it's a law from 2004 but not applicable before this "decret") doesn't prohibit hashed passwords. It's a misinterpretation of the decret.
Actually, it states that IF you store the password in clear text for authentication, you have to keep the password in clear text in your logs for a year. But IF you store a hashed version of the password, you have to log the last hash used. And if you don't store your users' passwords (logged in via Facebook or another centralized authentication) you don't have to.
The decret only specifies what to keep in the logs IF the information is already known and stored. It doesn't specify WHAT to store. What to store is specified by an EU directive.
Re:well... (Score:4, Interesting)
Government's a lot like religion. It's done so many bad things that a huge number of ignorant people think the world would be better off without it. If you care at all to get your head out of your ass, you'll realize that it's done an incredible amount of unequaled good, too, between its short spurts of horrifically bad, though.
Also like religion, it's a basic need of the world at large. Try as you might to replace it with something else or even nothing at all, it'll always come creeping back in. Even in tribal societies there are village elders.
Human beings need to organize. We're social creatures. When we organize in groups, it is imperative that we defend ourselves from incursions from other groups. Otherwise, the other groups will take our stuff and we will perish. The most basic groups, like the tribe, are readily destroyed by the more organized groups (like the genocide practiced on the American Indians). Big groups are subject to fragmentation (see the American Civil War). Government is never a static thing; it is a practical, seat-of-the-pants human thing.
Arguing whether government is good is like arguing whether the atmosphere is good. We need both.