France Outlaws Hashed Passwords 433
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
plain-text OS? (Score:5, Interesting)
Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?
Re:plain-text OS? (Score:5, Insightful)
It doesn't have to be plain-text, they are just saying that it must be stored in a way that allows the plaintext to be provided on request.
I'm pretty sure AD allows you to store passwords in reversible encryption rather than hashes if you so chose.
Re:plain-text OS? (Score:5, Informative)
In that case. Point them to the md5 rainbow tables and store it as md5.
Re: (Score:2)
Re: (Score:3)
It's not bad, but it's apparently better to use a hash that was designed to be slow. MD5 is part of a family of hashes designed to be fast, to provide a digest of large byte streams which can be signed to provide non-repudiation. Hash functions like bcrypt() [wikipedia.org] have been designed to be expensive - this matters little when you are only running it once to authenticate your user, but the extra expense makes it less practical to generate rainbow tables or brute-force a known hash.
Re:plain-text OS? (Score:5, Informative)
Re: (Score:3)
For example, MD5 is 128 bits, but SHA-1 is 160 bits. This means that an SHA-1 rainbow table needs around four billion times more entries than for MD5.
I don't think so. Rather than storing the hash of every password, rainbow tables store the hash of every, say, alphanumeric password less than X characters long. The character set and the password length are set by the reduction function - see http://en.wikipedia.org/wiki/Rainbow_table [wikipedia.org] for more info. That means for a given set of possible passwords, the MD5 and SHA-1 rainbow tables will be about the same size.
Re: (Score:3)
"It's not bad, but it's apparently better to use a hash that was designed to be slow"
Even if a hash had a processing time of 1 clock-cycle, just iterating through combinations to brute-force a password would take too long. The "speed" of the hash doesn't matter, only that it doesn't give collisions easily.
The only real way a faster hash would be worse is if someone was using a non-safe password and the hacker didn't have to brute-force.
Just think about it this way, if you had a 12 char password, the hacker
Re: (Score:2)
Re: (Score:2)
Hmm, why not store it in one of the many ways available in which the method of recovery is known but prohibitively long? Or are the companies mandated to provide the passwords before the heat-death of the universe?
I never understood (Score:3)
why anyone would use an OS calling itself secure (or website for that matter) where you could "reverse" out the password. It boggles my mind that many websites already store in clear text or with grade school encryption.
As to the poster above you, it certainly would make some IBM systems I work with that are used in a web environment illegal, there is no possible way on one of the OSes used in my shop to reverse the password or crack it with access to the system. It would be far easier to just guess it base
Re: (Score:2)
Re: (Score:3)
With AD, the hash is equivalent to the plaintext anyway. There are various tools which will allow you to authenticate using the hash without ever knowing what the plaintext equivalent was.
Re: (Score:3)
Use a decent two-factor encryption.
Encrypt with public key; store that version as if it were a hash. Do authentication the normal way but instead of SHA/MD5 hashes ask for encryption with public key.
In case law enforcement asks for the passwords, use private key to decrypt them.
Of course the private key does not need to be present on the live system, indeed should be kept physically away from that system (keep the private key stored on USB keys that are locked in a safe or something like that).
Problem s
Re: (Score:3)
This is a more or less verbatim repeat of what I said to someone else, but it merits repeating here because your post addresses my response's topic head-on: the fundamental problem with that approach is that RSA and AES both include an element of random variation in the encrypted text. In other words, given a plaintext password and a public key, you can't assume that the encrypted output you get THIS time will be identical to the encrypted output you'll get NEXT time (or from a different implementation of t
Re: (Score:3)
Re: (Score:2)
I think I agree to an extent, reversible encryption in only a notch better than plain text, and some dumb policymaking politician doesn't understand technology and it doesn't mean we have to bow to such idiots at the helm. .fr pages, I don't think they will do it unless they really have to.
A very strong message would be for google to withdraw from France and stop indexing
Re:plain-text OS? (Score:5, Insightful)
If enough large internet entities black-holed France as a united front, the law (or France) would go away and other countries would learn a very valuable lesson. That or just declare that since it's a lot of trouble to maintain multiple authentication systems, all French Citizens will have their password set to "password".
An alternative would be to start hacking and publishing password lists for France.
Re: (Score:2)
If enough large internet entities black-holed France as a united front, the law (or France) would go away and other countries would learn a very valuable lesson.
Would that lesson be : if you cut a country off from the Internet, it magically disappears?
Re: (Score:2, Insightful)
Re:plain-text OS? (Score:5, Informative)
We were making jokes about France surrendering long before Iraq.
Re:plain-text OS? (Score:4, Informative)
You never heard of the phrase "Cheese eating surrender monkeys" from the Simpsons in the mid 90's? The way the French are portrayed in US media, asides from their women, are typically not very positive. One could look at older US media to see so, in which Frenchmen are portrayed in the same manner in which Americans appear to be portrayed abroad.
Anyways, a good american history class should cover where the ideas enshrined in the US constitution, Declaration of independence etc should come from. When I was in high school, they predominantly emphasised John Locke's influence though he is certainly not the only one.
Re: (Score:3)
Re: (Score:3)
Even during WWII, France really didn't have a choice. It was essentially surrender, and have life pretty much go on as it was, except with Wehrmacht officers sitting at a table at your cafe, versus having the country torched.
The French also had a strong, organized resistance which was an army in among itself. A person calling these guys cowards or surrender monkeys is just clueless. These guys risked not just their own lives, but their family and friends. Without these guys, and the intel they brought t
Re: (Score:3)
Funny how Americans (you're American, right?) started making so many jokes about the French surrendering the moment France became one of the most resistant to US behaviour over Iraq. Doubly amusing when you think how important French assistance was to the American forces in the war of independence.
Funny how people bring up shit that didn't happen in their lifetime as a reason we are supposed to like/dislike a country.
I don't give a fuck what France did for this country in the 1700's. I don't care what France did in the 1900's.
In the 2000's, I care. Now I don't care that France is making these stupid laws for their country, as I'll never go there, and it does NOT effect me one way or another. Honestly, I'm pretty sure most Americans don't give a fuck about france. Well, Polanski did when he f
Re: (Score:3)
> Doubly amusing when you think how important French assistance was to the American forces in the war of independence. If it wasn't for the USA you'd be speaking German right now...
If it wasn't for France the USA would be speaking English right now...
Re: (Score:3)
Re: (Score:2)
That's not remotely similar to secure; that is secure. Or at least as-secure-as. I see SHA being broken before RSA.
Re: (Score:2, Informative)
The summary is wrong. The article does not actually say they can't store hashed passwords. Yet another highly inaccurate summary to throw those who have not actually read TFA.
Re: (Score:3)
Re: (Score:2)
Re:plain-text OS? (Score:4, Informative)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
If you can access all of the data in the user's account without their password, even through a backdoor, it's no more secure than if you just stored the password in plain text.
Re:plain-text OS? (Score:5, Insightful)
It would.
If the law stated this, which, of course, it doesn't. But no one apparently took time to properly read it before firing the paranoia flares.
The "password" bit is part of a data retention clause for account management. On any account that a service provider created for an on-line service or access, you must retain some data for ONE year after the account is closed. Among the bits is, I cite - translated - "password, means to validate it". And, hidden a few lines below is the clincher "such data must be retained only if it was collected".
In other words, the law states that:
1) If you get a password in plaintext and store it as is, you must KEEP a copy of that password for one year after the account has closed
2) If you get a password and store a way of validating that password (such as a hash), you must KEEP a copy of that hash or whatever for one year after the account has closed.
3) If you don't use a password for the service (for example, you are an ISP, and access from your customers to their DSL is entirely authenticated by the telco end), then you keep nothing. But for a year, of course!
Unfortunately.... (Score:5, Insightful)
Its still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information such as following best practices for passwords.
Rock vs Hard Place
Re: (Score:2)
To begin with, there's a world of difference between knowing how to salt and hash passwords (very basic stuff that any developer should know) and knowing how to secure a system connected to the Internet (more of a job for dedicated security experts).
Secondly, the assumption must be that you will be hacked and that you should try to minimize impact when this happens. If the passwords are properly hashed then you (the site owner) have done the most important part of your work to ensure that when your site is
French style (Score:4, Insightful)
Actually, that's probably exactly what the French are after; even if it's only a `side-effect` in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.
Stating that this effect is 'on purpose' is hard to prove. After all, european legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy breaking law.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.
That reminds me of something I have noticed recently. When I studied English, I recall that the coursebook hardly mentioned England, but instead had several texts about the changes in Europe post Cold War. Now, in contrast: I've started studying French not long ago, and the book goes on and on about France. It's like they think they're the center of the world or something.
Re: (Score:2)
Or China... Or Japan... Wait Every one does it ! Only in this case, I suspect incompetence rather than evil protectionnisme... With maybe a little big-brother wannabe.
Oh well (Score:2)
A simple solution (Score:5, Funny)
I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholder's interests.
The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.
And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!
Re:A simple solution (Score:5, Funny)
Luxembourg slowly started complying... by first publishing account details about French politicians! Always be careful what you ask for!
Re: (Score:2)
I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholder's interests.
The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.
And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!
A win for everyone? I doubt it. I don't think that would be a "win" for clients/consumers/end-users. Are you really that myopic or is this a troll?
Re: (Score:3)
A win for everyone? I doubt it. I don't think that would be a "win" for clients/consumers/end-users. Are you really that myopic or is this a troll?
Did you just stop reading at that sentence? Did you think that anyone could seriously suggest this? The final paragaph puts it in context when the "win" for the French people was that they get to learn to care about their data security. It is a lesson that they can pass on to the government at the next election.
This is especially aimed towards the "I have got nothing to hide, so why should I care" type of person. It bad enough that the government can access the logs of what you do online, but with the passw
Re: (Score:3, Insightful)
Summary is COMPLETELY WRONG (Score:5, Informative)
Storing passwords as hashes instead of plain text is now illegal in France,
No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.
Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google due to some privacy issues, and now they want them to keep so much data for so long time?
Re:Summary is COMPLETELY WRONG (Score:5, Informative)
First, I'm French.
I read the law http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTEXT000023646013&dateTexte=&oldAction=rechJO&categorieLien=id
You have to store information about content creators only (not relevant for a pure mail provider, maybe in the case of a multiservice google account).
Password, and payment information, among others, must be given upon request to the authorities, but as i understand, ONLY IF THEY ARE ALREADY COLLECTED.
Not that I think it's a "good" law, but it is not as bad as said in the article, as I understand it.
Re:Summary is COMPLETELY WRONG (Score:4)
or just "reset" the password of the account and give it to the French police.
This tips off the target that they cops are onto them. I was going to write suspect, but assumes that this will not get abused by the government to spy on non-suspects too.
I guess the way to protect yourself from this surveillance is to change your password on a daily basis (or even twice a day). By the time that the request has been processed by the service provider and passed onto the authority, then it will already be out of date.
Re:Summary is COMPLETELY WRONG (Score:5, Insightful)
Summary isn't completely wrong, you're actually wrong.
The article specifically states that
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.
Which means that they would have to store the password, and be able to give it out to authorities.
So, to take your points:
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better if you hack the french data you start potentially having information necessary to recover passwords from other more secure countries. As for the 'write only' file, seriously? the only write only file is /dev/null, if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a printer and print them all, if there's no digital way to read it then it would have to be a physical security breach, but the cost of compliance?
Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...
Kinda plausible, if only hashes were guaranteed to be one to one, only they aren't as it is possible to have hash collisions where two passwords can point to the same hash. This doesn't usually matter but it does mean you wouldn't be able to guarantee that there was no hash-collision and you were giving the authorities the wrong password, which would be illegal under this law. Granted the authorities may not know this and many not do anything about it, but if they wanted to be evil it wouldn't be hard to prove non-compliance.
or just "reset" the password of the account and give it to the French police.
Yeah, as above this would be giving them the incorrect password and would be violating the law. You really think they want the password to log into the site? Seriously? When they can just demand access? Most likely they're taking advantage of the fact that people tend to use the same passwords, so getting a historical record (and note this information has to be held for at least a year) of passwords for that user means there is a high likelihood that they'll be able to access data outside of their country. The law isn't asking them for their current password, or should I say not JUST their current password, it's asking for ALL of this data for the last year.
It's a data retention law, not a you must provide this to authorities when asked. You have to gather the information all the time and keep it for a minimum of a year and provide all that historical information on request (this is not just the current information). Which means you cannot just provide the current information, or reverse a hash etc.
The law is broad reaching, really intrusive and will cause far more problems for anyone than the french might hope it will solve, but for some reason you (after apparently reading the article) missed entirely the point of it.
Z.
Re: (Score:2)
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better if you hack the french data you start potentially having information necessary to recover passwords from other more secure countries. As for the 'write only' file, seriously? the only write only file is /dev/null, if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a pr
Re: (Score:3)
Actually, you're wrong, but you can be excused for it, because you relied on the article. The problem is that the article is wrong.
If you actually look at the text of the law itself, it explicitly says that passwords, either plaintext or hashed, must be retained only if they are currently stored. The law doesn't tell you what you have to store, just how long you have to store it for, and requires you to give it up to the police when asked.
Here is the Babel Fish translation of the law itself: http://66.163.1 [66.163.168.225]
Re:Summary is COMPLETELY WRONG (Score:4, Insightful)
Not correct. There are lots of ways of setting up a system that can write but not read. For example, a line printer that records a transaction log. To see the password, you have to physically read the printout. You could get the same effect with a dedicated server with a single-use connection to the main server (and no internet connection! Doesn't even need to have a TCP/IP stack) and a well controlled software environment.
Goodbye GANDI (Score:2)
Well, I just finished switching my Domain registration across to GANDI.
Time to move again... jeez France.
French Data Law (Score:3)
Sadly, the restrictions in France in eCommerce are wider ranging than even this. Storing credit card information, for example, requires companies to jump through many hoops and prove data is stored in Europe. Many sites steer clear of storing credit card information. Any subscriptions (newsletters, etc) have to be kept in auditable databases and opt-out laws are strong. Sometimes this is a good thing for the end user, but it stifles intelligent lazy login systems and means billing is not as automated as it needs to be. Anti fraud measures such as 3D secure [wikipedia.org] (Verified by Visa, Mastercard Securecode) are crap in France because the banks have all adopted different ways of authenticating their clients in an online payment system (some by a challenge/response via SMS, some via one time pads, some via birthdate, etc).
Obviously legal departments are kept busy, and content publishers or eCommerce merchants end up crippling user experience because they are very likely to take a pessimistic interpretation of all the data privacy laws. So the French do what? The internet illuminati sign up for US/UK English versions of sites, or French canadian sites, whereas the average Joe just things the net is about typing in the same data all the time.
Where are the politicians with tech knowledge??? (Score:4, Insightful)
I don't know if it is the same in france, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.
Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.
Where are the engineers and scientists willing to step up and serve their country politically? We need you.
Re: (Score:2)
I agree with you, there is a very dire need to get more various technical and scientific expertize into polit
Disputable interpretation by journalists (Score:2, Informative)
Just 2 points :
1) The law referred in the press (which is actually an application decree) does not ban hashes, it says the following data should be retained:
"The password and the data used to verify it or to modify it"
2) The decree also adds a KEY sentence, saying that this data should only be retained if it was previously *usually collected*.
The words "the data used to verify it" could cover hashes, but more importantly point 2 means that if they didn't collect passwords, but only hashes, there is no need
Re: (Score:2)
Point 2: But what constitutes "collection"? If you take a plain password to the server and hash it there it could be said that the server has collected the password (even if it didn't eventually store it anywhere more permanent than RAM).
So how about a fucking link? (Score:5, Informative)
Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.
There's nothing on the ASIC site, nothing on http://www.laquadrature.net/ [laquadrature.net]
All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm [zdnet.fr]
Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.
What on eath use do the think this will be (Score:2)
Before everyone gets too excited... (Score:5, Informative)
You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.
Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décrets".
In other words, it goes something like this:
A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".
B. Every geek in France loudly protests and are soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.
C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whipers: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".
D. Clueless Government promptly forget all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.
E. Profit. Meaning: everyone is happy: (Clueless Conservative) Governement and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police is happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).
Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.
If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.
Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)
Re: (Score:2)
Please mod parent up, it is a sad but accurate description of how French legislative system looks like.
Re:Before everyone gets too excited... (Score:5, Informative)
The only problem here is that it is [legifrance.gouv.fr] about the application decree (posted by an AC in this thread). The law was voted in 2004 (surprise surprise, Sarkozy was the minister of economy at that time).
The relevant portion of the decree is :
Les données mentionnées au II de l'article 6 de la loi du 21 juin 2004 susvisée, que les personnes sont tenues de conserver en vertu de cette disposition, sont les suivantes : ;
[...]
3 Pour les personnes mentionnées aux 1 et 2 du I du même article, les informations fournies lors de la souscription d'un contrat par un utilisateur ou lors de la création d'un compte :
[...]
g) Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour
Translation :
The data mentioned in Section II of Article 6 of the Act of June 21, 2004 referred to above, that individuals are required to keep under this provision are as follows:
[...]
3 For the persons referred to in 1 and 2 of Article I of the same, the information given upon subscription of a contract by a user or when creating an account:
[...]
g) The password and the information needed to verify or change it, in their latest updated version;
All these comments (Score:4, Interesting)
And nobody sees this is easy to implement and perfectly safe.
1. Create a GPG key pair
2. Put the public key on the login server, the private key in a safe.
3. When setting the password, encrypt the plaintext password with the public key.
If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.
Re: (Score:2)
Mainly because public key encryption is way too slow. What you want is generate a random symmetric key, encrypt the data you need with that, and then encrypt the symmetric key using your public key, once, and delete all other traces of the symmetric key.
The end result is still the same, just a whole lot faster.
Re: (Score:2)
Congrats, you've just described how encrypting something with GPG works. Except when you're just storing so short as a user/pass combo that's actually extra overhead. Or did you think you would encrypt all the passwords at once? And how would you then update one password or add one user? You don't *have* the other passwords as plaintext anymore and you can't recover them - if you could then anyone who rooted your login server could too. Besides, once every password reset is not much at all.
Re: (Score:2, Insightful)
You're missing the point. Sure, it is possible to securely store the user's password to where it is essentially impossible for a hacker to obtain it, but why does the French government need it to begin with? If they have the proper legal documentation, they can obtain any of the customer's data from a given site without providing the password. The whole point is that now, they can access other services used by the customer where they used the same password without obtaining a warrant. That is bad.
RTFL, read the law (Score:2)
Could people with better French than me please verify my understanding of what it says:
http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTE [legifrance.gouv.fr]
Re: (Score:2)
Re: (Score:2)
The password AND data to verify it or change it.
France want to unprotect the french? (Score:2)
Not storing passwords is a good system to protect people privacy and safety.
And the very idea of banning *how* you protect people with software is stupid itself.
- Is stupid, because unenforceable laws are stupid. Banning something you cant enforce is wasting everybody time.
- Is stupid because is not achieving what you probably want. If you want to be able to get the bad guys data, the bad guys can just use cleartext passwords, but cypher the actual data, so even if you get the password, you get a bunch of
Why the state needs the plain password? (Score:3)
Why they even need the plain password? The service providers have the (salted) hash of the password, with it the user can access the account. What the state agencies need is the hash and an interface to input the hash to access the user account.
Why they need even that? The service providers are storing the information on their servers anyway, why can't they give a copy of it to the state agencies?
The only reason that requires to save the plain text password is that the state agencies want to have the password in the hope that the person uses that password for other accounts. A lot of people don't bother to make up new passwords, they just think of a password and use it everywhere.
Hang on (Score:2)
Oh non... (Score:4, Funny)
Mon mot de passe est une table de hachage, vous mottes insensible!
Completely wrong (Score:3, Interesting)
The "decret d'application" of the law (it's a law from 2004 but not applicable before this "decret") doesn't prohibit hashed password. It's a misinterpretation of the decret.
Actually, it states that IF you store the password in clear text for authentication, you have to keep the password in clear text in your logs during a year. But IF you store a hashed version of the password, you have to log the last hashed used. And if you don't store your users' password (logged via facebook or other centralized authentication) you don't have to.
The decret only specify what to keep in the logs IF the information is already known and stored. It doesn't specify WHAT to store. What to store is specified by a EU directive.
Yro
Re: (Score:2)
Re: (Score:2)
Yeah, you're right. Because there is still SOMETHING they need to do, then it hasn't made their live EASIER. (Easier being the operative word here)
Also, sure, Google and Facebook might be secure, so ALL websites will be [torrentfreak.com] secure [pcworld.com].
Re: (Score:2)
It would make their live EASIER. One step is removed: That is determining passwords from the hash.
I would say that makes their lives significantly easier.
Re:well... (Score:5, Interesting)
Can't wait till the next news article after this goes live...
"There has been a sudden increase in credit card fraud in France of late, due to users using the same password on every different system. So when a .fr site is hacked or an employee goes rogue, suddenly you get a lot more than you originally bargained for."
Re: (Score:3)
Government's a lot like religion. It's done so many bad things that a huge amount of ignorant people think the world would be better off without it. If you care at all to get your head out of your ass, you'll realize that it's done an incredible amount of unequaled good, too, between its short spurts of horrifically bad, though.
Also like religion, it's a basic need of the world at large. Try as you might to replace it with something else or even nothing it all, it'll always come creeping back in/ Even in tr
Re:well... (Score:4, Interesting)
Government's a lot like religion. It's done so many bad things that a huge amount of ignorant people think the world would be better off without it. If you care at all to get your head out of your ass, you'll realize that it's done an incredible amount of unequaled good, too, between its short spurts of horrifically bad, though.
Also like religion, it's a basic need of the world at large. Try as you might to replace it with something else or even nothing it all, it'll always come creeping back in/ Even in tribal societies there are village elders.
Human beings need to organize. We're social creatures. When we organize in groups, it is imperative that we defend ourselves from incursions from other groups. Otherwise, the other groups will take our stuff and we will perish. The most basic groups, like the tribe, are readily destroyed by the more organized groups (like the genocide practiced on the American Indians). Big groups are subject to fragmentation (see the American Civil War). Government is never a static thing, it is a practical, seat-of-the-pants human thing.
Arguing whether government is good is like arguing whether the atmosphere is good. We need both.
Re: (Score:3, Interesting)
Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.
Re:well... (Score:4, Insightful)
Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.
RIGHT well, APART from better sanitation and medicine and education and irrigation and public health and roads and a freshwater system and baths and public order...
WHAT have the romans ever done for US?
Re: (Score:3)
So in 1000 years people will falsely credit the USA Government with the invention of the light bulb? What a shame when credit for all inventions, discoveries and accomplishments goes to whatever government had authority over the actual inventor. Why can't you wrap your mind around the fact that individuals are the source of all ideas. A government has no wisdom of it's own. It's wisdom comes from from the individuals who make it up.
No, but they might credit it and the USSR with the start of space exploration, putting a man on the moon, and so on. Sure, it's a large group of individuals that contributed to this, but that's exactly what a government is. You're argument is basically "That group of individuals has no wisdom of it's own, it's wisdom comes from the sum of individuals in the group" which is just pedantic.
Re:well... (Score:5, Insightful)
Re:well... (Score:5, Funny)
Re: (Score:3)
Well that confirms it had nothing to do with Rush Limbaugh!
ba-dum-psh!
Re:well... (Score:4, Insightful)
If they have access to the system checking the passwords though, it's still receiving the password in plaintext from the user.
Depends on the authentication scheme used. In some, only the client ever has access to the plaintext password. For example:
The other advantage of this is that the server doesn't know when the user has changed its password. The server is required to change the stored password each login, so it's impossible to steal someone's account without their knowledge, unless you get their password via some other means. If you log in, you must change their password, and the next time they log in they will discover that it's changed.
Re: (Score:3)
In which case, you can now authenticate with the hash instead.
Yes, but only once, and not without leaving a trail.
So the hash becomes the equivalent of plaintext, thats the worst of both worlds.
No it isn't. The transmitted and stored values are both only valid for a single log in. All accounts can use the same password without the server being able to recover it (the benefit of a hash), and a passive eavesdropper now only has a password that they can use once, rather than every time, and can't use undetected.
Although you do mitigate that to some degree by changing the hash each time
Which makes about as much sense as saying 'storing hashed passwords is about as secure as storing plaintext ones, although that's offset a
Re: (Score:2)
I foresee various loopholes around this - like offshoring all the web shops - or maybe it's enough to offshore the login services.
Re:well... (Score:5, Interesting)
I can see a push towards OpenID, or more realistically, Facebook/Twitter/Google authentication services in French websites.
Randomize (Score:3)
I use a password manager and unique randomly generated passwords for wherever I sign up. As far as I am aware, I don't have any accounts on servers in France, but even if I do that'd be all anybody'd be able to get access to with that password.
It did take a while to find a password manager that supported all my platforms and offered sufficient integration to not make life too difficult, but well worth it for the peace of mind.
For my local stuff (OS logins etc) I use passphrases I can actually remember and t
Re: (Score:2)
OK, Cough up. Which one do you use?
I use LastPass which seems to do the job for me though I'm always a bit scared that there may be some security issue with it.
Re: (Score:3)
I settled on 1Password. Lastpass was the only serious contender, as far as I can remember. I can't quite recall all the reasons I went with 1Password instead, but I believe user interface and sync via dropbox as opposed to Lastpass servers played a part.
I use it on my Android phone, iPad, Mac and Windows computers, all synced via dropbox. It's quite painless to use, and I couldn't be happier with it.
Re: (Score:2)
I'll make you a deal. Think that through for a bit longer, then respond as something else than AC, and I'll happily tell you which rather vital step you're missing to make your "less secure" statement true.
Re: (Score:2)
1Password. If money's an issue, check out Lastpass. Those two seem to be the major contenders.