France Outlaws Hashed Passwords
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
It's still likely that if an eCommerce site is hacked and personal data is stolen, they will be liable for not taking adequate care in storing personal information, such as following best practices for passwords.
Rock vs Hard Place
Summary isn't completely wrong; you're actually wrong.
The article specifically states that
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.
Which means that they would have to store the password, and be able to give it out to authorities.
So, to take your points:
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better, if you hack the French data you start potentially having the information necessary to recover passwords from other, more secure countries. As for the 'write only' file, seriously? The only write-only file is /dev/null. If you can read it at all, there's the possibility that it can be read by bad people; that's what a security breach is... I suppose you could use a printer and print them all; if there's no digital way to read it then it would have to be a physical security breach, but the cost of compliance?
Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...
Kinda plausible, if only hashes were guaranteed to be one-to-one, only they aren't, as it is possible to have hash collisions where two passwords map to the same hash. This doesn't usually matter, but it does mean you wouldn't be able to guarantee that there was no hash collision and that you weren't giving the authorities the wrong password, which would be illegal under this law. Granted, the authorities may not know this and may not do anything about it, but if they wanted to be evil it wouldn't be hard to prove non-compliance.
or just "reset" the password of the account and give it to the French police.
Yeah, as above, this would be giving them the incorrect password and would be violating the law. You really think they want the password to log into the site? Seriously? When they can just demand access? Most likely they're taking advantage of the fact that people tend to use the same passwords, so getting a historical record (and note this information has to be held for at least a year) of passwords for that user means there is a high likelihood that they'll be able to access data outside of their country. The law isn't asking them for their current password, or should I say not JUST their current password; it's asking for ALL of this data for the last year.
It's a data retention law, not a "you must provide this to authorities when asked" law. You have to gather the information all the time, keep it for a minimum of a year, and provide all that historical information on request (this is not just the current information). Which means you cannot just provide the current information, or reverse a hash, etc.
The law is broad-reaching, really intrusive, and will cause far more problems for anyone than the French might hope it will solve, but for some reason you (after apparently reading the article) missed entirely the point of it.
Z.
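The hashed-authentication setup the two commenters above are arguing over, as an added example that is not from the original post, the article or any of the services named: a site that keeps only a salt and a derived hash can still authenticate users, and the only thing that record gives anyone who obtains it (an attacker or an authority) is the ability to test guesses, which is what "cracking tools" do. The KDF choice (PBKDF2-HMAC-SHA256), the iteration count, the `make_record`/`verify`/`crack` names and the wordlist are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. The iteration count is kept modest so the demo runs quickly;
# real deployments use far higher counts or a memory-hard KDF.
ITERATIONS = 50_000
SALT_LEN = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only what is needed to validate a password later: the salt, the
    derived hash and the KDF parameters. The plaintext is never retained."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def crack(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against a stored record. Returns the first guess that
    validates: a password that works against this record, not proof that it
    was the one the user originally typed."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


# Constructed sample wordlist for the demo.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2"]

if __name__ == "__main__":
    rec = make_record("hunter2")
    print("verify correct password:", verify(rec, "hunter2"))
    print("verify wrong password:  ", verify(rec, "hunter3"))
    print("dictionary hit on weak password:", crack(rec, WORDLIST))
    strong = make_record("correct horse battery staple")
    print("dictionary hit on strong password:", crack(strong, WORDLIST))
```

Because the salt is random per user, two accounts with the same password produce different records, so a breached table cannot be cracked once and reused; the attacker (or anyone ordered to "produce" the password) has to run the dictionary against each record separately, and a password outside the wordlist is simply not recovered.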
It would.
If the law stated this, which, of course, it doesn't. But no one apparently took time to properly read it before firing the paranoia flares.
The "password" bit is part of a data retention clause for account management. On any account that a service provider created for an on-line service or access, you must retain some data for ONE year after the account is closed. Among the bits is, I cite - translated - "password, means to validate it". And, hidden a few lines below is the clincher "such data must be retained only if it was collected".
In other words, the law states that:
1) If you get a password in plaintext and store it as is, you must KEEP a copy of that password for one year after the account has closed
2) If you get a password and store a way of validating that password (such as a hash), you must KEEP a copy of that hash or whatever for one year after the account has closed.
3) If you don't use a password for the service (for example, you are an ISP, and access from your customers to their DSL is entirely authenticated by the telco end), then you keep nothing. But for a year, of course!