Slashdot Mirror
France Outlaws Hashed Passwords
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
That's gonna be effective...
Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?
More data, damnit!
France just made life easier for hackers.
Its still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information such as following best practices for passwords.
Rock vs Hard Place
If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.
...? Profit!.
Actually, that's probably exactly what the French are after; even if it's only a `side-effect` in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.
Stating that this effect is 'on purpose' is hard to prove. After all, european legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy breaking law.
A glitch a day keeps the bugs away.
Guess France want to go back to the stone age, If this stays, they'll try to extend it to computers as well, and then well, anything that uses a GUI will pretty much be illegal.
I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholder's interests.
The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.
And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!
Storing passwords as hashes instead of plain text is now illegal in France,
No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.
Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google due to some privacy issues, and now they want them to keep so much data for so long time?
Ubuntu is an African word meaning 'I can't configure Debian'
I would never give real details for anything worth it's salt anyhow... and I got good entropy on my hash at home.
thank God the internet isn't a human right.
When will law makers stop trying to make laws on technical matters they do not understand and that affect technical users?
"No, your Honor. The passwords are not hashed. They are encrypted using public key encryption. It's just that I have lost the private key..."
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
I already have different level of passwords, depending of the sites or type of sites I log into... I now will be even more careful, to be sure I never use any valuable password outside of my own machines... I think my main "public" password will sound something like "F*ckSARKO".
Well, I just finished switching my Domain registration across to GANDI.
Time to move again... jeez France.
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
Sadly, the restrictions in France in eCommerce are wider ranging than even this. Storing credit card information, for example, requires companies to jump through many hoops and prove data is stored in Europe. Many sites steer clear of storing credit card information. Any subscriptions (newsletters, etc) have to be kept in auditable databases and opt-out laws are strong. Sometimes this is a good thing for the end user, but it stifles intelligent lazy login systems and means billing is not as automated as it needs to be. Anti fraud measures such as 3D secure (Verified by Visa, Mastercard Securecode) are crap in France because the banks have all adopted different ways of authenticating their clients in an online payment system (some by a challenge/response via SMS, some via one time pads, some via birthdate, etc).
Obviously legal departments are kept busy, and content publishers or eCommerce merchants end up crippling user experience because they are very likely to take a pessimistic interpretation of all the data privacy laws. So the French do what? The internet illuminati sign up for US/UK English versions of sites, or French canadian sites, whereas the average Joe just things the net is about typing in the same data all the time.
Conversion Rate Optimisation French / English consultant
I seem to be seeing more and more stories like this, where politicians make incredibly ill-conceived laws due to their ignorance of technical detail.
I don't know if it is the same in france, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.
Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.
Where are the engineers and scientists willing to step up and serve their country politically? We need you.
You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
Just 2 points :
1) The law referred in the press (which is actually an application decree) does not ban hashes, it says the following data should be retained:
"The password and the data used to verify it or to modify it"
2) The decree also adds a KEY sentence, saying that this data should only be retained if it was previously *usually collected*.
The words "the data used to verify it" could cover hashes, but more importantly point 2 means that if they didn't collect passwords, but only hashes, there is no need to start collecting clear-text passwords.
Nevertheless, the decree has other major technical flaws that make it worth challenging in court. Not to mention that it could be considered in breach of European Legislation on data retention, which limits the scope of data that member states can ask to be retained.
I use a password manager and unique randomly generated passwords for wherever I sign up. As far as I am aware, I don't have any accounts on servers in France, but even if I do that'd be all anybody'd be able to get access to with that password.
It did take a while to find a password manager that supported all my platforms and offered sufficient integration to not make life too difficult, but well worth it for the peace of mind.
For my local stuff (OS logins etc) I use passphrases I can actually remember and type in by hand, of course.
Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.
There's nothing on the ASIC site, nothing on http://www.laquadrature.net/
All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm
Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.
Watch this Heartland Institute video
If an ecommerce site can lock someone's account, give full access to the authorities, or change a password (all of which can be done with hashed passwords) why would they want to know someone's actual password? This will need rewriting of most systems and OSs for no gain whatsoever.
Granted I didn't RTFA, couldn't companies comply with the law by setting a new password and giving that to police if they ask for it?
You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.
Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décrets".
In other words, it goes something like this:
A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".
B. Every geek in France loudly protests and are soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.
C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whipers: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".
D. Clueless Government promptly forget all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.
E. Profit. Meaning: everyone is happy: (Clueless Conservative) Governement and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police is happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).
Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.
If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.
Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
And nobody sees this is easy to implement and perfectly safe.
1. Create a GPG key pair
2. Put the public key on the login server, the private key in a safe.
3. When setting the password, encrypt the plaintext password with the public key.
If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.
Live today, because you never know what tomorrow brings
Where did those words go?
Could people with better French than me please verify my understanding of what it says:
http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023646852&dateTexte=&oldAction=rechJO&categorieLien=id
All the more reason to use a Federated Identity Provider like OpenId, and authenticate against servers in another more favourable jurisdiction. Still doesn't stop sites won't handing over your data, but at least your password is safe!
I fear there's significant self-selection at work here. Would you join a political party full of people with a very different culture that you do not respect so much (and who pay lip service to yours)? Like you're an engineer, and political parties are made of lawyers and accountants as you said? Or to put it in a more colorful way, would you jump into a basket of crabs if you're not one yourself?
...) I'm not sure that the public would be very supportive of engineers or scientist willing to move into politics.
I agree with you, there is a very dire need to get more various technical and scientific expertize into politics and parliaments. But with so much energy to spend on getting elected (not fun if tech/science is what interests you) and the crowd you'd be joining, there is a very high barrier to entry in practice. And the worst is that with all the paranoia about many science based issues (nuclear, OGM,
So I guess the technical input will still be through professional lobbies for a while, and sometimes (as here) after the fact. It's by far not an ideal situation as in such case expertize is strongly biased by financial interests, but without more interest and support for science in the general public in the first place I don't see how we could get much better in practice.
Leave it to French politicians to not have a clue again.
FTFY.
Not storing passwords is a good system to protect people privacy and safety.
And the very idea of banning *how* you protect people with software is stupid itself.
- Is stupid, because unenforceable laws are stupid. Banning something you cant enforce is wasting everybody time.
- Is stupid because is not achieving what you probably want. If you want to be able to get the bad guys data, the bad guys can just use cleartext passwords, but cypher the actual data, so even if you get the password, you get a bunch of cyphered data.
So, what these laws exist for? is to peek into commercial mails from small size /medium size companies? why the France govern want to do that?
-Woof woof woof!
Why they even need the plain password? The service providers have the (salted) hash of the password, with it the user can access the account. What the state agencies need is the hash and an interface to input the hash to access the user account.
Why they need even that? The service providers are storing the information on their servers anyway, why can't they give a copy of it to the state agencies?
The only reason that requires to save the plain text password is that the state agencies want to have the password in the hope that the person uses that password for other accounts. A lot of people don't bother to make up new passwords, they just think of a password and use it everywhere.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
why anyone would use an OS calling itself secure (or website for that matter) where you could "reverse" out the password. It boggles my mind that many websites already store in clear text or with grade school encryption.
As to the poster above you, it certainly would make some IBM systems I work with that are used in a web environment illegal, there is no possible way on one of the OSes used in my shop to reverse the password or crack it with access to the system. It would be far easier to just guess it based on what is on the user's desk.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
If you are the government and can just go in and seize the server and the logs anyway, why do you need the passwords? This law makes no sense, unless they realize that many people use the same password for almost everything and want an easy way to get someone's passwords...
Seven puppies were harmed during the making of this post.
Mon mot de passe est une table de hachage, vous mottes insensible!
They must also keep a bottle of red wine, some cheese and a fresh baguette at all times in all datacenters, in case the authorities are visiting and get hungry.
"They who give up essential privacy to obtain a little..." er...
"They who give up essential security to obtain a little..." hmmm...
"They who give up essential security to lose a little privacy, get neither security nor privacy."
I'm a psychologist (amongst other things).
Don't store your data in France! I hope there is an exodus of servers and services from France to just over its borders in every direction. There is a reason that just about everyone in IT agrees that even encrypted passwords are too weak -- hell, even MD5 and related hashes aren't THAT great.
But, let's wait to see if they start outlawing locks on doors and cars next.
Looks like France is taking their technology back to a 3rd world state. Every modern OS will have to be rewritten to comply with this, if it's true.
Those Fascists, Can the plaintext passwords be in English ?
The "decret d'application" of the law (it's a law from 2004 but not applicable before this "decret") doesn't prohibit hashed password. It's a misinterpretation of the decret.
Actually, it states that IF you store the password in clear text for authentication, you have to keep the password in clear text in your logs during a year. But IF you store a hashed version of the password, you have to log the last hashed used. And if you don't store your users' password (logged via facebook or other centralized authentication) you don't have to.
The decret only specify what to keep in the logs IF the information is already known and stored. It doesn't specify WHAT to store. What to store is specified by a EU directive.
Yro
I guess they'll need a new password storing method that doesn't violate the new laws.
I suggest ROT23 encryption.
Norris Normal - Who am I?
Extension of no 2:
At some moment "accidentally lose" the private key. When law enforcment turns up get some good lawyers and fire the "responsible" (do not forget to employ the guy back when everything calms down).
First, at the time of american independence war, there was no revolution or no chance of any revolution in france.
second, 'old european conflicts' were the reasons used to persuade french throne to helping the american rebels. the public, who actually volunteered, were doing it out of revolutionary reasons. in case you do not know, the age of enlightenment mainly spread from france, with french writers and philosophers, and it was in full traction in latter part of 18th century. note that even marquis lafayette, a person who had had very important critical role in american revolution and then french revolution AND writing of declaration of the rights of man - the document which our modern societal principles are mainly based on, worldwide, including human rights statement - was also another frenchman who was deeply into new humanist revolutionary ideals. and despite he was a quite well-off marquis.
strategically and militarily, if french assistance, especially french navy wasnt there, there would be no american independence. and if lafayette was not there in yorktown, still the same.
Read radical news here
... now France. WTF Europe, is there something in the water?
If I can remember my hash password, and use THAT as my password from now on, they are just as screwed....shows people placed in political positions never have computer knowledge needed to make up the laws.
eDir stores passwords in non-reversible encrypted hashes, No way to get the passwords out of there.
~corporate tool, but employed~
What's the point of requiring postal addresses? Anyone with malicious intent is just going to enter a bogus address. Shoot, even if there's not malicious intent, people may enter bogus data just out of privacy concerns. I do it all the time. Are the companies going to required to somehow verify postal addresses?
It is unwise to ascribe motive
If the "recovered" password hashes to the same hash, it should allow you to log in, and thus appear to be the original password.
C - the footgun of programming languages
Name one that stores passwords in plaintext. France will be forced to downgrade past Windows 95 if this stands.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's li'l Napoleon and his cronies passing a law concerning "zeh indernet" and ordinateurs. What did you expect?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And believe me, on behalf of the rest of Europe (and I'm pretty sure a good deal of the Italians and French), we'd love to tell Sarkozy and Berlusconi: OUT!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Very logical. We want power. We don't want someone else to have power. Makes sense?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
France? Better? With Sarkozy on top?
You haven't spend much time following the actions of that government, have you?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And what would be in it for us? Have you looked at what it takes to get elected to even a modest political office? Every little thing you say, and every single thing that can be dug up from your and your acquiantances' past, is milked for every drop of 'scandal' it can give; and even if that were not the case, you still spend most of your time delivering the same bland speech at every little town hall, as actually taking a clear and honest stance on most issues would just make you meat for your opponents.
Why would a smart person actually do that to themselves?
I actually haven't run across any evidence of such treatment originating during WW2. I have come across writings from the period talking about how the French were "dirty" or "Ungrateful", and how GIs felt more kinship with the people and culture of Germany than France, but not any insults about being surrenderers. I think that can pretty much can be summed up in three words: Charles de Gaulle. The entire "cheese eating surrender monkeys" is just a cheap shot and did not originate during WW2 as far as I can tell. I happened later after the cold war was underway due to policy set by France and de Gaulle. First, de Gaulle thought that NATO didn't have what it took to win the cold war and the heartless Soviets would win the day, so they withdrew from NATO and went their own way. Two, France was in a big hissy to prove that they were a world power and could do anything the US could while Britain was just a US puppet and only had importance because they rode on the US coattails. They insulted Great Britain a lot, tried to throw their weight around, and did things like unilateral nuclear testing after everybody else had agreed on a ban. All of this after the Allies had freed France and given it back to the people because it was expected that we'd all be friends. It was pretty much felt as a big betrayal, so the surrender remarks are the cheap shot that is easy to make without having to actually get into real issues.
Oh the Moronity!
They will quickly back pedal when they realize that credit card discount rates will be jacked up to 20% in France to counter the increase in liability that would come with such a move.
This is why fucking government stooges and politicians shouldn't even be allowed to THINK about law that involves technology. Fucking retards.
France has mandated that they be extremely easy to hack, and outlawed modern Unix systems... Not to mention all manner of ancillary software designed to secure private data (some of which is used to comply with EU directives!)
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
if i were ebay say. id comply to keep revenues and store passwords + password history of 1year in reversible encryption like md4; except passwords must be changed weekly and each time password gets changed. it informs the user why they have to do it. Including the names of the politicians involved,
Use an off-shore tokenserver for authentication.
Privacy is terrorism.
Yes but what problem is addressed by this law?
Or is it a regulation by a bureaucrat empowered a law.
IMO: On the surface it seems to be a knee jerk reaction to
the twitter fueled/fanned revolution sweeping northern
Africa and other Muslim countries. This solution however
has consequences and repercussions that may or may
not be unintended.
The one result I see on the surface is that this retained data
is exactly the data an imposter needs. This in turn weakens
the ability to hold an individual responsible. For those that
are conspiracy nuts this is also the data that a rogue agent could
abuse to insert (or delete) data to promote his cause.
But hay, we all know that roads, railroads and now regulations
are two horses asses wide. And we also know that hay becomes.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
This is an excellent example of a situation where outsourcing authentication would be a good idea. Every now and then, a paranoid politician comes up with a clever idea on "how to catch criminals". It's a good thing we have the technology to ignore their absurd requests.