France Outlaws Hashed Passwords
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?
More data, damnit!
It's still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information, such as following best practices for passwords.
Rock vs Hard Place
If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.
...? Profit!
Actually, that's probably exactly what the French are after; even if it's only a 'side-effect' in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in French style.
Stating that this effect is 'on purpose' is hard to prove. After all, European legislation would come and demand open markets. So they found a sneaky way around it: make up some privacy-breaking law.
A glitch a day keeps the bugs away.
I know a lot of people will say that these companies should block France to bully the government into repealing the law, but that really is not workable and would be against shareholders' interests.
The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens' records directly without burdening the service providers.
And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!
Storing passwords as hashes instead of plain text is now illegal in France,
No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.
Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google over some privacy issues, and now they want them to keep so much data for so long?
Ubuntu is an African word meaning 'I can't configure Debian'
Can't wait till the next news article after this goes live...
"There has been a sudden increase in credit card fraud in France of late, due to users using the same password on every different system. So when a .fr site is hacked or an employee goes rogue, suddenly you get a lot more than you originally bargained for."
This is my footer. There are many like it, but this one is mine.
Sadly, the restrictions in France on eCommerce are wider ranging than even this. Storing credit card information, for example, requires companies to jump through many hoops and prove data is stored in Europe. Many sites steer clear of storing credit card information. Any subscriptions (newsletters, etc.) have to be kept in auditable databases and opt-out laws are strong. Sometimes this is a good thing for the end user, but it stifles intelligent lazy login systems and means billing is not as automated as it needs to be. Anti-fraud measures such as 3-D Secure (Verified by Visa, Mastercard SecureCode) are crap in France because the banks have all adopted different ways of authenticating their clients in an online payment system (some by a challenge/response via SMS, some via one-time pads, some via birthdate, etc.).
Obviously legal departments are kept busy, and content publishers or eCommerce merchants end up crippling user experience because they are very likely to take a pessimistic interpretation of all the data privacy laws. So the French do what? The internet illuminati sign up for US/UK English versions of sites, or French Canadian sites, whereas the average Joe just thinks the net is about typing in the same data all the time.
Conversion Rate Optimisation French / English consultant
I seem to be seeing more and more stories like this, where politicians make incredibly ill-conceived laws due to their ignorance of technical detail.
I don't know if it is the same in France, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.
Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.
Where are the engineers and scientists willing to step up and serve their country politically? We need you.
You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
Just 2 points:
1) The law referred to in the press (which is actually an application decree) does not ban hashes; it says the following data should be retained:
"The password and the data used to verify it or to modify it"
2) The decree also adds a KEY sentence, saying that this data should only be retained if it was previously *usually collected*.
The words "the data used to verify it" could cover hashes, but more importantly point 2 means that if they didn't collect passwords, but only hashes, there is no need to start collecting clear-text passwords.
Nevertheless, the decree has other major technical flaws that make it worth challenging in court. Not to mention that it could be considered in breach of European Legislation on data retention, which limits the scope of data that member states can ask to be retained.
I use a password manager and unique randomly generated passwords for wherever I sign up. As far as I am aware, I don't have any accounts on servers in France, but even if I do that'd be all anybody'd be able to get access to with that password.
It did take a while to find a password manager that supported all my platforms and offered sufficient integration to not make life too difficult, but well worth it for the peace of mind.
For my local stuff (OS logins etc) I use passphrases I can actually remember and type in by hand, of course.
Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.
There's nothing on the ASIC site, nothing on http://www.laquadrature.net/
All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm
Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.
Watch this Heartland Institute video
You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.
Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décrets".
In other words, it goes something like this:
A. Clueless Parliament votes clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".
B. Every geek in France loudly protests and is soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.
C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc.) quietly contact Government and whisper: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".
D. Clueless Government promptly forgets all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.
E. Profit. Meaning: everyone is happy: (Clueless Conservative) Government and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief that they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police are happy because they will now have another tool to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).
Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.
If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.
Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
And nobody sees this is easy to implement and perfectly safe.
1. Create a GPG key pair
2. Put the public key on the login server, the private key in a safe.
3. When setting the password, encrypt the plaintext password with the public key.
If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.
Live today, because you never know what tomorrow brings
Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I fear there's significant self-selection at work here. Would you join a political party full of people with a very different culture that you do not respect so much (and who pay lip service to yours)? Like you're an engineer, and political parties are made of lawyers and accountants as you said? Or to put it in a more colorful way, would you jump into a basket of crabs if you're not one yourself?
I agree with you, there is a very dire need to get more varied technical and scientific expertise into politics and parliaments. But with so much energy to spend on getting elected (not fun if tech/science is what interests you) and the crowd you'd be joining, there is a very high barrier to entry in practice. And the worst is that with all the paranoia about many science-based issues (nuclear, OGM, ...) I'm not sure that the public would be very supportive of engineers or scientists willing to move into politics.
So I guess the technical input will still come through professional lobbies for a while, and sometimes (as here) after the fact. It's far from an ideal situation, as in such cases expertise is strongly biased by financial interests, but without more interest in and support for science in the general public in the first place I don't see how we could do much better in practice.
RIGHT well, APART from better sanitation and medicine and education and irrigation and public health and roads and a freshwater system and baths and public order...
WHAT have the Romans ever done for US?
Why do they even need the plain password? The service providers have the (salted) hash of the password, with which the user can access the account. What the state agencies need is the hash and an interface to input the hash to access the user account.
Why do they even need that? The service providers are storing the information on their servers anyway, so why can't they give a copy of it to the state agencies?
The only reason to save the plain-text password is that the state agencies want to have the password in the hope that the person uses that password for other accounts. A lot of people don't bother to make up new passwords; they just think of a password and use it everywhere.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
If they have access to the system checking the passwords though, it's still receiving the password in plaintext from the user.
Depends on the authentication scheme used. In some, only the client ever has access to the plaintext password. For example:
The other advantage of this is that the server doesn't know when the user has changed their password. The server is required to change the stored password each login, so it's impossible to steal someone's account without their knowledge, unless you get their password via some other means. If you log in, you must change their password, and the next time they log in they will discover that it's changed.
I am TheRaven on Soylent News
I am pretty sure the width of horse asses varies just as wildly. Now whether there lies a correlation...
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
why anyone would use an OS calling itself secure (or website for that matter) where you could "reverse" out the password. It boggles my mind that many websites already store in clear text or with grade school encryption.
As to the poster above you, it certainly would make some IBM systems I work with that are used in a web environment illegal; there is no possible way on one of the OSes used in my shop to reverse the password or crack it with access to the system. It would be far easier to just guess it based on what is on the user's desk.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
My password is a hash table, you insensitive clod!
I can see a push towards OpenID, or more realistically, Facebook/Twitter/Google authentication services in French websites.
Dilbert RSS feed
In which case, you can now authenticate with the hash instead.
Yes, but only once, and not without leaving a trail.
So the hash becomes the equivalent of plaintext; that's the worst of both worlds.
No it isn't. The transmitted and stored values are both only valid for a single login. All accounts can use the same password without the server being able to recover it (the benefit of a hash), and a passive eavesdropper now only has a password that they can use once, rather than every time, and can't use undetected.
Although you do mitigate that to some degree by changing the hash each time
Which makes about as much sense as saying 'storing hashed passwords is about as secure as storing plaintext ones, although that's offset a bit by hashing them'. When it comes to algorithms related to security, you can't just look at part of them in isolation - this system was designed and reviewed quite carefully (search and you'll find a lot of places using it), you aren't meant to just take a couple of steps, throw them into a system, and say 'yup, that's secure'.
I am TheRaven on Soylent News
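The scheme argued over in the exchange above, and promised with "For example:" in the earlier comment, is a one-time-password hash chain of the Lamport / S/KEY kind. The following is an added example, not code from the thread or from S/KEY, with the chain length, site names and sample password as assumed values: the client keeps a seed, the server stores only the top of the chain, each login reveals the next link down, and the stored value rotates at every login so a replayed value is refused. Deriving the seed from the password and a site identifier is the part that lets one password be used at many services without the services being able to relate the chains. The limits the thread mentions remain: a value captured in transit and delivered before the legitimate one works exactly once, and the user learns of it only because their own next attempt fails.

```python
"""One-time-password hash chain (Lamport / S/KEY style). Added example, not
from the original thread: models a server that never holds the password and
whose stored verifier changes at every login, so a captured value is good for
one login at most and a replay is refused.
"""
import hashlib
import hmac

CHAIN_LENGTH = 100  # assumed: logins available before the chain must be re-seeded


def _h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def _hash_n(value: bytes, n: int) -> bytes:
    """Apply the hash n times: h^n(value)."""
    for _ in range(n):
        value = _h(value)
    return value


def _seed(password: str, site: str) -> bytes:
    # Keying the seed on the site means the same password gives every
    # service an unrelated chain, so one site's records say nothing about another's.
    return hmac.new(password.encode(), site.encode(), hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.users = {}  # username -> (counter, last accepted chain value)

    def register(self, username: str, counter: int, anchor: bytes) -> None:
        self.users[username] = (counter, anchor)

    def challenge(self, username: str) -> int:
        # Tell the client which chain index to reveal next.
        return self.users[username][0] - 1

    def login(self, username: str, response: bytes) -> bool:
        if username not in self.users:
            return False
        counter, stored = self.users[username]
        # Refuse once the chain is exhausted: index 0 would be the seed itself.
        if counter <= 1 or not hmac.compare_digest(_h(response), stored):
            return False
        self.users[username] = (counter - 1, response)  # stored value rotates
        return True

    def remaining(self, username: str) -> int:
        return self.users[username][0]


class Client:
    def __init__(self, password: str, site: str):
        self.seed = _seed(password, site)

    def enroll(self, server: Server, username: str) -> None:
        server.register(username, CHAIN_LENGTH, _hash_n(self.seed, CHAIN_LENGTH))

    def respond(self, index: int) -> bytes:
        return _hash_n(self.seed, index)


def demo():
    """Constructed walk-through; returns (first login ok, replay ok, second login ok,
    chain for another site differs)."""
    srv = Server()
    alice = Client("same-password-everywhere", "shop.example.fr")  # constructed values
    alice.enroll(srv, "alice")

    first = alice.respond(srv.challenge("alice"))
    ok_first = srv.login("alice", first)
    ok_replay = srv.login("alice", first)  # an eavesdropper re-sends the captured value
    ok_second = srv.login("alice", alice.respond(srv.challenge("alice")))

    other = Client("same-password-everywhere", "mail.example.com")
    unrelated = other.respond(CHAIN_LENGTH - 1) != first
    return ok_first, ok_replay, ok_second, unrelated


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

The server-side table is the whole record the decree could ask for: a counter and one hash image. Handing it over lets someone authenticate exactly once, and doing so decrements the counter the real user will see at their next login, which is the "trail" the comment refers to.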
The "decret d'application" of the law (it's a law from 2004 but not applicable before this "decret") doesn't prohibit hashed passwords. It's a misinterpretation of the decret.
Actually, it states that IF you store the password in clear text for authentication, you have to keep the password in clear text in your logs for a year. But IF you store a hashed version of the password, you have to log the last hash used. And if you don't store your users' passwords (logged in via Facebook or another centralized authentication) you don't have to.
The decret only specifies what to keep in the logs IF the information is already known and stored. It doesn't specify WHAT to store. What to store is specified by an EU directive.
Well that confirms it had nothing to do with Rush Limbaugh!
ba-dum-psh!
So in 1000 years people will falsely credit the USA Government with the invention of the light bulb? What a shame when credit for all inventions, discoveries and accomplishments goes to whatever government had authority over the actual inventor. Why can't you wrap your mind around the fact that individuals are the source of all ideas? A government has no wisdom of its own. Its wisdom comes from the individuals who make it up.
No, but they might credit it and the USSR with the start of space exploration, putting a man on the moon, and so on. Sure, it's a large group of individuals that contributed to this, but that's exactly what a government is. Your argument is basically "That group of individuals has no wisdom of its own, its wisdom comes from the sum of individuals in the group", which is just pedantic.
Just looking around my office, I see a number of horse's asses, and their width is quite different.
Why, without your clothes, you're naked, Miss Dudley!
Government's a lot like religion. It's done so many bad things that a huge number of ignorant people think the world would be better off without it. If you care at all to get your head out of your ass, you'll realize that it's done an incredible amount of unequaled good, too, between its short spurts of horrifically bad.
Also like religion, it's a basic need of the world at large. Try as you might to replace it with something else or even nothing at all, it'll always come creeping back in. Even in tribal societies there are village elders.
Human beings need to organize. We're social creatures. When we organize in groups, it is imperative that we defend ourselves from incursions from other groups. Otherwise, the other groups will take our stuff and we will perish. The most basic groups, like the tribe, are readily destroyed by the more organized groups (like the genocide practiced on the American Indians). Big groups are subject to fragmentation (see the American Civil War). Government is never a static thing, it is a practical, seat-of-the-pants human thing.
Arguing whether government is good is like arguing whether the atmosphere is good. We need both.