Slashdot Mirror
France Outlaws Hashed Passwords
An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."
Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?
More data, damnit!
Its still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information such as following best practices for passwords.
Rock vs Hard Place
If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.
...? Profit!.
Actually, that's probably exactly what the French are after; even if it's only a `side-effect` in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.
Stating that this effect is 'on purpose' is hard to prove. After all, european legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy breaking law.
A glitch a day keeps the bugs away.
I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholder's interests.
The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.
And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!
Storing passwords as hashes instead of plain text is now illegal in France,
No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.
It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...
Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.
Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google due to some privacy issues, and now they want them to keep so much data for so long time?
Ubuntu is an African word meaning 'I can't configure Debian'
Can't wait till the next news article after this goes live...
"There has been a sudden increase in credit card fraud in France of late, due to users using the same password on every different system. So when a .fr site is hacked or an employee goes rogue, suddenly you get a lot more than you originally bargained for."
This is my footer. There are many like it, but this one is mine.
I seem to be seeing more and more stories like this, where politicians make incredibly ill-conceived laws due to their ignorance of technical detail.
I don't know if it is the same in france, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.
Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.
Where are the engineers and scientists willing to step up and serve their country politically? We need you.
You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.
There's nothing on the ASIC site, nothing on http://www.laquadrature.net/
All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm
Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.
Watch this Heartland Institute video
You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.
Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décrets".
In other words, it goes something like this:
A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".
B. Every geek in France loudly protests and are soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.
C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whipers: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".
D. Clueless Government promptly forget all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.
E. Profit. Meaning: everyone is happy: (Clueless Conservative) Governement and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police is happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).
Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.
If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.
Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
And nobody sees this is easy to implement and perfectly safe.
1. Create a GPG key pair
2. Put the public key on the login server, the private key in a safe.
3. When setting the password, encrypt the plaintext password with the public key.
If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.
Live today, because you never know what tomorrow brings
Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.
RIGHT well, APART from better sanitation and medicine and education and irrigation and public health and roads and a freshwater system and baths and public order...
WHAT have the romans ever done for US?
If they have access to the system checking the passwords though, it's still receiving the password in plaintext from the user.
Depends on the authentication scheme used. In some, only the client ever has access to the plaintext password. For example:
The other advantage of this is that the server doesn't know when the user has changed its password. The server is required to change the stored password each login, so it's impossible to steal someone's account without their knowledge, unless you get their password via some other means. If you log in, you must change their password, and the next time they log in they will discover that it's changed.
I am TheRaven on Soylent News
I am pretty sure the width of horse asses varies just as wildly. Now whether there lies a correlation...
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
Mon mot de passe est une table de hachage, vous mottes insensible!
I can see a push towards OpenID, or more realistically, Facebook/Twitter/Google authentication services in French websites.
Dilbert RSS feed
The "decret d'application" of the law (it's a law from 2004 but not applicable before this "decret") doesn't prohibit hashed password. It's a misinterpretation of the decret.
Actually, it states that IF you store the password in clear text for authentication, you have to keep the password in clear text in your logs during a year. But IF you store a hashed version of the password, you have to log the last hashed used. And if you don't store your users' password (logged via facebook or other centralized authentication) you don't have to.
The decret only specify what to keep in the logs IF the information is already known and stored. It doesn't specify WHAT to store. What to store is specified by a EU directive.
Yro
Just looking around my office, I see a number of horse's asses, and their width is quite different.
Why, without your clothes, you're naked, Miss Dudley!
Government's a lot like religion. It's done so many bad things that a huge amount of ignorant people think the world would be better off without it. If you care at all to get your head out of your ass, you'll realize that it's done an incredible amount of unequaled good, too, between its short spurts of horrifically bad, though.
Also like religion, it's a basic need of the world at large. Try as you might to replace it with something else or even nothing it all, it'll always come creeping back in/ Even in tribal societies there are village elders.
Human beings need to organize. We're social creatures. When we organize in groups, it is imperative that we defend ourselves from incursions from other groups. Otherwise, the other groups will take our stuff and we will perish. The most basic groups, like the tribe, are readily destroyed by the more organized groups (like the genocide practiced on the American Indians). Big groups are subject to fragmentation (see the American Civil War). Government is never a static thing, it is a practical, seat-of-the-pants human thing.
Arguing whether government is good is like arguing whether the atmosphere is good. We need both.