Slashdot Mirror

← Back to Stories (view on slashdot.org)

France Outlaws Hashed Passwords

Posted by samzenpus on from the keep-your-receipt dept.

An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."

21 of 433 comments (clear)

  1. plain-text OS? by edmudama · · Score: 5, Interesting

    Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?

    --
    More data, damnit!
    1. Re:plain-text OS? by norpy · · Score: 4, Insightful

      It doesn't have to be plain-text, they are just saying that it must be stored in a way that allows the plaintext to be provided on request.

      I'm pretty sure AD allows you to store passwords in reversible encryption rather than hashes if you so chose.

    2. Re:plain-text OS? by 0100010001010011 · · Score: 5, Informative

      In that case. Point them to the md5 rainbow tables and store it as md5.

    3. Re:plain-text OS? by sjames · · Score: 4, Insightful

      If enough large internet entities black-holed France as a united front, the law (or France) would go away and other countries would learn a very valuable lesson. That or just declare that since it's a lot of trouble to maintain multiple authentication systems, all French Citizens will have their password set to "password".

      An alternative would be to start hacking and publishing password lists for France.

    4. Re:plain-text OS? by TheRaven64 · · Score: 5, Informative

      It doesn't make much difference - the hash time is a constant factor, which is largely irrelevant when talking about complexity classes. The bigger advantage of using some other hash is that it's larger. For example, MD5 is 128 bits, but SHA-1 is 160 bits. This means that an SHA-1 rainbow table needs around four billion times more entries than for MD5. If storage capacity doubles every year, then an MD5 rainbow table becomes feasible 32 years before an SHA-1 rainbow table. In contrast, a constant factor slowdown is offset by a constant factor speedup (e.g. using a GPU or custom DSP).

      --
      I am TheRaven on Soylent News
    5. Re:plain-text OS? by CrimsonAvenger · · Score: 5, Informative

      Funny how Americans (you're American, right?) started making so many jokes about the French surrendering the moment France became one of the most resistant to US behaviour over Iraq.

      We were making jokes about France surrendering long before Iraq.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    6. Re:plain-text OS? by varcher · · Score: 5, Insightful

      It would.

      If the law stated this, which, of course, it doesn't. But no one apparently took time to properly read it before firing the paranoia flares.

      The "password" bit is part of a data retention clause for account management. On any account that a service provider created for an on-line service or access, you must retain some data for ONE year after the account is closed. Among the bits is, I cite - translated - "password, means to validate it". And, hidden a few lines below is the clincher "such data must be retained only if it was collected".

      In other words, the law states that:

      1) If you get a password in plaintext and store it as is, you must KEEP a copy of that password for one year after the account has closed

      2) If you get a password and store a way of validating that password (such as a hash), you must KEEP a copy of that hash or whatever for one year after the account has closed.

      3) If you don't use a password for the service (for example, you are an ISP, and access from your customers to their DSL is entirely authenticated by the telco end), then you keep nothing. But for a year, of course!

  2. Unfortunately.... by Anonymous Coward · · Score: 5, Insightful

    Its still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information such as following best practices for passwords.

    Rock vs Hard Place

  3. French style by xonen · · Score: 4, Insightful

    If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.

    Actually, that's probably exactly what the French are after; even if it's only a `side-effect` in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in french style.

    Stating that this effect is 'on purpose' is hard to prove. After all, european legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy breaking law. ...? Profit!.

    --
    A glitch a day keeps the bugs away.
  4. A simple solution by Gadget_Guy · · Score: 4, Funny

    I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholder's interests.

    The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.

    And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!

    1. Re:A simple solution by ArsenneLupin · · Score: 5, Funny
      Hehe, reminds me about when France leaned on Luxembourg to repeal its banking secrecy laws.

      Luxembourg slowly started complying... by first publishing account details about French politicians! Always be careful what you ask for!

  5. Summary is COMPLETELY WRONG by xtracto · · Score: 5, Informative

    Storing passwords as hashes instead of plain text is now illegal in France,

    No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.

    It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

    Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.

    Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google due to some privacy issues, and now they want them to keep so much data for so long time?

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:Summary is COMPLETELY WRONG by Anonymous Coward · · Score: 5, Informative

      First, I'm French.
      I read the law http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTEXT000023646013&dateTexte=&oldAction=rechJO&categorieLien=id

      You have to store information about content creators only (not relevant for a pure mail provider, maybe in the case of a multiservice google account).
      Password, and payment information, among others, must be given upon request to the authorities, but as i understand, ONLY IF THEY ARE ALREADY COLLECTED.

      Not that I think it's a "good" law, but it is not as bad as said in the article, as I understand it.

    2. Re:Summary is COMPLETELY WRONG by LBU.Zorro · · Score: 5, Insightful

      Summary isn't completely wrong, you're actually wrong.

      The article specifically states that

      The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

      This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

      Which means that they would have to store the password, and be able to give it out to authorities.

      So, to take your points:

      It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

      Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better if you hack the french data you start potentially having information necessary to recover passwords from other more secure countries. As for the 'write only' file, seriously? the only write only file is /dev/null, if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a printer and print them all, if there's no digital way to read it then it would have to be a physical security breach, but the cost of compliance?

      Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...

      Kinda plausible, if only hashes were guaranteed to be one to one, only they aren't as it is possible to have hash collisions where two passwords can point to the same hash. This doesn't usually matter but it does mean you wouldn't be able to guarantee that there was no hash-collision and you were giving the authorities the wrong password, which would be illegal under this law. Granted the authorities may not know this and many not do anything about it, but if they wanted to be evil it wouldn't be hard to prove non-compliance.

      or just "reset" the password of the account and give it to the French police.

      Yeah, as above this would be giving them the incorrect password and would be violating the law. You really think they want the password to log into the site? Seriously? When they can just demand access? Most likely they're taking advantage of the fact that people tend to use the same passwords, so getting a historical record (and note this information has to be held for at least a year) of passwords for that user means there is a high likelihood that they'll be able to access data outside of their country. The law isn't asking them for their current password, or should I say not JUST their current password, it's asking for ALL of this data for the last year.

      It's a data retention law, not a you must provide this to authorities when asked. You have to gather the information all the time and keep it for a minimum of a year and provide all that historical information on request (this is not just the current information). Which means you cannot just provide the current information, or reverse a hash etc.

      The law is broad reaching, really intrusive and will cause far more problems for anyone than the french might hope it will solve, but for some reason you (after apparently reading the article) missed entirely the point of it.

      Z.

  6. Re:well... by definate · · Score: 5, Interesting

    Can't wait till the next news article after this goes live...

    "There has been a sudden increase in credit card fraud in France of late, due to users using the same password on every different system. So when a .fr site is hacked or an employee goes rogue, suddenly you get a lot more than you originally bargained for."

    --
    This is my footer. There are many like it, but this one is mine.
  7. So how about a fucking link? by Eunuchswear · · Score: 5, Informative

    Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.

    There's nothing on the ASIC site, nothing on http://www.laquadrature.net/

    All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm

    Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.

    --
    Watch this Heartland Institute video
  8. Before everyone gets too excited... by Noryungi · · Score: 5, Informative

    You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.

    Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive a "Décrets".

    In other words, it goes something like this:

    A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".

    B. Every geek in France loudly protests and are soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.

    C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whipers: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".

    D. Clueless Government promptly forget all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.

    E. Profit. Meaning: everyone is happy: (Clueless Conservative) Governement and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police is happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).

    Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.

    If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.

    Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Before everyone gets too excited... by alexhs · · Score: 4, Informative

      The only problem here is that it is about the application decree (posted by an AC in this thread). The law was voted in 2004 (surprise surprise, Sarkozy was the minister of economy at that time).

      The relevant portion of the decree is :

      Les données mentionnées au II de l'article 6 de la loi du 21 juin 2004 susvisée, que les personnes sont tenues de conserver en vertu de cette disposition, sont les suivantes :
      [...]
      3 Pour les personnes mentionnées aux 1 et 2 du I du même article, les informations fournies lors de la souscription d'un contrat par un utilisateur ou lors de la création d'un compte :
      [...]
      g) Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour ;

      Translation :
      The data mentioned in Section II of Article 6 of the Act of June 21, 2004 referred to above, that individuals are required to keep under this provision are as follows:
      [...]
      3 For the persons referred to in 1 and 2 of Article I of the same, the information given upon subscription of a contract by a user or when creating an account:
      [...]
      g) The password and the information needed to verify or change it, in their latest updated version;

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  9. Re:well... by silanea · · Score: 4, Insightful

    I am pretty sure the width of horse asses varies just as wildly. Now whether there lies a correlation...

    --
    Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
  10. Re:well... by icebraining · · Score: 4, Interesting

    I can see a push towards OpenID, or more realistically, Facebook/Twitter/Google authentication services in French websites.

    --
    Dilbert RSS feed
  11. Re:well... by snspdaarf · · Score: 5, Funny

    Just looking around my office, I see a number of horse's asses, and their width is quite different.

    --
    Why, without your clothes, you're naked, Miss Dudley!