
France Outlaws Hashed Passwords

samzenpus posted more than 3 years ago | from the keep-your-receipt dept.

Security 433

An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."


well... (1)

spliffington (1130983) | more than 3 years ago | (#35742006)

That's gonna be effective...

Re:well... (5, Interesting)

definate (876684) | more than 3 years ago | (#35742112)

Can't wait till the next news article after this goes live...

"There has been a sudden increase in credit card fraud in France of late, due to users using the same password on every different system. So when a .fr site is hacked or an employee goes rogue, suddenly you get a lot more than you originally bargained for."

Re:well... (1)

MyLeftSock (2030502) | more than 3 years ago | (#35742182)

Name one time government did any good.

AKA, What did the Romans ever do for us?

Re:well... (2, Interesting)

Z00L00K (682162) | more than 3 years ago | (#35742290)

Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.

Re:well... (3, Insightful)

gilleain (1310105) | more than 3 years ago | (#35742402)

> Railroad tracks are defined to be 2 horse asses wide, which actually has a history back to the Roman empire.

RIGHT well, APART from better sanitation and medicine and education and irrigation and public health and roads and a freshwater system and baths and public order...

WHAT have the romans ever done for US?

Re:well... (0)

ElectricTurtle (1171201) | more than 3 years ago | (#35742480)

Please stop propagating debunked myths [snopes.com] , thanks. Railroad track gauges [wikipedia.org] vary widely around the world.

Re:well... (0)

Anonymous Coward | more than 3 years ago | (#35742410)

Of course the use of hashed passwords doesn't protect you from that completely. Yes, it protects you if they get the information from the database.

If they have access to the system checking the passwords though, it's still receiving the password in plaintext from the user. It'd therefore be possible to modify the system that hashes the submitted password and compares it to the stored one so that if it matches it also writes it to a file/sends it to the attacker. At least that's likely to be noticed far more easily than a database dump though.

Re:well... (0)

Anonymous Coward | more than 3 years ago | (#35742258)

It's effective insofar that I will no longer do business with French companies online. Storing passwords in plain-text is simply way too insecure.

Re:well... (1)

Z00L00K (682162) | more than 3 years ago | (#35742310)

I foresee various loopholes around this - like offshoring all the web shops - or maybe it's enough to offshore the login services.

plain-text OS? (5, Interesting)

edmudama (155475) | more than 3 years ago | (#35742012)

Doesn't this make most operating systems illegal? Who doesn't store the password as a hashed copy?

Re:plain-text OS? (4, Insightful)

norpy (1277318) | more than 3 years ago | (#35742030)

It doesn't have to be plain-text, they are just saying that it must be stored in a way that allows the plaintext to be provided on request.

I'm pretty sure AD allows you to store passwords in reversible encryption rather than hashes if you so choose.

Re:plain-text OS? (5, Informative)

0100010001010011 (652467) | more than 3 years ago | (#35742088)

In that case, point them to the md5 rainbow tables and store it as md5.

Re:plain-text OS? (1)

Yvanhoe (564877) | more than 3 years ago | (#35742244)

Well, if you use md5 you may as well store them in plaintext indeed.

Re:plain-text OS? (1)

aaron552 (1621603) | more than 3 years ago | (#35742398)

I was under the impression that salted MD5 (with a good salt, in a well-designed system) is reasonably secure.

Re:plain-text OS? (2)

Dr_Barnowl (709838) | more than 3 years ago | (#35742438)

It's not bad, but it's apparently better to use a hash that was designed to be slow. MD5 is part of a family of hashes designed to be fast, to provide a digest of large byte streams which can be signed to provide non-repudiation. Hash functions like bcrypt() [wikipedia.org] have been designed to be expensive - this matters little when you are only running it once to authenticate your user, but the extra expense makes it less practical to generate rainbow tables or brute-force a known hash.
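The contrast drawn above (a fast digest like MD5 versus a deliberately slow, salted password hash) is easy to see in code. The following is an added example, not code from the thread or from any project it mentions: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, since both share the property that matters here, a tunable cost. The iteration count, the salt size and the record format are choices made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Parameters chosen for this example (assumptions, not values from the thread).
PBKDF2_ITERATIONS = 200_000   # the deliberate "slowness"; raise as hardware gets faster
SALT_BYTES = 16


def md5_salted(password: str, salt: bytes) -> str:
    """Fast salted MD5: the scheme the question above asks about.
    Salting defeats precomputed rainbow tables, but one guess still costs
    about a microsecond, so brute force against a leaked hash stays cheap."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted, iterated hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the cost can be
    raised later without invalidating existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time. Malformed or foreign records are rejected, never raised on."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(recomputed, digest)


def cost_ratio(password: str = "correct horse battery staple", trials: int = 50) -> float:
    """How many salted-MD5 guesses fit in the time of one PBKDF2 check.
    The defender pays this once per login; an attacker with a dump pays it
    once per guess, which is the whole argument for a slow hash."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(trials):
        md5_salted(password, salt)
    md5_time = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    hash_password(password, salt)
    slow_time = time.perf_counter() - t0
    return slow_time / md5_time


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print("correct password accepted:", verify_password("hunter2", record))
    print("wrong password rejected:", not verify_password("hunter3", record))
    print(f"one slow check ~= {cost_ratio():,.0f} salted-MD5 guesses")
```

The record carries its own iteration count, so a site can raise the cost on the next login after a dump and never has to keep MD5 around; the constant-time compare in `verify_password` is there because a plain `==` on digests leaks timing information about how many leading bytes matched.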

Re:plain-text OS? (1)

Anonymous Coward | more than 3 years ago | (#35742092)

Well, if you store them with reversible encryption, that's effectively the same as storing them in plain text. Let's say a master password is required to decrypt them. The master password may have been cracked to gain access to the encrypted passwords anyway - and even if not, it now becomes worth it to the hacker to invest substantial resources in decrypting it.

Re:plain-text OS? (1)

Anonymous Coward | more than 3 years ago | (#35742158)

It can be made remotely similar to secure if you generate a public/private key pair and encrypt all passwords (after salting) with the public key - both for initially setting them and for checks. The private key should be kept in a safe.

The other question is that it heavily incentivizes authentication schemes that offer no security...

Re:plain-text OS? (1)

elh_inny (557966) | more than 3 years ago | (#35742170)

I think I agree to an extent; reversible encryption is only a notch better than plain text, and some dumb policymaking politician doesn't understand technology, and it doesn't mean we have to bow to such idiots at the helm.
A very strong message would be for Google to withdraw from France and stop indexing .fr pages, but I don't think they will do it unless they really have to.

Re:plain-text OS? (4, Insightful)

sjames (1099) | more than 3 years ago | (#35742316)

If enough large internet entities black-holed France as a united front, the law (or France) would go away and other countries would learn a very valuable lesson. That or just declare that since it's a lot of trouble to maintain multiple authentication systems, all French Citizens will have their password set to "password".

An alternative would be to start hacking and publishing password lists for France.

Re:plain-text OS? (1)

gilleain (1310105) | more than 3 years ago | (#35742406)

> If enough large internet entities black-holed France as a united front, the law (or France) would go away and other countries would learn a very valuable lesson.

Would that lesson be : if you cut a country off from the Internet, it magically disappears?

Re:plain-text OS? (0)

Anonymous Coward | more than 3 years ago | (#35742346)

mm ok a real hash is no longer possible, but how about public/private keys?
use a public key on the server to write and check the password,
and keep the private key in a vault until required to show the password.

anyone know if this is legal in fr?

(i use this method in some php app for a customer who wanted to see the passwords; the app decrypts the key with a user-supplied strong pass (use https auth to not store passwords))

Re:plain-text OS? (1, Informative)

madprof (4723) | more than 3 years ago | (#35742140)

The summary is wrong. The article does not actually say they can't store hashed passwords. Yet another highly inaccurate summary to throw those who have not actually read TFA.

Re:plain-text OS? (2)

piripiri (1476949) | more than 3 years ago | (#35742162)

You must be new here.

Re:plain-text OS? (0)

Anonymous Coward | more than 3 years ago | (#35742164)

Actually the article says they must store passwords and turn them over to authorities on demand. If you store one way hashes instead of passwords then you can't do that so while the BBC article doesn't use the word hash it does pretty much say that.

Re:plain-text OS? (3, Informative)

fredmosby (545378) | more than 3 years ago | (#35742208)

The article says they have to be able to provide the actual passwords. The idea behind using a hash is that the actual password isn't stored and can't be determined using the hash. That way if someone steals their data they still can't get the actual user passwords. According to the article, any secure implementation of hashed passwords would be in violation of this law.

Re:plain-text OS? (0)

Anonymous Coward | more than 3 years ago | (#35742186)

OSes aren't affected by the decree.

From TFA: "The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers."

Which doesn't make it any less stupid...

Re:plain-text OS? (0)

Anonymous Coward | more than 3 years ago | (#35742308)

As usual the ./ title is misleading.
The law isn't against storing hashes, it mandates every internet web site to be able to produce a whole lot of info on their users, including plain text password.

It has nothing to do with OSes (or for that matter anything that's not a web site / ISP) nor anything to do with hashes.

It's "just" an Orwellian law that aims at providing a lot of personal info about citizens to investigators in various administrations.

no, really (1)

alex_l83 (1781636) | more than 3 years ago | (#35742020)

this is complete nonsense.

Anonymous will love this. (1)

Anonymous Coward | more than 3 years ago | (#35742022)

France just made life easier for hackers.

Re:Anonymous will love this. (1)

ArsenneLupin (766289) | more than 3 years ago | (#35742098)

Hackers would still need to breach the security of the server where the plaintext passwords would be stored. It's not as if facebook gave shell accounts with which users could just peruse /etc/passwd...

Re:Anonymous will love this. (1)

definate (876684) | more than 3 years ago | (#35742136)

Yeah, you're right. Because there is still SOMETHING they need to do, it hasn't made their lives EASIER. (Easier being the operative word here)

Also, sure, Google and Facebook might be secure, so ALL websites will be [torrentfreak.com] secure [pcworld.com] .

Unfortunately.... (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35742026)

It's still likely that if an eCommerce site is hacked and personal data is stolen, they will still be liable for not taking adequate care in storing personal information, such as following best practices for passwords.

Rock vs Hard Place

Re:Unfortunately.... (1)

mhelander (1307061) | more than 3 years ago | (#35742372)

To begin with, there's a world of difference between knowing how to salt and hash passwords (very basic stuff that any developer should know) and knowing how to secure a system connected to the Internet (more of a job for dedicated security experts).

Secondly, the assumption must be that you will be hacked and that you should try to minimize impact when this happens. If the passwords are properly hashed then you (the site owner) have done the most important part of your work to ensure that when your site is hacked the hacker won't get access to my (the site user's) plain text password. As people reuse passwords between sites, taking this measure of hashing salted passwords is very important.

In the end almost any site will be possible to compromise. If we call that "Rock" then it is not "Rock vs Hard Place", it is more like "Rock vs Rock with Snakes" (possible to compromise AND gives the hacker plain text passwords).

French style (4, Insightful)

xonen (774419) | more than 3 years ago | (#35742028)

> If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.

Actually, that's probably exactly what the French are after, even if it's only a `side-effect` in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in French style.

Stating that this effect is 'on purpose' is hard to prove. After all, European legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy-breaking law. ...? Profit!

Re:French style (1)

GPLHost-Thomas (1330431) | more than 3 years ago | (#35742156)

I fully agree that it may not have been on purpose. The recent history of French laws is full of examples showing how little clue legislators have about technology. One of them is the recent HADOPI, which was supposed to limit file sharing but which already seems useless to everyone.

Re:French style (0)

Anonymous Coward | more than 3 years ago | (#35742174)

Agreed. Also, change France to America and you have another correct statement.

Re:French style (2)

Darfeld (1147131) | more than 3 years ago | (#35742388)

Or China... Or Japan... Wait, everyone does it! Only in this case, I suspect incompetence rather than evil protectionism... With maybe a little big-brother wannabe.

Re:French style (3, Insightful)

YoopDaDum (1998474) | more than 3 years ago | (#35742246)

"Never attribute to malice that which is adequately explained by stupidity". Politics in France are particularly clueless about technology. Worse, they think they know it all because they had some cute web site with streaming video designed for them. And someone who thinks he's good without having a clue is dangerous indeed. The current French government is in full swing on security posturing, without much concern for the practical consequences, which are not so clear to them anyway. All this is enough to explain this new law.

As for being a trick to favor French firms, this is incorrect as local companies are also affected and suffer from this. From the article, one of the companies attacking this law is DailyMotion, and they're French. I don't see any tech company being happy about this.

Lastly, there have been several laws cancelled in France recently due to either being incompatible with European laws or being against France's own constitution. That gives you an idea of how well prepared and thought out the projects were... So this is not done and over.

Yep (0)

Vskye (9079) | more than 3 years ago | (#35742038)

Leave it to France to not have a clue again.

Re:Yep (0)

Anonymous Coward | more than 3 years ago | (#35742090)

Anyone know when France became a province of the PR of China...?

Re:Yep (1)

Anonymous Coward | more than 3 years ago | (#35742436)

Leave it to French politicians to not have a clue again.

FTFY.

Oh well (1)

powerspike (729889) | more than 3 years ago | (#35742040)

Guess France wants to go back to the stone age. If this stays, they'll try to extend it to computers as well, and then, well, anything that uses a GUI will pretty much be illegal.

Re:Oh well (0)

Anonymous Coward | more than 3 years ago | (#35742082)

It's not what people want. Politicians have written these laws because of the music lobby, to fight illegal downloading. It's just bullshit.
I hope they will get a little visit from Anonymous for such disrespectful laws.

Re:Oh well (1)

ksemlerK (610016) | more than 3 years ago | (#35742254)

So if there are no GUIs, and since most people aren't familiar with the "DOS prompt", I guess that gives Linux a fighting chance to actually succeed in France. :D

OMFG! (0)

Anonymous Coward | more than 3 years ago | (#35742042)

OMFFFG!!!!

The 'Stupidity' superbug (0)

badger.foo (447981) | more than 3 years ago | (#35742060)

The right-hand column on the BBC site has a link to a story called "Europe is 'losing' superbugs battle". The current story is a case in point: Europe is losing big time against the sinister "Stupidity" superbug.

A simple solution (4, Funny)

Gadget_Guy (627405) | more than 3 years ago | (#35742062)

I know a lot of people will say that these companies should block France to bully the government into repealing the law, but that really is not workable and would be against shareholders' interests.

The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.

And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!

Re:A simple solution (5, Funny)

ArsenneLupin (766289) | more than 3 years ago | (#35742118)

Hehe, reminds me about when France leaned on Luxembourg to repeal its banking secrecy laws.

Luxembourg slowly started complying... by first publishing account details about French politicians! Always be careful what you ask for!

Re:A simple solution (0)

Anonymous Coward | more than 3 years ago | (#35742138)

I think this is a great idea. Instead of trying to sugarcoat the stupidity, just tell your users that Law X, available at x.url, prevents them from operating as they have in the past, and now they will be forced to operate in an extremely stupid manner. Oh, and if you don't like this, just call X at X-X-X.

Re:A simple solution (1)

Psychotria (953670) | more than 3 years ago | (#35742168)

> I know a lot of people will say that these companies should block France to bully the government to repeal the law, but that really is not workable and would be against shareholder's interests.
>
> The easiest solution is just to comply with the law. But rather than change the data structures of the backend software to accommodate one country, they should just blank out all the passwords and disable the ability to change them. It is a win for everyone then. The companies comply with the law. The police, fraud office, customs, tax and social security bodies can all access the citizens records directly without burdening the service providers.
>
> And of course, the French people get a valuable lesson in why they should care about who can access their accounts. Let the French people decide whether this is a good idea or not at the next election!

A win for everyone? I doubt it. I don't think that would be a "win" for clients/consumers/end-users. Are you really that myopic or is this a troll?

Re:A simple solution (2)

Gadget_Guy (627405) | more than 3 years ago | (#35742262)

> A win for everyone? I doubt it. I don't think that would be a "win" for clients/consumers/end-users. Are you really that myopic or is this a troll?

Did you just stop reading at that sentence? Did you think that anyone could seriously suggest this? The final paragraph puts it in context: the "win" for the French people was that they get to learn to care about their data security. It is a lesson that they can pass on to the government at the next election.

This is especially aimed towards the "I have got nothing to hide, so why should I care" type of person. It's bad enough that the government can access the logs of what you do online, but with the passwords they can also log in as you and make it look like you have done something bad. (Makes for an interesting legal defence...)

Summary is COMPLETELY WRONG (5, Informative)

xtracto (837672) | more than 3 years ago | (#35742070)

> Storing passwords as hashes instead of plain text is now illegal in France,

No, it is not. Nowhere in the article (yes, I read it) does it say that. The law that is being challenged by Google and others is one that requires them to store users' information for one year.

It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one... or just "reset" the password of the account and give it to the French police.

Nevertheless, the law is still idiotic, as they say in the article; just a couple of months ago France slapped Google over some privacy issues, and now they want them to keep so much data for so long?

Re:Summary is COMPLETELY WRONG (5, Informative)

Anonymous Coward | more than 3 years ago | (#35742134)

First, I'm French.
I read the law http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTEXT000023646013&dateTexte=&oldAction=rechJO&categorieLien=id

You have to store information about content creators only (not relevant for a pure mail provider, maybe in the case of a multiservice google account).
Password and payment information, among others, must be given upon request to the authorities, but as I understand it, ONLY IF THEY ARE ALREADY COLLECTED.

Not that I think it's a "good" law, but it is not as bad as said in the article, as I understand it.

Re:Summary is COMPLETELY WRONG (1)

Anonymous Coward | more than 3 years ago | (#35742184)

> You have to store information about content creators only (not relevant for a pure mail provider, maybe in the case of a multiservice google account).

Must be a translation problem here. Anyone who writes emails is a content creator. If someone only receives emails or forwards them unchanged then I guess that would be different but otherwise... you're going to have to be a lot clearer on what you mean.

Re:Summary is COMPLETELY WRONG (0)

Anonymous Coward | more than 3 years ago | (#35742160)

> Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...

WTF? Who stores passwords in a form that can feasibly be reversed? I guess a dictionary attack comparing hashes or something but assuming a non-moron set the password then... huh?

Re:Summary is COMPLETELY WRONG (0)

Anonymous Coward | more than 3 years ago | (#35742324)

> Nowhere in the article (yes, I read it) does it say that.

I read the article as well.

"This includes users' full names, postal addresses, telephone numbers and **passwords**. The data must be handed over to the authorities if demanded."

Doesn't mention plain text, but if your password can be read back to plain text you may as well be in plain text, as I am sure the master password would have to be made available as well.

Re:Summary is COMPLETELY WRONG (3)

Gadget_Guy (627405) | more than 3 years ago | (#35742344)

> or just "reset" the password of the account and give it to the French police.

This tips off the target that the cops are onto them. I was going to write "suspect", but that assumes that this will not get abused by the government to spy on non-suspects too.

I guess the way to protect yourself from this surveillance is to change your password on a daily basis (or even twice a day). By the time that the request has been processed by the service provider and passed onto the authority, then it will already be out of date.

Re:Summary is COMPLETELY WRONG (0)

Anonymous Coward | more than 3 years ago | (#35742440)

> but assumes that this will not get abused by the government to spy on non-suspects too.

Ha ha ha. Which planet's governments were you thinking of when you wrote this?

Re:Summary is COMPLETELY WRONG (5, Insightful)

LBU.Zorro (585180) | more than 3 years ago | (#35742376)

Summary isn't completely wrong, you're actually wrong.

The article specifically states that

> The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
>
> This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

Which means that they would have to store the password, and be able to give it out to authorities.

So, to take your points:

> It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better, if you hack the French data you start potentially having the information necessary to recover passwords from other, more secure countries. As for the 'write only' file, seriously? The only write-only file is /dev/null; if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a printer and print them all; if there's no digital way to read it then it would have to be a physical security breach, but the cost of compliance?

> Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...

Kinda plausible, if only hashes were guaranteed to be one-to-one, only they aren't, as it is possible to have hash collisions where two passwords map to the same hash. This doesn't usually matter, but it does mean you wouldn't be able to guarantee that there was no hash collision and that you weren't giving the authorities the wrong password, which would be illegal under this law. Granted, the authorities may not know this and may not do anything about it, but if they wanted to be evil it wouldn't be hard to prove non-compliance.

> or just "reset" the password of the account and give it to the French police.

Yeah, as above this would be giving them the incorrect password and would be violating the law. You really think they want the password to log into the site? Seriously? When they can just demand access? Most likely they're taking advantage of the fact that people tend to use the same passwords, so getting a historical record (and note this information has to be held for at least a year) of passwords for that user means there is a high likelihood that they'll be able to access data outside of their country. The law isn't asking them for their current password, or should I say not JUST their current password, it's asking for ALL of this data for the last year.

It's a data retention law, not a "you must provide this to authorities when asked" law. You have to gather the information all the time, keep it for a minimum of a year, and provide all that historical information on request (this is not just the current information). Which means you cannot just provide the current information, or reverse a hash, etc.

The law is broad-reaching, really intrusive, and will cause far more problems for anyone than the French might hope it will solve, but for some reason you (after apparently reading the article) missed the point of it entirely.

Z.

Re:Summary is COMPLETELY WRONG (1)

WWWWolf (2428) | more than 3 years ago | (#35742390)

> It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

The purpose of hashing passwords is that if the datastore that contains the user credentials is compromised, the attacker cannot learn the actual passwords. The problem in your scenario is that there's no such thing as a "write only" file and an additional database only increases the overall complexity of the system; if the attacker can get to the hashed passwords, the system is bound to be severely compromised and it's reasonable to assume that they're able to get to the components that save the passwords to that external database.

Look at it this way: The login component that stores the hashed passwords has to communicate with the plain-text database. The plain-text database has to assume that the login component's security is air-tight, because otherwise it won't be able to tell apart legit and illegal requests to update passwords. Now, if the attacker can get the hashed passwords, that means they have their claws on the login component. Which means they have the plain-text database credentials. Oops. And if you assume that everyone doing this sort of database always manages to make the database "write-only" (e.g. SQL database with only UPDATE commands allowed), you're assuming too much. Besides, if the attacker is able to get that database's credentials, what's stopping them from throwing a giant spanner in the works and making you legally liable for not saving plain-text passwords? (UPDATE users SET password = '';) You can do a lot of damage either way.

User credentials are a very crucial bit of information whose privacy has to be guaranteed at all costs, and you don't replicate them randomly on bazillion places. Especially if some places are by design less secure than others, and there's an automated gatekeeper whose job is to purposefully degrade that security.

anything worth its salt (1)

oliverthered (187439) | more than 3 years ago | (#35742094)

I would never give real details for anything worth its salt anyhow... and I got good entropy on my hash at home.

Law makers.... (1)

the_mind_ (157933) | more than 3 years ago | (#35742102)

When will law makers stop trying to make laws on technical matters they do not understand and that affect technical users?

"No, your Honor. The passwords are not hashed. They are encrypted using public key encryption. It's just that I have lost the private key..."

I'd better choose my passwords carefully (1)

alci63 (1856480) | more than 3 years ago | (#35742110)

I already have different levels of passwords, depending on the sites or type of sites I log into... I will now be even more careful, to be sure I never use any valuable password outside of my own machines... I think my main "public" password will sound something like "F*ckSARKO".

Randomize (2)

Mascot (120795) | more than 3 years ago | (#35742166)

I use a password manager and unique randomly generated passwords for wherever I sign up. As far as I am aware, I don't have any accounts on servers in France, but even if I do that'd be all anybody'd be able to get access to with that password.

It did take a while to find a password manager that supported all my platforms and offered sufficient integration to not make life too difficult, but well worth it for the peace of mind.

For my local stuff (OS logins etc) I use passphrases I can actually remember and type in by hand, of course.

Re:Randomize (1)

Maddog Batty (112434) | more than 3 years ago | (#35742218)

OK, Cough up. Which one do you use?

I use LastPass which seems to do the job for me though I'm always a bit scared that there may be some security issue with it.

Re:Randomize (0)

Anonymous Coward | more than 3 years ago | (#35742414)

You are making it less secure by revealing which one you use.
Now people only have to determine the master password and settings and they have all your passwords, no matter how long or "secure" they are. (I know it's unlikely anyone can find out / crack your master password.)

Re:Randomize (1)

Mascot (120795) | more than 3 years ago | (#35742490)

I'll make you a deal. Think that through for a bit longer, then respond as something else than AC, and I'll happily tell you which rather vital step you're missing to make your "less secure" statement true.

Re:Randomize (0)

Anonymous Coward | more than 3 years ago | (#35742302)

Would you care to tell the name of the password manager you're using?

Goodbye GANDI (1)

craznar (710808) | more than 3 years ago | (#35742116)

Well, I just finished switching my Domain registration across to GANDI.

Time to move again... jeez France.

Re:Goodbye GANDI (1)

GPLHost-Thomas (1330431) | more than 3 years ago | (#35742192)

Not a bad thing. GANDI is one of the worst providers on this planet, and also very expensive.

how much to disarm, have troops etc come home? (-1)

Anonymous Coward | more than 3 years ago | (#35742122)

sort of an end to death by lack of participation (supplying ordnance, eugenics, weather etc..)? too whack?

let's vote on that, right away, today, before even worse stuff happens to all of us, except the royals. that's something we could afford that would work out well for the majority of babies, genuine native americans, humanity etc.. unheard of? not a peoples' choice issue? we just don't understand the complexities? more unnatural manufactured death & resulting debt (for us) is our reward? disgusting. shameful. carry on.

spies like us?
http://www.youtube.com/watch?v=dDVt_hSo_EU&NR=1

maybe sir richard branson could help us with his opinion (of the queen mothership, uncle sam 'business' etc..)?

we know the genuine native american elders rising bird of prey leadership initiative prospective (teepeeleaks etchings).?

could not the death machines be recycled? (0)

Anonymous Coward | more than 3 years ago | (#35742350)

disassemble that crud (some fancy materials to say the least, some likely hard to even melt), & build newclear powered refrigerators, houses, play-date/photon gathering facilities etc... we're sure our guys would prefer to become life extenders full time, with all attending benefits to all. no? the majority prefers never ending death by dismemberment & disintegration projects? that's it then.

back to '90 (0)

Anonymous Coward | more than 3 years ago | (#35742124)

I guess most hackers/spammers/phishers will support this initiative.

French Data Law (2)

fruey (563914) | more than 3 years ago | (#35742142)

Sadly, the restrictions in France in eCommerce are wider ranging than even this. Storing credit card information, for example, requires companies to jump through many hoops and prove data is stored in Europe. Many sites steer clear of storing credit card information. Any subscriptions (newsletters, etc) have to be kept in auditable databases and opt-out laws are strong. Sometimes this is a good thing for the end user, but it stifles intelligent lazy login systems and means billing is not as automated as it needs to be. Anti-fraud measures such as 3D Secure [wikipedia.org] (Verified by Visa, Mastercard SecureCode) are crap in France because the banks have all adopted different ways of authenticating their clients in an online payment system (some by a challenge/response via SMS, some via one time pads, some via birthdate, etc).

Obviously legal departments are kept busy, and content publishers or eCommerce merchants end up crippling user experience because they are very likely to take a pessimistic interpretation of all the data privacy laws. So the French do what? The internet illuminati sign up for US/UK English versions of sites, or French Canadian sites, whereas the average Joe just thinks the net is about typing in the same data all the time.

Where are the politicians with tech knowledge??? (3, Insightful)

niftydude (1745144) | more than 3 years ago | (#35742144)

I seem to be seeing more and more stories like this, where politicians make incredibly ill-conceived laws due to their ignorance of technical detail.

I don't know if it is the same in France, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.

Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.

Where are the engineers and scientists willing to step up and serve their country politically? We need you.

Re:Where are the politicians with tech knowledge?? (2)

YoopDaDum (1998474) | more than 3 years ago | (#35742338)

I fear there's significant self-selection at work here. Would you join a political party full of people with a very different culture that you do not respect so much (and who pay lip service to yours)? Like you're an engineer, and political parties are made of lawyers and accountants as you said? Or to put it in a more colorful way, would you jump into a basket of crabs if you're not one yourself?

I agree with you, there is a very dire need to get more various technical and scientific expertise into politics and parliaments. But with so much energy to spend on getting elected (not fun if tech/science is what interests you) and the crowd you'd be joining, there is a very high barrier to entry in practice. And the worst is that with all the paranoia about many science based issues (nuclear, OGM, ...) I'm not sure that the public would be very supportive of engineers or scientists willing to move into politics.

So I guess the technical input will still be through professional lobbies for a while, and sometimes (as here) after the fact. It's by far not an ideal situation as in such case expertise is strongly biased by financial interests, but without more interest and support for science in the general public in the first place I don't see how we could get much better in practice.

Disputable interpretation by journalists (2, Informative)

Anonymous Coward | more than 3 years ago | (#35742150)

Just 2 points:

1) The law referred to in the press (which is actually an application decree) does not ban hashes, it says the following data should be retained:

"The password and the data used to verify it or to modify it"

2) The decree also adds a KEY sentence, saying that this data should only be retained if it was previously *usually collected*.

The words "the data used to verify it" could cover hashes, but more importantly point 2 means that if they didn't collect passwords, but only hashes, there is no need to start collecting clear-text passwords.

Nevertheless, the decree has other major technical flaws that make it worth challenging in court. Not to mention that it could be considered in breach of European Legislation on data retention, which limits the scope of data that member states can ask to be retained.
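The "data used to verify it" wording above is exactly what a salted password hash is: a record that lets the site check a candidate password but cannot be turned back into the password. As an added example that is not code from the decree, the poster, or any project named in the thread, here is what such a retained verifier record looks like and how a login is checked against it. The record layout (`pbkdf2-sha256$iterations$salt$key`) and the iteration count are assumptions of this example; the key derivation is PBKDF2-HMAC-SHA256 written out from RFC 8018 using only Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Iteration count is a constructed example value; a real deployment picks it
// by benchmarking on its own hardware.
const iterations = 100_000

// pbkdf2Sha256 derives a 32-byte key from password and salt with PBKDF2 over
// HMAC-SHA256 (RFC 8018). One block suffices because the requested length
// equals the hash length, so only block index INT(1) is needed.
func pbkdf2Sha256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index, big-endian
	u := mac.Sum(nil)
	t := make([]byte, len(u))
	copy(t, u)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func encodeRecord(salt []byte, iter int, dk []byte) string {
	b64 := base64.RawStdEncoding
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iter, b64.EncodeToString(salt), b64.EncodeToString(dk))
}

// HashPassword returns the verifier record a site retains instead of the
// password: algorithm id, iteration count, a fresh random salt, derived key.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return encodeRecord(salt, iterations, pbkdf2Sha256([]byte(password), salt, iterations)), nil
}

// VerifyPassword recomputes the derived key from the stored record and
// compares it in constant time. Malformed records are rejected rather than
// guessed at.
func VerifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false
	}
	b64 := base64.RawStdEncoding
	salt, err1 := b64.DecodeString(parts[2])
	want, err2 := b64.DecodeString(parts[3])
	if err1 != nil || err2 != nil {
		return false
	}
	got := pbkdf2Sha256([]byte(password), salt, iter)
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("retained record:", rec)
	fmt.Println("right password verifies:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password verifies:", VerifyPassword(rec, "Tr0ub4dor&3"))
}
```

Two properties matter for the thread's argument: the same password hashed twice yields two different records (the salt is random), and handing the record to a third party lets them verify a guess but not read the password, so the retained data is "data used to verify it" and nothing more.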

Card security standards (0)

Anonymous Coward | more than 3 years ago | (#35742154)

I suspect this would never be allowed for EMV / PCI certified systems.
But then again, France probably has their own superior versions of those standards.

So how about a fucking link? (5, Informative)

Eunuchswear (210685) | more than 3 years ago | (#35742172)

Nothing in the BBC story or the Slashdot submission gives a link to actual useful details.

There's nothing on the ASIC site, nothing on http://www.laquadrature.net/ [laquadrature.net]

All I can find online is http://www.zdnet.fr/actualites/conservation-des-donnees-sur-internet-l-asic-se-fache-39759703.htm [zdnet.fr]

Turns out that the law was passed in 2004. This is about the "decret d'application", i.e. the note from the government that specifies exactly what the retention period is.

What on earth use do they think this will be (1)

Chrisq (894406) | more than 3 years ago | (#35742180)

If an ecommerce site can lock someone's account, give full access to the authorities, or change a password (all of which can be done with hashed passwords) why would they want to know someone's actual password? This will need rewriting of most systems and OSs for no gain whatsoever.

Couldn't they just... (1)

Anonymous Coward | more than 3 years ago | (#35742200)

Granted I didn't RTFA, couldn't companies comply with the law by setting a new password and giving that to police if they ask for it?

Before everyone gets too excited... (5, Informative)

Noryungi (70322) | more than 3 years ago | (#35742214)

You have to remember that this is France, a country where laws are voted by Parliament, but then quietly dropped once less clueless people realize they are unworkable.

Think I am crazy? In France, to become the "law of the land", any legislative PoS like this one must be first described and "configured" -- so to speak -- through "Décrets d'application" that are written by the Government. Any law that does not have its "Décrets" is simply not applied by the courts. And you would be surprised to learn that -- if I remember correctly -- close to 50% (I think the number was 43% to 45%) of all laws voted by Parliament never receive their "Décrets".

In other words, it goes something like this:

A. Clueless Parliament vote clueless law, based on a clueless request ("Think of the Children!") by a clueless (Conservative) Government. For instance: "Evil Nazi Hackers Must Surrender Passwords to Police Or Else!".

B. Every geek in France loudly protests and is soundly ignored by Clueless Parliament: Clueless law passes and makes it mandatory for all Evil Hackers to surrender passwords to police (Or Else). Yeah, right. You can pry my passwords from my cold, dead fingers, mate.

C. Large, politically influential e-commerce companies (Errr... www.fnac.com, www.amazon.fr, etc) quietly contact Government and whisper: "Clueless law will destroy e-commerce in France. By the way, e-commerce is now worth XYZ Billion Euros a year in France and here is a (large) check for your... er... humanitarian projects".

D. Clueless Government promptly forgets all about Clueless Law, which is, in turn, immediately ignored by all the Courts of Justice in France.

E. Profit. Meaning: everyone is happy: (Clueless Conservative) Government and Parliament posture and pretend they are doing something about children-threatening Evil Hackers (tm), declare victory on all Evil Hackers and move on to the next "outrage du jour", e-commerce sites go back to business as usual and Courts breathe a sigh of relief they won't have to get into a whole heap of trouble trying to judge something so badly designed. Even the police are happy because they will now have another tool to be able to put pressure on small businesses in order to hound them. Big businesses, of course, have their own ways of dealing with that kind of pressure (see point C above).

Move along folks, nothing to see here: just clueless (Conservative/Liberal) politicians doing their jobs.

If I sound cynical, it's because I freaking hate these freaking people. I am just so sick & tired of these fsckers. As a Frenchman, I really think it's time to get the Guillotine out, give it a good scrub, and start chopping some (politician) heads off. Tree of liberty refreshed by the blood of tyrants and all that.

Welcome to France, just make sure you hand over all your passwords to the nice man in blue at the frontier. (Just kidding!)

All these comments (3, Interesting)

Kjella (173770) | more than 3 years ago | (#35742228)

And nobody sees this is easy to implement and perfectly safe.
1. Create a GPG key pair
2. Put the public key on the login server, the private key in a safe.
3. When setting the password, encrypt the plaintext password with the public key.

If law enforcement comes calling, get the encrypted GPG message. Decrypt on a secure offline machine using the key from the safe. There you have it, recoverable passwords with essentially no safety risk that I can see.

Re:All these comments (1)

CrashandDie (1114135) | more than 3 years ago | (#35742328)

Mainly because public key encryption is way too slow. What you want is generate a random symmetric key, encrypt the data you need with that, and then encrypt the symmetric key using your public key, once, and delete all other traces of the symmetric key.

The end result is still the same, just a whole lot faster.

Re:All these comments (1)

Kjella (173770) | more than 3 years ago | (#35742380)

Congrats, you've just described how encrypting something with GPG works. Except when you're just storing something as short as a user/pass combo that's actually extra overhead. Or did you think you would encrypt all the passwords at once? And how would you then update one password or add one user? You don't *have* the other passwords as plaintext anymore and you can't recover them - if you could then anyone who rooted your login server could too. Besides, once every password reset is not much at all.

Re:All these comments (0)

Anonymous Coward | more than 3 years ago | (#35742396)

How will that work with passwords? Wouldn't you need to decrypt the symmetric key, so that you could use it, every time the user tried to login?
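The hybrid scheme the three posts above are circling (the construction GPG itself uses) is easier to judge in code. The following is an added example, not code from the thread or from GnuPG: the login server holds only an RSA public key, every stored password gets its own freshly generated AES-256 key, the password is encrypted under that key, and the key is wrapped with RSA-OAEP so that only the offline machine holding the private key can unwrap it. Go's standard-library RSA-OAEP and AES-GCM stand in for GPG; the OAEP label and the `EscrowRecord` layout are assumptions of this example. It also addresses the last question: nothing is decrypted at login time, because this escrow copy sits beside, and is never consulted by, whatever hashed verifier the site uses to authenticate users.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose; it is an assumed value.
var oaepLabel = []byte("password-escrow")

// EscrowRecord is what the login server stores. Nothing in it lets the
// server, or anyone who copies its database, recover the password without
// the private key kept offline.
type EscrowRecord struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey)
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-GCM(aesKey, nonce, password), auth tag appended
}

// Seal runs on the login server, which holds only the public key.
func Seal(pub *rsa.PublicKey, password []byte) (*EscrowRecord, error) {
	aesKey := make([]byte, 32) // fresh 256-bit key for this record only
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, password, nil)
	// One public-key operation per record, on 32 bytes, not on the data.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	// Scrub the symmetric key: only the wrapped copy survives.
	for i := range aesKey {
		aesKey[i] = 0
	}
	return &EscrowRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the offline machine that holds the private key. A wrong key or
// a tampered record yields an error, not garbage.
func Open(priv *rsa.PrivateKey, rec *EscrowRecord) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // private half goes in the safe
	if err != nil {
		panic(err)
	}
	rec, err := Seal(&priv.PublicKey, []byte("correct horse battery staple"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext\n", len(rec.WrappedKey), len(rec.Ciphertext))
	pw, err := Open(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered offline: %q\n", pw)
}
```

The cost argument in the thread comes out as follows: `Seal` does exactly one RSA operation per password change regardless of password length, so there is no per-login cost at all, and because each record has its own symmetric key, updating one user's password never requires touching, or being able to read, anyone else's.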

Liberté, égalité, fraternité (1)

Damnshock (1293558) | more than 3 years ago | (#35742238)

Where did those words go?

ZOMG! (0)

Anonymous Coward | more than 3 years ago | (#35742266)

Now the French are surrendering to hackers?!?

RTFL, read the law (1)

ei4anb (625481) | more than 3 years ago | (#35742306)

I suspect the OP did not verify the exact wording. The law requires retention of (among other things) "mot de passe ou données permettant de le vérifier ou de le modifie" (password *or* data to verify it *or* change it) so it seems that it would be enough to store the password hash and/or do a password reset when demanded by the law enforcement guys.

Could people with better French than me please verify my understanding of what it says:

http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023646852&dateTexte=&oldAction=rechJO&categorieLien=id [legifrance.gouv.fr]

Re:RTFL, read the law (1)

scsirob (246572) | more than 3 years ago | (#35742400)

How is this any better than requiring every citizen to give a copy of their keys to their home, *or* permission to change the locks to the authorities, so the authorities can roam around at will?

This is bloody stupid. All eCommerce companies not hosted in France should immediately and abruptly stop service to the entire French IP range. Today. Let's see them wiggle their way out of *that*..

Re:RTFL, read the law (0)

Anonymous Coward | more than 3 years ago | (#35742450)

"mot de passe ou données permettant de le vérifier ou de le modifie" (password *or* data to verify it *or* change it)

This reminds me of a question I asked in French class a few weeks back (of course I don't remember the details, though it is probably rather pertinent).
I read a phrase in French which clearly meant something like "A, B, and C". In French, this was written as "A, B ou C". I asked whether this was correct, and the teacher said this was correct French -- it doesn't have to be "et" instead of "ou".

Leave it up to the French to have cases where "or" means "and"...
Anyway, I don't recall the specifics, so I can only offer this as a background story that "ou" need not always mean "or" -- which changes the above sentence rather a lot....

Re:RTFL, read the law (0)

Anonymous Coward | more than 3 years ago | (#35742470)

You wouldn't even need to allow a password reset. It says "données permettant de le vérifier *ou* de le modifier", which means "data allowing to verify it *or* modify it".
So basically, providing the hash should be sufficient to comply with this law.

Oh well (1)

McTickles (1812316) | more than 3 years ago | (#35742314)

Good thing I don't trust French companies (on top of the list, my ISP) then (I live in the aforementioned country).

Good thing I am not in France to host my data, even though admittedly French hosting prices are going to have to go down to compensate loss of trust after this.

Sarkozy and his goons have no bloody idea what they are doing to the French digital economy, innovation and research; his ludicrous ideas to hand the internet over to the police and big media corps are having a huge NEGATIVE impact on the very people and companies that keep the network running!
Sarkozy wants to make France attractive for major tech companies and research in digital innovations (so he claims) BUT what researcher or company is going to want to come to France when they'll feel constantly spied upon and will have to follow silly rules on a crippled network?

They are messing with things they have no hope of ever understanding at this rate and it is hurting the economy and people generally.

Don't jump to quick ... (0)

Anonymous Coward | more than 3 years ago | (#35742326)

I totally second "Anonymous Coward"'s "Disputable Interpretation". I made the same mistake, got on my high horse, and kinda ridiculed myself when I actually gave a deeper look at, you know, ahem, the bill. (in French: http://enattendantlamor.blogspot.com/2011/03/mea-culpa-mea-culpa-bon-sang-mais.html )

The bill is here (in French, you would have guessed):

http://www.journal-officiel.gouv.fr/verifier/explication.php?fic=joe_20110301_0050_0032.pdf.sig&basedir=../publication/2011/0301&joDate=01/03/2011&sommairePage=#

As it was passed and "decreed" it says that if a website collects some kind of data (specified by the bill) on a regular basis, then they should keep it around for a year. The list does include passwords, but nowhere does it *require* websites that would normally store hashed passwords to suddenly store them unhashed.

Still, the law is far from perfect (I'd rather have a bill that *prevents* plain-text password storage), the feasibility is arguable at least, and the bill has been condemned on other grounds.

Don't worry, French papers made the mistake too.

All the more reason to use Federated Identity (1)

pmcevoy (10501) | more than 3 years ago | (#35742336)

All the more reason to use a Federated Identity Provider like OpenID, and authenticate against servers in another more favourable jurisdiction. Still doesn't stop sites from handing over your data, but at least your password is safe!

French patriot act ? (0)

Anonymous Coward | more than 3 years ago | (#35742428)

It's a bit like the Patriot Act except that they want to access data on demand (so need a password) whereas the USA already stores and filters all the data before it arrives to the user (but shhhhhush, it's a secret)

The difference is budget for data storage
The similarity is a total lack of imagination: trying to get omnipotent will not stop crime: it's just going to get it sharper (oh yeah and you'll fine this guy who downloaded 2 albums of Johnny Hallyday)

I'm French and have to live with the fact that my government too is as stupid as evil.

Let's vote to choose the dumbest of both evils, oh wait... shit

The new law is stupid! (0)

Anonymous Coward | more than 3 years ago | (#35742456)

This is just ridiculous! What about user's trust? And security? Users generally set similar passwords for different accounts on different websites. If only one of them is compromised, the hacker has practically hacked into the other accounts.

Stupid, laughable law! :))

France want to unprotect the french? (1)

Tei (520358) | more than 3 years ago | (#35742464)

Not storing passwords is a good system to protect people's privacy and safety.

And the very idea of banning *how* you protect people with software is stupid itself.

- It's stupid, because unenforceable laws are stupid. Banning something you can't enforce is wasting everybody's time.
- It's stupid because it is not achieving what you probably want. If you want to be able to get the bad guys' data, the bad guys can just use cleartext passwords, but cipher the actual data, so even if you get the password, you get a bunch of ciphered data.

So, what do these laws exist for? Is it to peek into commercial mails from small size / medium size companies? Why does the French government want to do that?

Why the state needs the plain password? (2)

devent (1627873) | more than 3 years ago | (#35742478)

Why do they even need the plain password? The service providers have the (salted) hash of the password, with it the user can access the account. What the state agencies need is the hash and an interface to input the hash to access the user account.

Why do they even need that? The service providers are storing the information on their servers anyway, why can't they give a copy of it to the state agencies?

The only reason that requires saving the plain text password is that the state agencies want to have the password in the hope that the person uses that password for other accounts. A lot of people don't bother to make up new passwords, they just think of a password and use it everywhere.
