Feds tell major internet companies to hand over users' account passwords

At CNET, Declan McCullagh reports that the U.S. government has demanded that large Internet companies provide them with users' stored passwords. The move represents "an escalation in surveillance techniques that has not previously been disclosed," he writes. "If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user." [CNET News]

Notable Replies

  1. Such a warm feeling I get at the thought of some quasi-governmental asshole digging through my business plans because my ISP handed the asshole the keys.

  2. So, maybe if the passwords are encrypted with a symmetric cipher. What if they're salted hashes?

    The United States Government is the APT to end all APTs. If anyone has rainbow tables to salted MD5 and SHA-1, they do. And let's face it, if a site uses a scheme like this to protect their password DBs, they're already ahead of the curve.

    Time for PBKDF2 or better. Fuck the spooks.

  3. Even better, people definitely don't reuse passwords across systems all the damn time so this certainly doesn't make a little extracurricular spying on services who have not been ordered to hand over passwords entirely trivial. No sirree bob, not at all.

  4. The Feds would have a problem with a system I'd designed, because the passwords aren't encrypted. Nor are they stored. What's stored is a one-way hash of the password using a nasty, nasty method (BCrypt) that's designed to not only be irreversible, it's also infeasible to apply in bulk to defeat off-line dictionary attacks. The system can verify that an entered password matches the one that was set for the account, but it doesn't know what the password you set was. You can't give to anybody what you don't have.
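The scheme described in replies 2 and 4 (a salted, deliberately slow, one-way password hash that a server can only verify, never reverse) is illustrated here with an added example; it is not code from the article, the forum, or any company mentioned. It uses PBKDF2-HMAC from Python's standard library in place of the bcrypt that reply 4 names, because bcrypt needs a third-party package; the `algorithm$iterations$salt$digest` record layout, the 600,000-iteration default, and the function names are the example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example: a per-user random salt and a
# work factor that should be raised over time as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a record of the form pbkdf2_<hash>$<iterations>$<salt>$<digest>.

    Only this record is stored. The password itself is never written down,
    so a demand for "stored passwords" can only be met with this record,
    which does not reveal the password.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # fresh per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare it in constant time.

    This is the only operation the server can perform: confirm that a
    candidate matches, not recover what the user originally chose.
    Malformed records simply fail verification.
    """
    try:
        scheme, iterations_str, salt_hex, digest_hex = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        hash_name = scheme[len("pbkdf2_"):]
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Return True when the record was made with a weaker work factor than
    current policy; the caller re-hashes on the next successful login."""
    parts = record.split("$")
    if len(parts) != 4:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demonstration input; not a real credential.
    sample = "correct horse battery staple"
    stored = hash_password(sample)
    print("stored record:", stored)
    print("login with right password:", verify_password(sample, stored))
    print("login with wrong password:", verify_password(sample.upper(), stored))
    # Same password, second user: different salt, different record.
    print("records differ for same password:", hash_password(sample) != stored)
```

Two properties matter for the discussion above: the record does not contain the password in any recoverable form, and because the salt is random per user, identical passwords produce different records, which is what defeats the precomputed rainbow tables reply 2 worries about.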

  5. I've been wondering. What happens if, say, Google calls the bluff? What happens if the feds say "give us unrestricted access to your user data or we're shutting you down," and the next day Google replaces every service they offer around the globe with a page that says, "Regretfully, the United States government has forbidden us to continue providing secure service to our valued customers," followed by a list of Congressional phone numbers organized by state.
