At CNET, Declan McCullagh reports that the U.S. government has demanded that large Internet companies provide them with users' stored passwords. The move represents "an escalation in surveillance techniques that has not previously been disclosed," he writes. "If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user." [CNET News]

From our forums

  1. Cowicide

    Such a warm feeling I get at the thought of some quasi-governmental asshole digging through my business plans because my ISP handed the asshole the keys.

  2. bersl2

    So, maybe if the passwords are encrypted with a symmetric cipher. What if they're salted hashes?

    The United States Government is the APT to end all APTs. If anyone has rainbow tables to salted MD5 and SHA-1, they do. And let's face it, if a site uses a scheme like this to protect their password DBs, they're already ahead of the curve.

    Time for PBKDF2 or better. Fuck the spooks.

  3. fuzzyfungus

    Even better, people definitely don't reuse passwords across systems all the damn time so this certainly doesn't make a little extracurricular spying on services who have not been ordered to hand over passwords entirely trivial. No sirree bob, not at all.

  4. tknarr

    The Feds would have a problem with a system I'd designed, because the passwords aren't encrypted. Nor are they stored. What's stored is a one-way hash of the password using a nasty, nasty method (BCrypt) that's designed not only to be irreversible but also to be infeasible to apply in bulk, to defeat off-line dictionary attacks. The system can verify that an entered password matches the one that was set for the account, but it doesn't know what the password you set was. You can't give to anybody what you don't have.

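Added example, not from the thread or any of its posters: the storage scheme tknarr and bersl2 describe, with PBKDF2-HMAC-SHA256 from Python's standard library standing in for bcrypt. The record format, iteration count and salt size are assumptions.

```python
import hashlib
import hmac
import os

# Work factor and salt size are assumptions chosen for the demo.
ITERATIONS = 200_000   # deliberately slow: each guess costs this much work
SALT_BYTES = 16        # per-user random salt: no shared rainbow table applies


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The plaintext never appears in the record; only a one-way, salted,
    slow hash of it does. (Record format is an assumption of this demo.)
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Malformed records or unknown algorithm tags fail closed (return False).
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    secret = "correct horse battery staple"   # constructed sample password
    rec_a = hash_password(secret)
    rec_b = hash_password(secret)
    print(rec_a != rec_b)                      # True: same password, different salts
    print(verify_password(secret, rec_a))      # True
    print(verify_password("wrong", rec_a))     # False
    print(secret in rec_a)                     # False: the server holds no plaintext
```

Because the salt differs per record, the same password reused on two sites still produces unrelated stored values, and a verifier given a record can only answer yes or no to a candidate it is handed.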