NNSquad - Network Neutrality Squad


[ NNSquad ] France outlaws secure hashed passwords -- massive security FAIL


http://j.mp/f2pk1D  (Sophos)

      "If service providers are required to store your password(s) for
       12 months, this will make data loss events even more tragic.
       For the providers to surrender your password to the police or
       other government authorities, they must either store your
       password in plain text, or in some reversible hashing
       algorithm.  The recent SQL injection attack against
       MySQL/Sun/Oracle disclosed some database passwords that were
       stored using one-way hashing. Some of these were still able to
       be brute-force attacked and their plain text determined, but it
       took some effort. Imagine what could have happened. . .  If all
       businesses doing transactions in France must record your
       password for every login this will surely lead to the passwords
       being stored on internet facing computers, ripe for the picking
       by cybercriminals."

 - - -

A requirement for storing plaintext passwords, or passwords
"encrypted" in such a way that the original password can be recovered,
seems like a law written by criminals for criminals.  The potential
for disaster, keeping in mind how often many people tend to use the
same password for multiple services, is immense.

This is another example of the strange duplicity within the EU (well,
here in the U.S. as well) when it comes to privacy.  On one hand, we
have governments slamming Google for useful Street View and harmless
accidental capture of data from open Wi-Fi networks, but at the same
time implementing draconian data retention requirements that carry
genuine risks for serious damage to their citizens.

"I cannot prevent the French from being French."
    -- Charles de Gaulle

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
 - PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://j.mp/laurenbuzz
Quora: http://www.quora.com/Lauren-Weinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com