French law requires service providers to store and surrender passwords

Filed Under: Data loss, Google, Law & order, Privacy

Map of France asking for detailsLast month the French government passed new legislation dictating that service providers keep records of every username, password, activity, date/time and email address for 12 months.

The providers should also keep postal addresses and phone numbers if they are known, according to a post on GigaOm.com.

The European Union has been passing ever more confusing privacy bills for some time now, but the French one seems to have stepped a little too far over the privacy line.

If service providers are required to store your password(s) for 12 months, this will make data loss events even more tragic. For the providers to surrender your password to the police or other government authorities, they must either store your password in plain text, or in some reversible hashing algorithm. (See update at bottom)

The recent SQL injection attack against MySQL/Sun/Oracle disclosed some database passwords that were stored using one-way hashing. Some of these were still able to be brute-force attacked and their plain text determined, but it took some effort. Imagine what could have happened. . .

If all businesses doing transactions in France must record your password for every login this will surely lead to the passwords being stored on internet facing computers, ripe for the picking by cybercriminals.

Users are not in the habit of having a unique password for every service, so the compromise of a single small internet services firm could reveal all the information necessary to compromise your other accounts.

While I am sure law enforcement would love to be able to acquire this kind of data when investigating crimes and terrorism, this is simply a horrible idea.

ASIC logoIn response, ASIC (Association of Community Internet Services), an industry trade group that includes Facebook, Google and Ebay, has filed suit to have the law overturned.

It is likely their concerns are more about the burden it places on them for collecting and protecting the data, but it is still a good thing whatever their motive may be.

If you need some advice on how to choose a good password and make sure you are able to remember it, check out this advice from Naked Security's Graham Cluley.

Update: Naked Security reader Eric Freyssinet wrote to inform me that the law in question does not require the method used to store passwords to be changed, simply that whatever method is used be made available to the government for one year. He wrote an article representing his views on his blog Criminalités numériques.

, , , , , ,

You might like

2 Responses to French law requires service providers to store and surrender passwords

  1. rest of world · 1262 days ago

    terrible idea.

  2. Guest · 1259 days ago

    Great example of people making rules that don't understand the technology.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.