French law requires service providers to store and surrender passwords

Map of France asking for detailsLast month the French government passed new legislation dictating that service providers keep records of every username, password, activity, date/time and email address for 12 months.

The providers should also keep postal addresses and phone numbers if they are known, according to a post on

The European Union has been passing ever more confusing privacy bills for some time now, but the French one seems to have stepped a little too far over the privacy line.

If service providers are required to store your password(s) for 12 months, this will make data loss events even more tragic. For the providers to surrender your password to the police or other government authorities, they must either store your password in plain text, or in some reversible hashing algorithm. (See update at bottom)

The recent SQL injection attack against MySQL/Sun/Oracle disclosed some database passwords that were stored using one-way hashing. Some of these were still able to be brute-force attacked and their plain text determined, but it took some effort. Imagine what could have happened. . .

If all businesses doing transactions in France must record your password for every login this will surely lead to the passwords being stored on internet facing computers, ripe for the picking by cybercriminals.

Users are not in the habit of having a unique password for every service, so the compromise of a single small internet services firm could reveal all the information necessary to compromise your other accounts.

While I am sure law enforcement would love to be able to acquire this kind of data when investigating crimes and terrorism, this is simply a horrible idea.

ASIC logoIn response, ASIC (Association of Community Internet Services), an industry trade group that includes Facebook, Google and Ebay, has filed suit to have the law overturned.

It is likely their concerns are more about the burden it places on them for collecting and protecting the data, but it is still a good thing whatever their motive may be.

If you need some advice on how to choose a good password and make sure you are able to remember it, check out this advice from Naked Security’s Graham Cluley.

Update: Naked Security reader Eric Freyssinet wrote to inform me that the law in question does not require the method used to store passwords to be changed, simply that whatever method is used be made available to the government for one year. He wrote an article representing his views on his blog Criminalités numériques.