Last week, Slashdot surfaced news about impending and controversial data laws in France with the headline “France Outlaws Hashed Passwords”. They linked to the BBC news story about Google, eBay, Dailymotion and others challenging it.
It’s considered bad form to store passwords in plain text. Plain text is unencrypted. It would mean that if your password was “god” (once a popular password) that the online service provider’s database would store your password, beside your name and other details, simply as “god”. If someone hacks that database and is able to steal the data then that someone has your password. They can read it plain as day.
A much better idea, for security reasons, is to store a hash of the password instead. This uses a piece of cryptography, a hash function, which is a one-way transformation: computing the hash from the password is easy, recovering the password from the hash is meant to be infeasible, and the algorithm itself does not need to be secret. For example, the hash function might turn “god” into “MaCh1#3”. The database stores “MaCh1#3”; the next time you enter your password, your entry is run through the same function (producing “MaCh1#3” again) and compared with what the database has stored. If the two match, you supplied the correct password. In practice each stored hash should also be combined with a random per-user salt and computed with a deliberately slow function, so that two users with the same password end up with different hashes and each guess costs the attacker real work.
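The store-and-verify flow described above, as an added example that is not part of the original post: a per-user random salt, PBKDF2-HMAC-SHA256 as the slow hash, and a constant-time comparison at login. The usernames, passwords and the in-memory “database” are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not from the original article): salted, slow password hashing.
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-run the same function on the login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


# Constructed "database": username -> (salt, digest). The plain text is never kept.
users: Dict[str, Tuple[bytes, bytes]] = {}
for name, pw in [("alice", "god"), ("bob", "god"), ("carol", "correct horse")]:
    users[name] = hash_password(pw)


def login(name: str, attempt: str) -> bool:
    """True only if the attempt hashes, under the user's own salt, to the stored digest."""
    if name not in users:
        return False
    salt, digest = users[name]
    return verify_password(attempt, salt, digest)


if __name__ == "__main__":
    print(login("alice", "god"))                 # True
    print(login("alice", "God"))                 # False: hashes are case-sensitive
    # alice and bob share a password, but different salts give different rows
    print(users["alice"][1] == users["bob"][1])  # False
```

Because each row carries its own salt, an attacker who steals the table cannot tell that alice and bob chose the same password, and cannot reuse one precomputed guess against every row.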
The new French data laws make it a legal requirement for any online service storing passwords in plain text to hand them over to the authorities on request. That’s right. The new French regulations insist that operators keep a note of user names, email addresses, pseudonyms, passwords and a whole lot more.
Eric Freyssinet, the Divisional Chief of France’s cybercrime Gendarmerie task force, has blogged to clear up the misunderstanding.
France will not force retailers, ISPs and others to store user passwords in plain text. However, if passwords are hashed, the stored hashes, along with details of the hashing or encryption technique used, must also be handed over to the French authorities on request.
Last month the French Ministry of Finance was successfully hacked. If they had password hashes and user details in their database then, in theory, that data could now be in the hands of identity theft fraudsters, who could run offline guessing attacks against the hashes at their leisure.
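To show what a stolen table of hashes is worth to an attacker, here is an added example that is not part of the original post and has nothing to do with the Ministry of Finance data: a small constructed wordlist run against two constructed leaked tables, one of unsalted SHA-1 hashes and one of salted PBKDF2 hashes. It counts how many hash computations each attack needs.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Added example (not from the original article): offline dictionary attack on
# leaked password hashes. All usernames, passwords and hashes are constructed here.
WORDLIST = ["123456", "password", "god", "letmein", "qwerty"]
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed leak 1: unsalted, fast hash. Identical passwords give identical rows.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": unsalted_sha1("god"),
    "bob": unsalted_sha1("god"),
    "carol": unsalted_sha1("Tr0ub4dor&3 is not in the list"),
}

# Constructed leak 2: per-user salt plus slow hash, same passwords as above.
LEAKED_SALTED: Dict[str, Tuple[bytes, bytes]] = {}
for _user, _pw in [("alice", "god"), ("bob", "god"),
                   ("carol", "Tr0ub4dor&3 is not in the list")]:
    _salt = os.urandom(16)
    LEAKED_SALTED[_user] = (_salt, salted_pbkdf2(_pw, _salt))


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, then one table covers every leaked row."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    recovered = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return recovered, len(wordlist)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Each row has its own salt, so the wordlist is re-hashed for every user."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            work += 1
            if salted_pbkdf2(w, salt) == digest:
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))  # both 'god' users, 5 SHA-1s
    print(crack_salted(LEAKED_SALTED, WORDLIST))      # same users, 11 PBKDF2 runs
```

Weak passwords fall either way, which is why a leaked hash table is still a serious breach. The difference is cost: the unsalted table yields to five cheap SHA-1 computations shared across all rows (and even before cracking, alice and bob are visibly the same password), while the salted, slow table forces 11 separate PBKDF2 runs for three users and scales linearly with the number of accounts.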
France is pushing these laws out because it is worried about all sorts of information that should interest its security forces passing around the internet. Here’s a quick list of what site operators and ISPs will be required to store and hand over.
Providing access to the internet
- The IP address given to the user
- The identifiers of users given an IP address (login name, pseudonym, ID card, SIM phone number)
- MAC address
- Start and end time of the connection
- Line characteristics (ADSL, etc)
Hosts and companies providing online transactions
- IP address or other relevant information
- A way to identify what the user did online (page URL, classified ad ID, etc)
- Types of protocols used (FTP, HTTP)
- Nature of what happened (created content, modified content, deleted content)
- Time and date of transaction
- The ID the user used (pseudonym, email address, etc)
For Contract situations
- IP address used when account was created
- Full name or business name
- Postal address
- Email addresses
- Telephone numbers
- Pseudonyms used
For payment situations
- Type of payment
- The payment reference
- The amount
- Time and date of transaction
The French Association of Internet Community Services (ASIC) opposes the new law and is taking an appeal to a higher court. France may have failed to fulfil its obligations under the EU legal framework in pushing this law forward, and this may be the basis on which ASIC and its allies challenge it.