Thread: CNET: Feds tell Web firms to turn over user account passwords

  1. #1

    CNET: Feds tell Web firms to turn over user account passwords

    Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.
    Declan McCullagh July 25, 2013 11:26 AM PDT



    The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

    If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

    "I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

    A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

    Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts...
    ------------------snipped----------
    full article: http://news.cnet.com/8301-13578_3-57...unt-passwords/



  3. #2
    Things just got worse on the privacy and civil liberties front. This is terrible news. The only solution to fix something like this with the urgent President and US Senators is from overboard to stand up to Obama.
    Lifetime member of more than 1 national gun organization and the New Hampshire Liberty Alliance. Part of Young Americans for Liberty and Campaign for Liberty. Free State Project participant and multi-year Free Talk Live AMPlifier.

  4. #3
    It is more common to store hashed passwords than it is to store encrypted passwords, for this exact reason. Having the salt does not help much. A hash algo like MD5 is 1-way, so there's no reversing. There are some MD5 databases out there; if the password is a common password, they can look it up.

    Here is a generator:
    http://www.adamek.biz/md5-generator.php

    MD5 database:
    http://www.md5-hash.com/

    Use the generator to hash a common password, like password123. Then try to look it up in the database. Try again with a stronger password.
    Last edited by CPUd; 07-25-2013 at 05:31 PM.

  5. #4

  6. #5
    A "rainbow table" like you're speaking of only works if the password isn't salted before hashing it. If you turn over the hash AND the salt they still can't do anything that they couldn't do through brute-forcing your login system.

  7. #6
    Quote Originally Posted by Xhin View Post
    A "rainbow table" like you're speaking of only works if the password isn't salted before hashing it. If you turn over the hash AND the salt they still can't do anything that they couldn't do through brute-forcing your login system.
    Unfortunately, this might be the biggest and worst story of the week.
    Last edited by Keith and stuff; 07-25-2013 at 07:29 PM.

  8. #7
    This should be the lead story for a week. Even Democrats and Republicans use passwords. I bet it gets ignored.
    Quote Originally Posted by BuddyRey View Post
    Do you think it's a coincidence that the most cherished standard of the Ron Paul campaign was a sign highlighting the word "love" inside the word "revolution"? A revolution not based on love is a revolution doomed to failure. So, at the risk of sounding corny, I just wanted to let you know that, wherever you stand on any of these hot-button issues, and even if we might have exchanged bitter words or harsh sentiments in the past, I love each and every one of you - no exceptions!

    "When goods do not cross borders, soldiers will." Frederic Bastiat

    Peace.

  9. #8
    Need more websites to use secondary authentication.



  11. #9
    We're from the government, and we want access to everything, please.

    "The Patriarch"

  12. #10
    National security!!! And because no one in Congress can look widows and children of people who died in 9/11 in the eye.


    This ends terrorism right? /puke

  13. #11
    Quote Originally Posted by CPUd View Post
    It is more common to store hashed passwords than it is to store encrypted passwords, for this exact reason. Having the salt does not help much. A hash algo like MD5 is 1-way, so there's no reversing. There are some MD5 databases out there; if the password is a common password, they can look it up.

    Here is a generator:
    http://www.adamek.biz/md5-generator.php

    MD5 database:
    http://www.md5-hash.com/

    Use the generator to hash a common password, like password123. Then try to look it up in the database. Try again with a stronger password.
    +1, this is precisely how we handle it on our site. During registration, we hash and then store the hashed password. During a login, we just hash the plaintext password you entered to see if it matches the hashed version we originally stored for that account. We couldn't give anyone the actual passwords even if we wanted to; we simply don't have them.
    Last edited by VBRonPaulFan; 07-26-2013 at 08:41 AM.
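
Added example, not part of any post in this thread: a Python sketch of the two points raised in posts #5 and #11, that a per-user salt defeats a precomputed digest table and that a site can verify logins while storing only a salted hash. The wordlist, function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a public MD5 lookup database.
COMMON_PASSWORDS = ["password123", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def md5_hex(password: str, salt: bytes = b"") -> str:
    """Fast MD5 digest, optionally prefixed with a salt."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def table_lookup(digest: str):
    """Return the password if the digest is in the precomputed table."""
    return MD5_TABLE.get(digest)


def register(password: str) -> dict:
    """Registration: store a random salt and a slow salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    salt = os.urandom(16)
    print("unsalted common :", table_lookup(md5_hex("password123")))
    print("unsalted strong :", table_lookup(md5_hex("v9!Qz-tR4#mLw2x")))
    print("salted common   :", table_lookup(md5_hex("password123", salt)))
    rec_a, rec_b = register("password123"), register("password123")
    print("same password, different records:", rec_a["hash"] != rec_b["hash"])
    print("login ok / wrong:", verify("password123", rec_a), verify("password124", rec_a))
```

A salt only removes the precomputed shortcut; the slow key-derivation function is what raises the cost of each offline guess against a disclosed hash and salt.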

  14. #12
    Wish the article had a few more details. What Fed agency(ies) made the demands? Who was receiving the demands? Were the demands specific to a few customers or blanket for all customers?

  15. #13
    obscene.

  16. #14
    Quote Originally Posted by Bern View Post
    Wish the article had a few more details. What Fed agency(ies) made the demands? Who was receiving the demands? Were the demands specific to a few customers or blanket for all customers?
    All that info is probably secret, and punishable by jail time.
    "Foreign aid is taking money from the poor people of a rich country, and giving it to the rich people of a poor country." - Ron Paul
    "Beware the Military-Industrial-Financial-Pharma-Corporate-Internet-Media-Government Complex." - B4L update of General Dwight D. Eisenhower
    "Debt is the drug, Wall St. Banksters are the dealers, and politicians are the addicts." - B4L
    "Totally free immigration? I've never taken that position. I believe in national sovereignty." - Ron Paul

    Proponent of real science.
    The views and opinions expressed here are solely my own, and do not represent this forum or any other entities or persons.

  17. #15
    I am waiting for someone to come out with a system where you store your own data. I remember reading an article a couple of years ago where a guy was working on a box that plugged into your modem. It kept your data local. Of course the big data places do not want this but with the NSA crap going around I could see this being a booming market that might catch on. Of course this would be a big change in how things operate. Any social media would need to be completely revamped.
    Insanity should be defined as trusting the government to solve a problem they caused in the first place. Please do not go insane!

  18. #16
    And of the 6 people I have told about this at work, only 2 seemed interested.


