France to require unhashed password storage
France’s new data retention law requires online service providers to retain databases of their users’ addresses, real names and passwords, and to supply these to police on demand. Leaving aside the risk of retaining all this personal information (identity thieves, stalkers, etc — that which isn’t stored can’t be stolen and leaked), there’s the risk of requiring providers to store
plaintext unhashed passwords, as Bruce Schneier points out.
Well-designed systems don’t store passwords; rather, they take the password you supply and run it through a cryptographic hashing algorithm that turns it into another string (in theory, this string can’t be turned back into the password). When you re-visit the website and supply your password, it is run through the algorithm again, and then the result is compared to the stored version. That way, no one — not even the provider — knows your password (except you). Again, that which isn’t stored can’t be leaked. Requiring French online services to keep a record of unhashed passwords is a reversal of decades of best practices in security.
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.
Police, the fraud office, customs, tax and social security bodies will all have the right of access.