Thu 7 Apr, 2011
Tags: computer security, incompetency, information security, internet, internet security
Apologies for the mangled French title. The BBC reports that several companies are challenging a French law insisting that they keep a record of users’ real names, telephone numbers, addresses, and–most damningly–passwords, to be turned over to police on demand.
In a proper, competent system, passwords themselves are never stored. Instead, when an account (and associated password) is created, the password is passed through a one-way mathematical function (a cryptographic hash function) to produce what is called a ‘hash’–much like how reconstructing an order of ham hash into the original ham and potatoes is more difficult than anyone can reasonably be expected to accomplish, reconstructing a password from a hash is intended to be next to impossible.
When the user logs in, their password is passed through the same function again, and the result is compared with the entry in the password table. Since the function is designed so that different inputs essentially never produce the same result, if the hashes match then the correct password has been entered.
The recent high-profile crack at Gawker, where the password database was compromised, was only possible because their hashing algorithm was weak and most users’ passwords were also weak. Indeed, the algorithm itself was not actually reversed–instead, a database known as a ‘rainbow table’ was used: the precomputed result of passing a dictionary of common passwords through a known hashing algorithm, against which the stolen hashes could simply be looked up.
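As an added illustration of the scheme described above (hash at account creation, re-hash and compare at login, and why a Gawker-style precomputed table only works against unsalted hashes), here is example code written for this post; it is not from the original article. The choice of PBKDF2-HMAC-SHA256 with a random per-user salt and the table layout are this example’s assumptions, not details the post states.

```python
import hashlib
import hmac
import os

# Constructed demo of a password table that stores only (salt, hash), never
# the password. PBKDF2-HMAC-SHA256 and the per-user salt are assumptions for
# this example; any slow, salted password hash would do.
ITERATIONS = 100_000


def create_account(table, username, password):
    """Store (salt, hash) for the user; the password itself is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[username] = (salt, digest)


def verify_login(table, username, password):
    """Re-run the same function on the submitted password and compare."""
    if username not in table:
        return False
    salt, stored = table[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def unsalted_hash(password):
    """The weak design: one fixed function, no per-user salt, so the same
    password always produces the same hash for every user and every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_in_precomputed_table(stored_hash, dictionary):
    """Why unsalted hashes fall to a precomputed table: hash the dictionary
    once, then look up each leaked hash. Returns the password or None."""
    precomputed = {unsalted_hash(p): p for p in dictionary}
    return precomputed.get(stored_hash)


def same_password_hashes_differ(table, user_a, user_b):
    """With random salts, two users sharing a password still get different
    stored hashes, so no single precomputed table can cover both."""
    return table[user_a][1] != table[user_b][1]
```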
This French law completely ignores best practices. Besides the obvious privacy concerns, it requires that the companies make passwords available to the police–which means that, rather than a database of the hashes, the companies will be required to keep a database of the actual passwords.
This is an unnecessary and badly thought-out requirement, as it lays every single person in France who uses any of these services open to theft of their accounts should anyone succeed in exfiltrating the associated databases. Worse, given that real names and addresses are associated with these accounts, it provides very nearly one-stop shopping for any French identity that an attacker could wish to have.
In essence, no company that follows anything resembling standard security practice can operate in France without irreparably weakening those procedures in order to do business with that country.
This law is badly thought-out and will irreparably damage France’s status in the EU and on the world stage. Anyone who wishes for security in their dealings should avoid any companies that provide this data, as these databases will be inherently insecure.