Feds Now Demanding Internet Companies Hand Over User Passwords Too
from the encrypted-or-not? dept
Following on the report that the feds have been trying to get master encryption keys, Declan McCullagh now has a story about the feds also demanding user passwords from those same companies. Once again, various sources insist that the companies do not hand over such info:

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

Similarly, Microsoft and Google both directly said that they would never do that, while other companies hadn't responded (or chose not to respond) by the time Declan went to press. Of course, as he notes, since most tech companies now hash passwords rather than storing them in the clear, even if the companies were to hand over the hashed passwords, it's not guaranteed that the NSA could recover the actual passwords from them, though it makes it easier. Still, just the fact that the companies are being asked for passwords seems like, once again, the feds going way beyond what they should be able to do.
A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Filed Under: encryption, fbi, nsa surveillance, passwords
Companies: google, microsoft
Reader Comments
probably just another set of word games
How ITH can this be justified?
If this is not stopped, where will it end? I am far more afraid of my own government's overreach than of any group of terrorists anywhere, no matter how large.
This is going to make an activist out of me yet.
Re: Re: How ITH can this be justified?
I do think it is a control issue, as is copyright and free trade pacts, and other issues we have to deal with.
Is it going to take 10,000,000 people marching on Washington to wake up the assjacks running our country?
Fear from terrorist attack is the least of my worries.
This issue has really gotten me all riled up and I hope on the NSA's radar. :-)
Re: Re: Re: How ITH can this be justified?
10,000,000 people marching on Washington would be classified as an insurrection and martial law would be declared.
Re: Re: How ITH can this be justified?
It has absolutely nothing to do with age. It has everything to do with power and corruption.
Re: Re: How ITH can this be justified?
They're part of the elite class. They'll never be one of us.
Concerning the Printing Press
The internet is the new printing press. Who controls it is up to us.
Vote!
Re: Vote!
Same as the old boss.
90%. In less than a day. With a single machine.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Yes, the NSA can crack your hashed password.
Re:
That is not entirely true, there are numerous ways to hash passwords.
If they are stored as plain MD5 hashes, like the article you linked to used, then yes you are right.
But only idiots use plain MD5 hashes to store passwords today.
Adding salt is a must and makes it more difficult to crack the list of hashes.
Hashes like bcrypt or scrypt with salt are very resilient to being cracked.
https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/
From that article:
"The clustered GPUs clocked impressive speeds against more sturdy hashing algorithms as well, including MD5 (180 billion attempts per second, 63 billion/second for SHA1 and 20 billion/second for passwords hashed using the LM algorithm. So called “slow hash” algorithms fared better. The bcrypt (05) and sha512crypt permitted 71,000 and 364,000 per second, respectively."
If the NSA had 50,000 of the machines used in that article they could only test 3,550,000,000 bcrypt combinations per second.
A 10 character password composed of letters (Upper and Lower) numbers and special characters has 19,687,440,434,072,265,000 possible combinations
Assuming the NSA was always lucky and found the match after testing only 50% of the possible combinations it would take them 87 years to crack just ONE salted bcrypt hash with a password length of 10 characters.
Using the same assumption a 15 character salted bcrypt password would take them 1,384,992,058,302,440,000,000 years to crack.
So it would be more accurate to say that "Yes the NSA can crack your poorly implemented password hash"
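As an added example (not part of the comment above), this Python script encodes the comment's cost model: the per-machine cracking rates it quotes, a hypothetical 50,000-machine fleet, and an 85-symbol alphabet, which is a constructed assumption that reproduces the comment's combination count for 10 characters. It also spells out the batch effect of salting the comment alludes to: an unsalted dump costs about as much to crack as one hash, a salted dump costs per hash.

```python
"""Brute-force cost model for the cracking rates quoted in the comment above.

Per-machine rates are the ones the comment quotes from the 25-GPU cluster
article; MACHINES is the comment's hypothetical 50,000-machine fleet.  The
85-symbol alphabet is a constructed assumption: 85**10 reproduces the
comment's 19,687,440,434,072,265,000 combinations for a 10-character password.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
MACHINES = 50_000            # hypothetical fleet size used in the comment
ALPHABET_SIZE = 85           # constructed: 26 + 26 + 10 plus 23 special characters

# Guesses per second for ONE machine, as quoted in the comment.
RATES_PER_MACHINE = {
    "md5": 180e9,
    "sha1": 63e9,
    "sha512crypt": 364_000,
    "bcrypt(05)": 71_000,
}


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def expected_years(algo, length, machines=MACHINES, fraction=0.5):
    """Years to crack ONE salted hash, assuming the match turns up after
    searching `fraction` of the keyspace (0.5 is the average case)."""
    guesses = keyspace(length) * fraction
    rate = RATES_PER_MACHINE[algo] * machines
    return guesses / rate / SECONDS_PER_YEAR


def batch_years(algo, length, n_hashes, salted):
    """Cost of cracking a dump of `n_hashes` hashes.

    Unsalted: one guess is hashed once and compared against every entry, so
    the whole dump costs roughly the same as a single hash.  Salted: each
    entry has its own salt, so every guess must be re-hashed per entry and
    the work multiplies by the number of hashes.
    """
    per_hash = expected_years(algo, length)
    return per_hash * n_hashes if salted else per_hash


if __name__ == "__main__":
    for algo in RATES_PER_MACHINE:
        print(f"{algo:12s} one 10-char hash: {expected_years(algo, 10):10.3e} years")
    print("unsalted md5, 1e6 hashes:   ", batch_years("md5", 10, 10**6, False), "years")
    print("salted bcrypt, 1e6 hashes:  ", batch_years("bcrypt(05)", 10, 10**6, True), "years")
```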
With properly implemented storage of passwords.....
Me: Here is their salted and hashed password
Feds: This is useless, even the giant data center in Utah would take zillions of years to crack this
Me: Not my problem
Re: With properly implemented storage of passwords.....
I'm more interested in why the NSA wants passwords in the first place, when they've proven they can get FISA warrants (which are almost never denied, or even examined thoroughly) to sap data up directly from inside any company's datacenter. To try to login to a user's accounts on a foreign site? Am I the only person who thinks that this behavior is more reminiscent of a criminal hacker ring, than a "Security" agency?
Well, there's NO WAY this info could POSSIBLY be stolen from the feds
Nope, that kind of stuff NEVER happens. You're just a delusional conspiracy theorist if you think that'll happen!
It's also an incredibly bad idea. The moment they have the password for your account during an investigation, they immediately open themselves up to accusations of planting evidence at trial time. After all, it's one thing if only you have access to an account but a completely different thing if you and the feds both have access to your account during a time period being investigated. That wouldn't fly with a lot of judges and juries, and they can't keep everything secret forever if they try to. To the contrary, it just increases the odds that someone will say "screw FISA secrecy" and go public with the details of the case.
Users: don't share passwords between sites. And don't use methods based on slight variations on a single base password. Use a password storage program that lets you generate highly-random passwords per-account. That won't protect you from this, but it'll mean that disclosure of your password by one site won't compromise any other sites.
Passwords and the word "no."
The feds coming to my house and demanding my passwords to any site.
Me: "Got a warrant?"
FEDS: "We don't need one... you have to give it to us."
Me: "Great. Here's the computer, with passwords-" and handing them a smashed up box. "Good luck with that."
I don't care if it lands me in the Federal pokey for umpteen years. There are lines I do not cross and neither do they.
If the big companies do it, they'll find out how fast hackers can get into their systems and wreck them. I might even help.
oh im sorry
have a nice peeping tom day....
yup i agree lines that you dont cross....
NOW im urging everyone NOT from the usa to begin banning USA users....and also any services that run in the usa both in non business and business capacities.
The democrudes and republitards ARE REALLY DOING YOUR NATION UP THE ASS
Great job, Feebs!
Bad Idea!!!
It is the ultimate in censorship as well. Messages sent in your name that you did not write. Context of messages you write changed to suit the US Gov. Messages to you (edited / deleted) by the US Gov.
Password to your OnLine Bank Account? Why do they need that? Making transfers in your name, in and out of your account?
Time for a run on the banks. Keep it all cash, not in an account.
( Personal Opinion )
There is a Megalomaniac in charge of "US National Security".
I would not be surprised.
NSA is driving criminals to 256 encryption or better
oh, really ? ? ?
so those CEO bodies are really piling up in silicon valley, are they ? ? ?
no?
didn't think so...
*some* brave souls (Bradley Manning, Edward Snowden, etc) LITERALLY put their lives on the line, not just talk trash...
silicon valley defenders of the constitution: just put the top down on their porches, and speed back home to their mcmansions...
so brave...
art guerrilla
aka ann archy
eof
Breaking hashes is missing the point
There are protocols (SRP, http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol, is the most prominent example) in which having full access to the data on the server doesn't permit you to imitate a client (without additional work to brute-force the actual password). Unfortunately, such protocols aren't trivial to retrofit into existing systems as they require significant computation on the client side, so they haven't seen much traction. Perhaps it's time to consider them.
-- Jerry
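As an added example (not the comment's or Wikipedia's code), this Python script runs both sides of an SRP-6a exchange to show Jerry's point: the server stores only a salt and a verifier, and a party holding that data still cannot complete the client side without the password. The modulus is a constructed toy prime so the script runs instantly; real deployments use the RFC 5054 groups.

```python
"""SRP-6a key agreement, client and server side, as sketched in the comment.

Follows the SRP-6a formulas: k = H(N, g), x = H(s, H(P)), v = g^x,
A = g^a, B = k*v + g^b, u = H(A, B).  N below is a constructed TOY modulus:
prime, but far too small to be secure (RFC 5054 groups start at 1024 bits).
"""
import hashlib
import secrets

N = 2**127 - 1   # constructed toy modulus, illustration only
g = 5


def H(*values):
    """SHA-256 over the big-endian encodings of the integer arguments."""
    data = b"".join(v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_x(password, salt):
    """Password-derived secret; only a party knowing the password can compute it."""
    return H(salt, int.from_bytes(hashlib.sha256(password).digest(), "big"))


def register(password):
    """Enrolment: the server stores only (salt, verifier), never the password."""
    salt = secrets.randbits(64)
    return salt, pow(g, private_x(password, salt), N)


def session(client_password, salt, v):
    """One exchange; returns (client_key, server_key).

    The server side uses only the stored verifier v.  The client side needs
    x, which is derived from the password it was given, not from v."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                        # client -> server
    B = (k * v + pow(g, b, N)) % N          # server -> client
    u = H(A, B)                             # scrambling parameter
    x = private_x(client_password, salt)
    client_S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (g^b)^(a+ux)
    server_S = pow(A * pow(v, u, N) % N, b, N)                 # (g^a * g^(xu))^b
    return client_S, server_S


def login_succeeds(client_password, salt, v):
    """True only when both sides derive the same session key."""
    client_S, server_S = session(client_password, salt, v)
    return client_S == server_S
```

A holder of the server's (salt, v) who tries the client side with a guessed password gets a mismatched key, which is exactly the "additional work to brute-force the actual password" the comment mentions.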