A few days ago, a buzz hit the information security landscape. /. relayed a BBC article announcing that a new French decree will make hashed passwords illegal. Really? Honestly, when I read this, I also twitted about it. For security professionals, it looks totally unacceptable! Now, the buzz seems over and I would like to come back on this announce.
Several security professionals started discussions on forums and were curious (if not scared) about this new decree. This kind of announce leaves no one indifferent. Several questions raised like:
- The decree will make all operating systems illegal (they all stored password hashed)?
- What about banks using smart-cards to authenticated their user (storing only the user public key won’t be enough to decrypt the user’s data)?
An interesting thread started on the CISSPforum Yahoo! group. Unfortunately, this group is not publicly available. I asked to the French CISSP who gave more details to relay the information here. Thanks to Jean-Philippe for the permission to re-use his explanations.
According to many French information security people, the BBC news relayed by ./ is wrong. The problem is not that passwords cannot be hashed, it’s worst: the new French law says that organizations must keep personal data during one year (data retention period). Where the BBC is right, it’s on the fact that major on-line actors (eBay, DailyMotion) challenged the French law. Their request will be examined by the Council of State.
Here is Jean-Philippe’s analysis of the law: The decree asks e-service/commerce/banking providers to store a lot of personal and technical information related to their users. This information must be provided upon request during criminal investigations. When the user’s account is created, the text asks to store :
- The connection ID;
- First and Last name or corporate name;
- Postal address ;
- Pseudonym(s) ;
- E-mail(s) ;
- Phone number(s) ;
- The last version of password, and data that enable to verify and modify it.”
The “and” continues the enumeration of the first bullet-points… and seems not to be a grammatical link between “password” and “data that…”. Well, let’s hope so!
But here the trick – yes a law trick – the article ends with a VERY important sentence:
“This information (login, e-mail, password, …) must be stored – and therefore provided to law enforcement – ONLY IF the service provider used to store it“
This sentence is the most important here and it prevents organizations from a lot of security trouble and/or system redesign. If you are not forced to collect users information, don’t! But… if you do, you must keep them for one year! To summarize :
- If you store the user’s password in clear text (shame on you!), then you’ll have to provide it.
- If you store a hash of the password, then you’ll have to provide the hash
- If your system uses a user’s public key verification, then you’ll have to provide a private key escrow but again, only if you have it.
For those who have enough patience to regal legal stuffs, the original text of this decree is here.