Posted on 07/25/2013 3:49:38 PM PDT by Errant
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
(Excerpt) Read more at news.cnet.com ...
“What I’m taking away from your comment is that they can bypass my password any time they like.
Is that what you were trying to convey?”
On many systems, yes.
Ha. Spartacus forgot there is a tormail service now. PGP thru that would be very anonymous.
Stop fueling my paranoia. ;-)
There are plenty of dead in Egypt and a few well ransomed Americans who can attest to how hard it is to be completely anonymous.
A proper web firm doesn’t store its users’ passwords and therefore cannot give them out.
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user.
Well, now. Wouldn't this fall into the category of domestic terrorism by our own gov against US citizens? What's the purpose? Is this so they can remove steal remove steal money from our bank accounts anonymously?
Thanks, Nully. (Having difficulty deciding which word to use.)
Dictionary attacks were popular 20 years ago.
Which makes me wonder why they need the passwd file. If they’ve got control of the network they can just see the password in transit.
Torture works. Stalin used it quite effectively.
Thanks
The problem is trusting the person on the other end.
You might want to let your DBA know that.
It's inconceivable that our Government is DOING this!! F-BOMB YOU ALL!
Don’t you think they could already do this? Remember Scott Ritter? I’m not saying he was innocent, but I could easily envision a scenario where a man could abruptly change his tune because of an impolitic web history.
So I guess it's magic anytime you type in your password on a website and it just works huh?
If someone has the password hash for a user ID they can guess, encrypt and compare until they find the right combination of characters. There is software available on the Internet that will do this very quickly.
In the PAST computing power wasn't sophisticated enough to make this very practical but NOW, with modest hardware (couple of decent video cards in a quad-core box) you can guess about 2 billion passwords a SECOND. If one is willing to invest about $15K in a machine with a lot of video cards in it, it is possible to guess the entire 8 character (upper and lower case letters, numbers and special characters) in about 4 hours.
If you recall when LinkedIn users were told to change their passwords because a password store had been leaked, most decent password crackers had nearly that entire set of passwords decrypted in about a week.
If you want to be MORE secure with the use of a password go up to 12 characters (mixed case, numbers, special characters, etc.).
In short, passwords as they're typically "selected" today are not a good way to secure anything.
CALEA and FISA.
In practice it would be a bit hairier than that.
E.g., every email system I know of lists unread emails in bold or something. That would mean a careless G-man could give up the game by forgetting to change an email back to unread status. Also, Gmail shows you the last n logins (date, IP, location) and tells you if your account is open from any other location (e.g., fbi.gov).
To protect against features such as the above, a surveillance account would require special status. Able to roam through the target account without leaving any tracks or dead give-aways. A lot more than two lines of code.
“I’d be banned for life if I said what I’m thinking about our so-called “representatives” in “FREAKING” Washington DC who are letting this CRAP happen...”
No, you are wrong; it is We the People who are allowing this to happen. As Jefferson said, “A nation deserves the leaders it has.”
And my favorite goes something like this, “A people unwilling to use extreme violent force to obtain or preserve their liberty deserves the tyrants that rule them.”
Make no mistake, it is all about we the people. He also said, “When the people fear the government you have tyranny, when the government fears the people you have liberty.”
Our nation may live in darkness for a 1,000 years but God as my witness the time will come when we shall be free again...
And THAT, sir, is every bit as dangerous and requires no technological breakthrough whatsoever, just a look-up table that says if they give you this hash code, use this string as the password.
I bet the "an assay" could generate such a table in an afternoon.
I'm not going to be the one to insist man can never _____ (go faster than 30 mph, fly, go to the moon, etc.), but by all means, don't let that stop you!
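The guess-hash-compare and look-up table points raised earlier in the thread, shown from the storage side as an added example that is not any poster's code: a fast unsalted hash lets one precomputed table resolve every matching account, while a per-account salt with a slow KDF does not. The account names, passwords, candidate list and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

def unsalted_digest(password):
    # Weak storage: one fast, unsalted hash. Equal passwords give equal digests.
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, salt=None):
    # Stronger storage: per-account random salt plus a deliberately slow KDF.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, stored):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def build_lookup_table(candidates):
    # The "look-up table": digest -> password, computed once, reused everywhere.
    return {unsalted_digest(p): p for p in candidates}

def exposed_accounts(stored_digests, table):
    # Accounts whose stored unsalted digest is already in the table.
    return sorted(u for u, d in stored_digests.items() if d in table)

# Constructed sample data, not taken from any real system.
COMMON = ["password", "letmein", "123456"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "T7#qv9!Lw2zR"}

def demo():
    table = build_lookup_table(COMMON)
    weak = {u: unsalted_digest(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "weak_exposed": exposed_accounts(weak, table),
        "same_weak_digest": weak["alice"] == weak["bob"],
        "same_strong_record": strong["alice"][1] == strong["bob"][1],
        "strong_in_table": [u for u, (_, dk) in strong.items() if dk.hex() in table],
        "login_ok": verify_password("letmein", *strong["alice"]),
        "login_bad": verify_password("wrong", *strong["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Salting does not make a weak password strong; it removes the shared table and forces per-account work, which the slow KDF then makes expensive.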