[Errant]

You are making this way too complex. With a few lines of code, you can store the password entered online (before it's even hashed) into a accessible table and wrap things up by grabbing any information fields the agency wished to collect.

I have absolutely NO idea how "they've" planned or are doing it. Just sayin' that it's an easy way to collect passwords.

All of the other information concerning read, time accessed and etc. are information the front end writes. You can bypass this easily when you grab the data directly from the DB with another application. And you can even alter the DB logs if you have the proper levels and the right tools.

[cynwoody]

You are making this way too complex. With a few lines of code, you can store the password entered online (before it's even hashed) into a accessible table and wrap things up by grabbing any information fields the agency wished to collect.

The point is, they don't need the user's password if they can lean on the service provider. And, if they do have the password, actually using it would be problematic because of the danger they'll alert the target accidentally.

You can bypass this easily when you grab the data directly from the DB with another application.

Of course. Which they can do, with the web provider's cooperation.

And you can even alter the DB logs if you have the proper levels and the right tools.

No need. The only reason to hack the logs would be if they had gained surreptitious access to the provider. But they don't need to do that, because they're the government.