Feds Now Demanding Internet Companies Hand Over User Passwords Too

from the encrypted-or-not? dept

Following on the report that the feds have been trying to get master encryption keys, Declan McCullagh now has a story about the feds also demanding user passwords from those same companies. Once again, various sources insist that the companies do not hand over such info:
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Similarly, Microsoft and Google both directly said that they would never do that, while other companies hadn't responded (or chose not to respond) by the time Declan went to press. Of course, as he notes, most tech companies now hash passwords rather than storing them in the clear. So even if a company were to hand over its stored hashes, there is no guarantee that the NSA could recover the actual passwords from them; what it would get is an offline cracking target, and how long that holds up depends entirely on the hashing scheme and on the strength of the password. Still, just the fact that the companies are being asked for passwords seems like, once again, the feds going way beyond what they should be able to do.


Reader Comments

  1.  
    arcan, Jul 25th, 2013 @ 2:53pm

    they are just asking for a "Cyber-Pearl Harbor" now.

  2.  
    Anonymous Coward, Jul 25th, 2013 @ 2:54pm

    The feds have gotten so used to doing whatever they like and with the stupid idiots in Congress, regardless of how close the vote was, allowing the continuation of spying on innocent citizens, this was surely the next step! Those who are of the opinion that the USA is just one step away from being the Police State that is spoken about very often, your fears are becoming reality! Whoever the body that is behind this, that is pushing for it to actually happen needs to be found and exposed and damn quick too! They are obviously too afraid to come out in the open so are pulling the strings of those that are acting as nothing other than front men, as puppets. The problem is, they are still getting what they want and without knowing who the enemy really is, no defense or offense can be mounted!

  3.  
    arcan, Jul 25th, 2013 @ 2:55pm

    Re:

    That might actually be their plan. Get all this data, then leak it to hackers. Then once all the accounts get taken over, pretend it is the tech companies' fault, then try and take over all internet security. They wouldn't need backdoors then...

  4.  
    william (profile), Jul 25th, 2013 @ 2:56pm

    And my first thought is how Microsoft claimed they never gave the NSA any data and how it blew up later that they were pretty willing to assist.

    Probably just another set of word games.

  5.  
    Charles (profile), Jul 25th, 2013 @ 2:58pm

    How ITH can this be justified?

    How? Why? Does our government, I use the term loosely, have no moral or ethical compass whatsoever?

    If this is not stopped, where will it end? I am far more afraid of my own government's overreach, than any group of terrorists anywhere- no matter how large.

    This is going to make an activist out of me yet.

  6.  
    Anonymous Coward, Jul 25th, 2013 @ 3:00pm

    Maybe a password manager which hashes passwords on the local computer and sends the long hash code as the password transparently?

  7.  
    Anonymous Coward, Jul 25th, 2013 @ 3:02pm

    Still think waving signs and signing petitions is the way to fix this?

  8.  
    Baldaur Regis (profile), Jul 25th, 2013 @ 3:07pm

    Concerning the Printing Press

    From The First Hundred Years of Printing in British North America, by William S. Reese:
    Sir William Berkeley, royal governor of Virginia in 1671, put it very plainly: 'I thank God,' he wrote, 'there are no free schools nor printing and I hope we shall not have these hundred years; for learning has brought disobedience, and heresy and sects into the world, and printing has divulged them...God keep us from both.'
    The freedom to think, and to publish new ideas, is directly proportional to a citizenry's ability to resist its government's innate desire to control that thinking.

    The internet is the new printing press. Who controls it is up to us.

  9.  
    Anonymous Coward, Jul 25th, 2013 @ 3:11pm

    Re: How ITH can this be justified?

    It's because government is run by a bunch of guys in their 50s, 60s and 70s with horrifically antiquated ways of thinking. They do not align with how the world has changed since the dawn of mass computerization and the Internet, and they're ruining the country as a result.

  10.  
    Anonymous Coward, Jul 25th, 2013 @ 3:12pm

    Vote!

    The United States has become rotten. Let's put democracy to good use and vote against the traitors responsible for the current mess.

  11.  
    radarmonkey (profile), Jul 25th, 2013 @ 3:14pm

    Time to change my passwords:

    rot13(qrneafnshpxlbh)

  12.  
    arcan, Jul 25th, 2013 @ 3:19pm

    Re: Time to change my passwords:

    And people think I am crazy for having 50 character+ passwords encrypting my data.

  13.  
    Charles (profile), Jul 25th, 2013 @ 3:25pm

    Re: Re: How ITH can this be justified?

    I am in my 60's and I don't have an antiquated way of thinking.

    I do think it is a control issue, as is copyright and free trade pacts, and other issues we have to deal with.

    Is it going to take 10,000,000 people marching on Washington to wake up the assjacks running our country?

    Fear from terrorist attack is the least of my worries.

    This issue has really gotten me all riled up and I hope on the NSA's radar. :-)

  14.  
    Charles (profile), Jul 25th, 2013 @ 3:27pm

    Re: Re: Time to change my passwords:

    Voted insightful, funny, and a virtual sad but true.

  15.  
    Charles (profile), Jul 25th, 2013 @ 3:29pm

    Re:

    I don't know what the way to fix this is, but I have a feeling we are all going to find out sooner rather than later.

  16.  
    mudlock (profile), Jul 25th, 2013 @ 3:44pm

    "even if the companies were to hand over the hashed passwords, it's not guaranteed that the NSA can take that and decipher the actual password"

    90%. In less than a day. With a single machine.

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    Yes, the NSA can crack your hashed password.

  17.  
    Anonymous Coward, Jul 25th, 2013 @ 3:53pm

    With properly implemented storage of passwords.....

    Feds: Here is FISA order for you to turn over user ABC's password
    Me: Here is their salted and hashed password
    Feds: This is useless, even the giant data center in Utah would take zillions of years to crack this
    Me: Not my problem

  18.  
    Anonymous Coward, Jul 25th, 2013 @ 3:57pm

    Well, there's NO WAY this info could POSSIBLY be stolen from the feds

    Well, I don't see any problem with this! After all, we all know there's NO WAY a hacker could POSSIBLY break into the feds computers/etc and steal all the millions of passwords the Feds collect from all the Internet companies in America and the world!

    Nope, that kind of stuff NEVER happens. You're just a delusional conspiracy theorist if you think that'll happen!

  19.  
    WG (profile), Jul 25th, 2013 @ 4:03pm

    Re: How ITH can this be justified?

    Ditto. I am quickly leaning towards the anarchist's point of view. Now that we have names of those who are trying to gut the constitution, I say F#*k the vote. . .get a rope! These assholes simply don't understand that when they are out of office, they become one of us.

  20.  
    Anonymous Coward, Jul 25th, 2013 @ 4:25pm

    Wow. Someone said it before about the encryption keys, but this really is like asking for copies of keys to everyone's house. Haven't we had some fairly recent laws or legal ruling forbidding employers from demanding that sort of access to employee's personal accounts?

    It's also an incredibly bad idea. The moment they have the password for your account during investigation, they immediately open themselves up to accusations of planting evidence at trial time. After all, it's one thing if only you have access to an account but a completely different thing if you and the feds both have access to your account during a time period being investigated. There are a lot of judges and juries that wouldn't fly with, and they can't keep everything secret forever if they try to. To the contrary, it just increases the odds that someone will say "screw FISA secrecy" and go public with the details of the case.

  21.  
    Anonymous Coward, Jul 25th, 2013 @ 4:38pm

    Re:

    "Yes, the NSA can crack your hashed password."

    That is not entirely true, there are numerous ways to hash passwords.
    If they are stored as plain MD5 hashes, like the article you linked to used, then yes you are right.
    But only idiots use plain MD5 hashes to store passwords today.

    Adding salt is a must and makes it more difficult to crack the list of hashes.
    Using hashes like bcrypt or scrypt with salt are very resilient to being cracked.

    https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/
    From that article:
    "The clustered GPUs clocked impressive speeds against more sturdy hashing algorithms as well, including MD5 (180 billion attempts per second), 63 billion/second for SHA1 and 20 billion/second for passwords hashed using the LM algorithm. So called “slow hash” algorithms fared better. The bcrypt (05) and sha512crypt permitted 71,000 and 364,000 per second, respectively."

    If the NSA had 50,000 of the machines used in that article they could only test 3,550,000,000 bcrypt combinations per second.

    A 10 character password composed of letters (Upper and Lower) numbers and special characters has 19,687,440,434,072,265,000 possible combinations

    Assuming the NSA was always lucky and found the match after testing only 50% of the possible combinations it would take them 87 years to crack just ONE salted bcrypt hash with a password length of 10 characters.

    Using the same assumption a 15 character salted bcrypt password would take them 1,384,992,058,302,440,000,000 years to crack.

    So it would be more accurate to say that "Yes the NSA can crack your poorly implemented password hash"

  22.  
    Todd Knarr (profile), Jul 25th, 2013 @ 4:39pm

    Developers: switch from fast, efficient-to-calculate hashes (e.g. MD5, SHA1, etc.) to something like BCrypt that's designed to be inefficient to calculate. That scotches a lot of off-line attacks because they can't try hundreds of millions of possibilities a second anymore.

    Users: don't share passwords between sites. And don't use methods based on slight variations on a single base password. Use a password storage program that lets you generate highly random passwords per account. That won't protect you from this, but it'll mean that disclosure of your password by one site won't compromise any other sites.
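The two storage schemes that comments 16, 17, 21 and 22 are arguing about, side by side, as an added example that is not from the thread or from any commenter's post. Assumptions: the standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt as the slow, salted KDF; the wordlist and three-user table are constructed; the per-second rates, the 85-symbol alphabet and the 50,000-machine fleet are the numbers comment 21 quotes, reproduced here so the arithmetic can be checked.

```python
import hashlib
import hmac
import os

# Constructed sample data (not a real leak): a tiny attacker wordlist and a
# three-user table. "carol" chose something the wordlist does not contain.
WORDLIST = ["123456", "password", "letmein", "qwerty", "correct horse", "hunter2"]
USERS = {"alice": "password", "bob": "hunter2", "carol": "Tr0ub4dor&3-long-and-random"}

# Rates quoted in comment 21 from the 25-GPU rig article: fast MD5 vs. slow bcrypt.
MD5_PER_SECOND = 180e9
BCRYPT_PER_SECOND = 71_000
MACHINES = 50_000               # comment 21's hypothetical fleet

# --- "Before": unsalted fast hash, the kind the Ars Technica article cracked ---

def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()

def crack_unsalted(stored, wordlist):
    """One precomputed table serves every user at once: the attacker hashes each
    word a single time, then looks every stored hash up. Returns (recovered, ops)."""
    table = {md5_unsalted(w): w for w in wordlist}            # len(wordlist) hashes
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, len(wordlist)

# --- "After": per-user random salt plus a deliberately slow KDF ---
# PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/scrypt here
# (assumption: same idea, different cost curve). The iteration count is a demo
# value; production settings are tuned much higher.
ITERATIONS = 10_000

def store_pbkdf2(password, iterations=ITERATIONS):
    """Enrollment: returns (salt, digest). Only these two values hit the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_pbkdf2(password, salt, digest, iterations=ITERATIONS):
    """Login check with a constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def crack_salted(stored, wordlist, iterations=ITERATIONS):
    """Knowing the salt (comment 34: the feds can demand it too) only lets the
    attacker start; every (user, word) pair is a fresh KDF run of `iterations`
    hash calls, and no table carries over from one user to the next."""
    recovered, ops = {}, 0
    for user, (salt, digest) in stored.items():
        for w in wordlist:
            ops += iterations
            if verify_pbkdf2(w, salt, digest, iterations):
                recovered[user] = w
                break
    return recovered, ops

# --- Keyspace arithmetic from comment 21 ---

def years_to_crack(alphabet, length, guesses_per_second, fraction=0.5):
    """Expected years to find one uniformly random password of the given shape,
    assuming the attacker gets lucky after `fraction` of the keyspace."""
    keyspace = alphabet ** length
    return keyspace * fraction / guesses_per_second / (365.25 * 86400)

if __name__ == "__main__":
    leaked = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("unsalted MD5:", crack_unsalted(leaked, WORDLIST))
    salted = {u: store_pbkdf2(p) for u, p in USERS.items()}
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
    print("10 chars, 85-symbol alphabet, 50k bcrypt machines: %.1f years"
          % years_to_crack(85, 10, BCRYPT_PER_SECOND * MACHINES))
    print("same password shape, one MD5 rig: %.2f years"
          % years_to_crack(85, 10, MD5_PER_SECOND))
```

Two things the numbers make concrete: the unsalted table costs six hashes no matter how many users are in the dump, while the salted run costs iterations × users × words; and the same 10-character password that survives 50,000 bcrypt machines for decades falls to a single MD5 rig in under two years, which is why comment 22's "switch to a slow hash" advice matters more than any salt.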

  23.  
    Anonymous, Jul 25th, 2013 @ 4:40pm

    If the feds have to ask for encryption keys and passwords and physically place a device on an ISP's network, maybe their surveillance capabilities aren't all that.

  24.  
    Anonymous Coward, Jul 25th, 2013 @ 4:40pm

    Jesus Christ you guys want my house keys as well? Not enough? How about my first born?

  25.  
    The Real Michael, Jul 25th, 2013 @ 4:44pm

    Re: Time to change my passwords:

    Good idea, though I wouldn't put it past them to try and streamline the password info to near real-time. That is if websites/companies actually cave in to their unconstitutional demands.

  26.  
    Anonymous Coward, Jul 25th, 2013 @ 4:45pm

    A useful Firefox plugin is Password Hasher. That way even if they get your password it's only a hashed password that can't easily be used on other websites (at least not without cracking the original password).

  27.  
    Rekrul, Jul 25th, 2013 @ 4:51pm

    Re: Re: Re: How ITH can this be justified?

    Is it going to take 10,000,000 people marching on Washington to wake up the assjacks running our country?

    10,000,000 people marching on Washington would be classified as an insurrection and martial law would be declared.

  28.  
    Rekrul, Jul 25th, 2013 @ 4:52pm

    Re: Re: How ITH can this be justified?

    These assholes simply don't understand that when they are out of office, they become one of us.

    They're part of the elite class. They'll never be one of us.

  29.  
    Anonymous, Jul 25th, 2013 @ 5:05pm

    Re: Re: Re: How ITH can this be justified?

    As a wise woman once said, "People like us, we gotta stick together...We are all misfits living in a world on fire".

  30.  
    Uriel-238 (profile), Jul 25th, 2013 @ 6:10pm

    Re: Vote!

    How do you figure a new person in office is going to change this? It's not the corrupt guy in office that's the problem; it's that the office makes people corrupt (or ineffectual -- those are the two flavors).

    Same as the old boss.

  31.  
    FM Hilton, Jul 25th, 2013 @ 6:19pm

    Passwords and the word "no."

    I can just envision it:
    The feds coming to my house and demanding my passwords to any site.

    Me: "Got a warrant?"
    FEDS: "We don't need one... you have to give it to us."
    Me: "Great. Here's the computer, with passwords-" and handing them a smashed up box. "Good luck with that."

    I don't care if it lands me in the Federal pokey for umpteen years. There are lines I do not cross and neither do they.

    If the big companies do it, they'll find out how fast hackers can get into their systems and wreck them. I might even help.

  32.  
    Anonymous Coward, Jul 25th, 2013 @ 7:10pm

    OfCourseTheyWillGetTheSaltToo.

  33.  
    USA'S PEOPLE GET IT IN ARSE, Jul 25th, 2013 @ 8:18pm

    oh im sorry

    Before I handed them over they must have gone and changed it, and every time I take and give it to you they just auto get changed and resent out....
    have a nice peeping tom day....
    yup i agree lines that you dont cross....
    NOW im urging everyone NOT from the usa to begin banning USA users....and also any services that run in the usa both in non business and business capacities.

    The democrudes and republitards ARE REALLY DOING YOUR NATION UP THE ASS

  34.  
    Kal Zekdor (profile), Jul 25th, 2013 @ 8:38pm

    Re: With properly implemented storage of passwords.....

    Well, if they can force you to hand over the hashes, they can force you to divulge your salting practices, so salts probably won't help much in this case. A cryptographically secure hashing mechanism is your best bet to protect user passwords, in all cases. Salts protect against rainbow tables, not individual cracking attempts. (Though it's still a good idea to salt in a unique way, as this prevents someone from using a password hash leaked from another site to login to a user with the same email via bypassing the hashing mechanism.)

    I'm more interested in why the NSA wants passwords in the first place, when they've proven they can get FISA warrants (which are almost never denied, or even examined thoroughly) to sap data up directly from inside any company's datacenter. To try to log in to a user's accounts on a foreign site? Am I the only person who thinks that this behavior is more reminiscent of a criminal hacker ring than a "Security" agency?

  35.  
    Mike Brown (profile), Jul 25th, 2013 @ 8:50pm

    Re: Re: With properly implemented storage of passwords.....

    Because the terrorists use Facebook to communicate with each other, and those bastards won't accept the NSA's friend requests.

  36.  
    Anonymous Coward, Jul 25th, 2013 @ 8:58pm

    Re: How ITH can this be justified?

    I agree. Is nothing in our lives private anymore?? I'll shut down every site & get rid of my internet!!!

  37.  
    Woadan (profile), Jul 26th, 2013 @ 12:08am

    Google allows you to put in second factor authentication on accounts. The feds can have all the passwords they want, but they need the Google authenticator set up and approved. Too bad MS doesn't as well.

  38.  
    Anonymous Coward, Jul 26th, 2013 @ 3:13am

    Well, at least now the hackers know who to target to get the passwords more easily.

    Great job, Feebs!

  39.  
    Anonymous Howard (profile), Jul 26th, 2013 @ 3:59am

    Re:

    This is effective until they get your authenticator's id or serial or whatever it uses to generate the jump codes, and since it is stored at the company that just gave out your password...
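What "the authenticator" in Woadan's and Anonymous Howard's exchange actually computes, added here as an example that is not part of the thread: RFC 4226 HOTP and RFC 6238 TOTP in standard-library Python, plus the server-side check. The seed is the RFC reference secret so the output can be checked against the published test vectors; a real seed is a random per-user secret. The point for the exchange above is that the same seed the phone holds also sits in the service's database, and whoever obtains it runs exactly this code and gets exactly the user's codes.

```python
import hashlib
import hmac
import struct
import time

# The RFC 4226/6238 reference seed (ASCII "12345678901234567890"). A real
# authenticator seed is a random per-user secret that the service stores.
SEED = b"12345678901234567890"

def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation,
    keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(unix_time) // step, digits, algo)

def verify_totp(secret, code, unix_time, step=30, skew=1, digits=6, algo="sha1"):
    """Server-side check: accept the current step and +/- `skew` neighbours to
    absorb clock drift, comparing in constant time."""
    base = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, base + d, digits, algo), code)
               for d in range(-skew, skew + 1))

if __name__ == "__main__":
    now = int(time.time())
    phone_code = totp(SEED, now)            # what the user's app displays
    stolen_seed_code = totp(SEED, now)      # what anyone holding the stored seed gets
    print("phone:", phone_code, "seed holder:", stolen_seed_code,
          "server accepts seed holder:", verify_totp(SEED, stolen_seed_code, now))
```

The second factor adds nothing against a party that has been handed the seed alongside the password hash; it only helps against a party that has the password and nothing else, which is the scenario Woadan had in mind.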

  40.  
    Anonymous Coward, Jul 26th, 2013 @ 5:25am

    So how do they "interpret" "reasonable expectation of privacy" anyways?

  41.  
    Anonymous Coward, Jul 26th, 2013 @ 5:26am

    Here's my password: fuck you!

  42.  
    assemblerhead (profile), Jul 26th, 2013 @ 6:44am

    Bad Idea!!!

    And the frames for crimes not committed start at once.

    It is the ultimate in censorship as well. Messages sent in your name that you did not write. Context of messages you write changed to suit the US Gov.. Messages to you ( edited / deleted ) by the US Gov.

    Password to your OnLine Bank Account? Why do they need that? Making transfers in your name, in and out of your account?

    Time for a run on the banks. Keep it all cash, not in an account.

    ( Personal Opinion )
    There is a Megalomaniac in charge of "US National Security".

  43.  
    EvilGenius, Jul 26th, 2013 @ 8:04am

    Does this mean they are getting passes of people outside the US also?

    I would not be surprised.

  44.  
    John Fenderson (profile), Jul 26th, 2013 @ 10:02am

    Re: Re: How ITH can this be justified?

    It's because government is run by a bunch of guys in their 50s, 60s and 70s with horrifically antiquated ways of thinking.

    It has absolutely nothing to do with age. It has everything to do with power and corruption.

  45.  
    Evan, Jul 26th, 2013 @ 10:44am

    NSA is driving criminals to 256 encryption or better

    Now the NSA will be processing billions of civilian emails at taxpayer expense while criminals are driven to 256 bit encryption (or better schemes) over secure tunnels. They should have kept it secret. Dorks.

  46.  
    Anonymous, Jul 26th, 2013 @ 11:04am

    Response to: mudlock on Jul 25th, 2013 @ 3:44pm

    That's exactly what I was going to say. Anyone with access to a good enough computer and a few free programs like Hashcat can easily decrypt password hashes. Even faster if they have a rainbow table. And unfortunately for users those programs are so simple to use even the idiots in the government can figure out how to use them.

  47.  
    art guerrilla (profile), Jul 26th, 2013 @ 11:50am

    Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

    oh, really ? ? ?
    so those CEO bodies are really piling up in silicon valley, are they ? ? ?

    no?
    didn't think so...

    *some* brave souls (Bradley Manning, Edward Snowden, etc) LITERALLY put their lives on the line, not just talk trash...

    silicon valley defenders of the constitution: just put the top down on their porches, and speed back home to their mcmansions...
    so brave...

    art guerrilla
    aka ann archy
    eof

  48.  
    Anonymous, Jul 26th, 2013 @ 2:40pm

    Re: Passwords and the word "no."

    And a handful of piping hot CDs fresh from the microwave.

  49.  
    Steve, Jul 26th, 2013 @ 4:40pm

    I am using Securencrypt to encrypt my important emails and even if they had my password it would not be of much use to them. But I use that to protect against hackers, keyloggers etc, not to hide my boring financials and future projects from them.

  50.  
    Lahma, Jul 27th, 2013 @ 7:40am

    Re:

    Well said art guerrilla. Well said.

  51.  
    leichter (profile), Jul 27th, 2013 @ 2:46pm

    Breaking hashes is missing the point

    If the government can demand your hashed password, they can also demand your *actual* password. While a site doesn't *store* that, it has access to it *every time you log in*. After all, that's exactly what you provide in order to log in!

    There are protocols (SRP http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol is the most prominent example) in which having full access to the data on the server doesn't permit you to imitate a client (without additional work to brute-force the actual password). Unfortunately, such protocols aren't trivial to retrofit into existing systems as they require significant computation on the client side, so they haven't seen much traction. Perhaps it's time to consider them.

    -- Jerry
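A minimal SRP-6a run, added here to make the property Jerry describes concrete; it is not part of the thread and not taken from any SRP library. Assumptions: a toy 96-bit safe prime generated on the fly stands in for the fixed RFC 5054 groups (real deployments use those, at 1024 bits and up); SHA-256 is the hash; and agreement of the two derived session keys stands in for the M1/M2 proof messages of the full protocol. The server stores only (salt, verifier), the password and the derived secret x exist only on the client during login, and the last lines show that a copy of the server's record is not enough to complete the client side.

```python
import hashlib
import random
import secrets

def H(*parts):
    """SHA-256 over the concatenation of the parts, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def i2b(x):
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; good enough for generating a toy group parameter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_safe_prime(bits=96):
    """N = 2q + 1 with q prime. Assumption: a toy size so the demo runs at once;
    deployments use the fixed 1024-bit and larger groups from RFC 5054."""
    while True:
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def private_x(username, password, salt):
    """SRP-6a: x = H(salt | H(I ":" P)). Exists only on the client, only at login."""
    return H(salt, hashlib.sha256(username + b":" + password).digest())

def srp_enroll(N, g, username, password):
    """Registration. The server stores (salt, verifier = g^x); neither reveals P."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_session_keys(N, g, username, client_password, salt, verifier):
    """One login attempt. Returns (client_key, server_key); in the full protocol
    the two sides then prove possession of these keys with M1/M2."""
    k = H(i2b(N), i2b(g))
    a = secrets.randbelow(N - 2) + 1                 # client ephemeral secret
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1                 # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value, abort")
    u = H(i2b(A), i2b(B))
    if u == 0:
        raise ValueError("u == 0, abort")
    # Client side: needs the password (through x); never sees the verifier.
    x = private_x(username, client_password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: needs only the stored verifier; never sees x or the password.
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    return H(i2b(S_client)), H(i2b(S_server))

if __name__ == "__main__":
    N, g = toy_safe_prime(), 2
    salt, v = srp_enroll(N, g, b"alice", b"correct horse battery staple")
    kc, ks = srp_session_keys(N, g, b"alice", b"correct horse battery staple", salt, v)
    print("real client, keys agree:", kc == ks)
    # Someone who copied (salt, v) off the server but lacks the password:
    kc, ks = srp_session_keys(N, g, b"alice", b"guess", salt, v)
    print("stolen verifier, wrong password, keys agree:", kc == ks)
```

The algebra that makes the second run fail: the client cancels the k·g^x term out of B, and that only works when its x matches the x the verifier was built from. A party holding (salt, v) can run the server side all day, and can brute-force x offline from v exactly as with a stored hash, but cannot produce a client that the real server accepts.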

