France to require unhashed password storage

France is opening a can of worms with this new law.

1. Will they be held liable of confidential information gets hacked? This includes banking details etc?
2. Surely this is a privacy issue here? What do French citizens think about this?

France's new data retention law requires online service providers to retain databases of their users' addresses, real names and passwords, and to supply these to police on demand. Leaving aside the risk of retaining all this personal information (identity thieves, stalkers, etc -- that which isn't stored can't be stolen and leaked), there's the risk of requiring providers to store plaintext unhashed passwords, as Bruce Schneier points out.

Well-designed systems don't store passwords; rather, they take the password you supply and run it through a cryptographic hashing algorithm that turns it into another string (in theory, this string can't be turned back into the password). When you re-visit the website and supply your password, it is run through the algorithm again, and then the result is compared to the stored version. That way, no one -- not even the provider -- knows your password (except you). Again, that which isn't stored can't be leaked. Requiring French online services to keep a record of unhashed passwords is a reversal of decades of best practices in security.

Link

What other countries have this law or are thinking of doing the same thing? It seems to me that the only thing safe to do on the net these days is never sign on fopr anything, and use pigeons as my mail carrier.

Not only no. But hell freaking no.
Do they want hackers to target french companies for hacking?
That has to be the dumbest law ever enacted by anyone.

Do the French have IQ's of a frog for real?
wow. just wow.

No the french are not thick and are just being used as the testing ground for the zionists to see if they can pull this little stunt off.

Your duty is to fight back and learn to hash all your passwords if that upsets them so much and yes i do encorage you to break the law wnen the law was never past by the will of the people but politicians on the take.

You are being treated like a terroriost so start acting like one.

reply to post by grey580


In South Africa we have signed our own privacy away with the RICA law (Registration for the Interception of Communications Act) where our cellphone companies are so enthusiastic about it that they held competitions for everyone who registered on time.
Not a whimper of protest from anyone.

All in the name of combatting crime. It's not just the French who have jumped onto the post-911 bandwagon.

ISPs of course already have your personal details, after all you need to pay them regularly to maintain the service they provide so they can already be forced by legal requests to divulge that information. And no matter how secure you think you and your data are, they're not, as has been frequently proven regardless of security measures you may want to place your trust in.

reply to post by Pilgrum


We are being driven into a state where we will all become Luddites, shunning technology in favour of freedom. We villify sites like Wikileaks and groups like Anonymous yet they are the ones who are ultimately fighting for our rights (albeit in a flawed way).

My child will never know the freedom we once enjoyed when the internet was a relatively free, safe and exciting new country worth exploring.