Feds Now Demanding Internet Companies Hand Over User Passwords Too

[EChondo]

http://www.techdirt.com/articles/20130725/13304423946/feds-now-demanding-internet-companies-hand-over-user-passwords-too.shtml
 

Following on the report that the feds have been trying to get master encryption keys, Declan McCullagh now has a story about the feds also demanding user passwords from those same companies. Once again, various sources insist that the companies do not hand over such info:

 

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back." 

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

 

Similarly, Microsoft and Google both directly said that they would never do that, while other companies hadn't responded (or chose not to respond) by the time Declan went to press. Of course, as he notes, since most tech companies now encrypt passwords, even if the companies were to hand over the hashed passwords, it's not guaranteed that the NSA can take that and decipher the actual password, though, it makes it easier. Still, just the fact that the companies are being asked for passwords seems like, once again, the feds going way beyond what they should be able to do.

Well, they can try to ask for my private email password that I host, but then they'll have to get through my encryption as well, and I plan on not giving either key.

 

So, how do you guys liking the non-warranted access?

[Hyydrah]

 

[ionbasa]

This is why password validation / authentication should be moved to the client side, not checked against a server.

 

If it is client side with a randomly generated 4096 bit RSA key, with a hardware authentication, say through text message, or through similar methods like the Google authentication app, then they wont be able to retrieve a "password" as none exists.

[Fetzie]

I don't know about you, but I wouldn't say the words "over my dead body" to the CIA or the FBI. The two agencies have a certain ... "history" between them.

Anyway, no company "knows" their users' passwords.

[Emperor_Piehead]

I have a encrypted modem and some encrypted protecton on my computer. so pry it from my cold dead code.

[TechSage]

My password is unicorn, call that a magical password. Eh? (yes i'm canadian)

[EChondo]

My password is unicorn, call that a magical password. Eh? (yes i'm canadian)

I thought every Canadian password was "Maple Syrup" or "Mounties" :P

[TechSage]

I thought every Canadian password was "Maple Syrup" or "Mounties" :P

No its actually "Beaver" LOL

[pcexplosion]

what passwords wouls isps have?

[BernardoSLR]

WTF Suddenly all want a slice of the internet.

[AndThenThereWas1]

My password is drowssap. Its genius... oh wait shit now the world knows.

[obsidian1200]

No its actually "Beaver" LOL

Great, now the entire LTT team is going to have to change their passwords!

 

OT: Why does the government NEED my personal passwords? I don't even trust my boss with my work log-in information, and I know the guy. I just don't see how this makes sense, but then again, that's been my views on USA privacy laws for the last couple of years.

[Jack.EXE]

Yup. Time to move to germany.

[Wingingchase]

ummm.... how about no

[kuddlesworth9419]

Our governments use the excuse "because terrorists" too lightly to get hold of our personal information. I dislike this. 

[qwertywarrior]

hmmm

in the UK its basically 1984 and no one gives a shit

then they took away their porn and a revolution might start

 

i think the US is learning from the UK on what to do

the FBI will never touch American porn

[Beskamir]

I forsee this will be on the tek...

 

Also I should really make a tinfoil hat...

[MdX MaxX]

Um, I'm pretty sure the government can't get user passwords.  No one can.  Any company worth anything will store its users' passwords in a hashed format that can't be reversed.

 

The government clearly doesn't understand how the Internet works if they think a company can just hand over passwords in plaintext.

[Setamus]

Yup. Time to move to germany.

 

The problem is that we already have a law, that allows the german police to get passwords. It isn't even a month old though. I'm sure that the Federal Court of Justice of Germany will declare that law as unconstitutional, like they did with data preservation a few years ago. 

[WanderingFool]

Um, I'm pretty sure the government can't get user passwords.  No one can.  Any company worth anything will store its users' passwords in a hashed format that can't be reversed.

 

The government clearly doesn't understand how the Internet works if they think a company can just hand over passwords in plaintext.

 

The problem I see is a lot of companies don't seem to do that....yes most big ones do, but there have been many times I reset my password on a site only to have the email send back the original password to log in.   I can't remember which site it was, but there was one a few years back that hashed passwords, but for a certain time period had logged the passwords when created into a text file.