Your Government Wants Your Passwords
The federal government has demanded that major internet companies turn over users’ stored passwords, according to CNet, a highly respected tech website.
CNet is calling this an “escalation” in internet surveillance by the federal government.
So what does this escalation mean exactly?
“If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user,” the report says. “Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.”
If that’s not concerning enough, the government not only wants your passwords, it also wants the hashing algorithms and salts used to store them, and the security questions attached to your accounts.
Some of the government orders demand not only a user’s password but also the algorithm used to hash it and the so-called salt, according to a person familiar with the requests. A salt is a random value combined with the password before it is hashed, so that two users with the same password get different stored hashes and an attacker cannot reuse a precomputed table of hashes; the salt is not a secret, and an attacker who has the hash, the algorithm and the salt can still try candidate passwords one at a time against the stored value. Other orders demand the secret question codes often associated with user accounts.
So far these have only been requests, and the companies receiving them are fighting them. But most of the big internet companies, including Google, Microsoft and Yahoo, declined to comment in the CNet article or to provide any specifics about the requests. Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users’ passwords and how they would respond to them.
The FBI declined to comment.
The question is whether you can protect your private communications and information if the Feds do get access. The CNet author offers a little advice, whether intentionally or not is hard to say: longer passwords that contain unusual characters are much harder to recover even when the attacker holds the stored hash, the algorithm and the salt.
One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that hardware costing a mere $4 could crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.
But if a password of the same length included numbers, asterisks, punctuation marks and other special characters, the hardware cost for a one-year crack leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion. The jumps follow from the size of the search space: every extra character multiplies the number of candidate passwords by the size of the alphabet, and the attacker must try a large fraction of them on average.
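To make the two points above concrete, here is an added example (not code from the CNet article, Percival's paper or this post). It builds the kind of credential record the orders ask for (algorithm, salt, hash), shows that a salt makes identical passwords hash differently, runs the offline brute force an attacker can mount once they hold the salt and algorithm, and scales Percival's $4 figure by keyspace size to reproduce his $130,000 and $1.2 billion estimates. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in as the salted, iterated hash; the iteration count, the 95-character printable alphabet and the sample passwords are assumptions of the example.

```python
"""Added example: salted password records, offline cracking with salt+algorithm
in hand, and why keyspace size sets the cracking cost."""
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt. The iteration count is
# kept small so the demonstration brute force below finishes in seconds.
ITERATIONS = 1000
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 chars


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a service stores: algorithm, salt, iterations, digest.
    The salt is random per user and stored in the clear next to the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "salt": salt, "iter": ITERATIONS, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iter"])
    return hmac.compare_digest(digest, record["hash"])


def crack(record: dict, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Offline brute force with everything the orders ask for (hash, algorithm,
    salt). Tries every string over `alphabet` up to `max_len` characters.
    Returns (password, guesses) or (None, guesses) if the keyspace is exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if verify(record, candidate):
                return candidate, guesses
    return None, guesses


def scaled_cost(base_cost: float, base_alphabet: int, base_len: int,
                alphabet_size: int, length: int) -> float:
    """Scale a known cracking cost by the ratio of keyspace sizes. With a fixed
    time budget the hardware cost grows linearly with the number of candidates."""
    return base_cost * (alphabet_size ** length) / (base_alphabet ** base_len)


if __name__ == "__main__":
    # Same password, two salts: the stored hashes differ, so a table of
    # precomputed hashes for "hunter2" is useless against either record.
    a = hash_password("hunter2")
    b = hash_password("hunter2")
    print("salted hashes differ:", a["hash"] != b["hash"])

    # Constructed short password: once the attacker has salt + algorithm, a
    # small keyspace falls quickly regardless of the salt.
    rec = hash_password("cab")
    pw, n = crack(rec, string.ascii_lowercase, 3)
    print(f"cracked {pw!r} after {n} guesses")

    # Percival's 2009 table, reproduced from keyspace ratios: $4 for 8 letters.
    print(f"8 printable chars: ${scaled_cost(4, 26, 8, len(PRINTABLE), 8):,.0f}")
    print(f"10 printable chars: ${scaled_cost(4, 26, 8, len(PRINTABLE), 10):,.0f}")
```

The scaling function treats cost as proportional to keyspace, which is what Percival's table assumes for a fixed cracking time; it reproduces roughly $127,000 for 8 printable characters and roughly $1.15 billion for 10, close to the $130,000 and $1.2 billion quoted above. The brute force finds a 3-letter password after 2,056 guesses even though the salt is random, which is the practitioner's takeaway from the article: the salt and algorithm protect against precomputation, not against guessing a short password.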
There are times when law enforcement may need this kind of information when investigating a crime; however, those instances should be handled case by case and only in accordance with local, state, and federal law. I’m of the opinion that once you break the law you begin to lose privileges. That’s by choice. This situation ignores the choice, rights, and freedoms of law-abiding citizens if indeed blanket access to passwords is provided.
If you’re uncomfortable with this story, and I think everyone should be, call your congressional representatives and senators and let them know this is unacceptable. Ask them if they are aware of these requests. Ask them to explain the depth and detail if indeed they are aware. But most of all let them know YOU’RE AWARE.
- Feds tell Web firms to turn over user account passwords (news.cnet.com)