The federal government has demanded that major internet companies turn over users’ stored passwords, two sources told the respected tech website CNet.
So what exactly does this “escalation” — as CNet calls it — mean?
“If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user,” the report says. “Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.”
But it doesn’t end there. The government is not only requesting the passwords, but it’s also asking for the hashing algorithms and even the security questions:
Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
According to the report’s sources, the government has requested password information on numerous occasions. Still, both sources said the companies fight them.
“We push back,” one said.
“There’s a lot of ‘over my dead body,’” said another.
Most of the big internet companies — Microsoft, Google, and Yahoo — declined to comment or give any specific information regarding the allegations, but Yahoo did say, “If we receive a request from law enforcement for a user’s password, we deny such requests on the grounds that they would allow overly broad access to our users’ private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law.”
Still, CNet does offer some hope for those who may be concerned about this new era of government surveillance: even if the government obtains a stored, encrypted password, there is no guarantee it can crack it.
“Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user’s original password is hardly guaranteed,” the report says. “The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.”
There is some advice, though, buried deep in the report. Although the author doesn’t expressly say it, he does note that longer passwords containing unusual characters are much harder to crack, even when the attacker knows the hashing algorithm:
One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.
But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.
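The figures above follow directly from the size of the password space. As an added example (not from CNet’s report or from Percival’s paper), the Python below scales the $4 anchor by the keyspace ratio and reproduces the other two estimates to within rounding; it assumes “letters” means the 26 lowercase letters and “special characters” means the 95 printable ASCII characters, and it uses PBKDF2 from the standard library in place of bcrypt to show what the salt mentioned earlier actually does.

```python
import hashlib
import hmac
import math
import os

# Alphabet sizes assumed behind the quoted figures (constructed assumption).
ALPHABETS = {"lowercase": 26, "mixed_case": 52, "alphanumeric": 62, "printable": 95}

# Anchor quoted on the page: ~$4 of hardware cracks an 8-character
# lowercase bcrypt password in an average of one year.
BASE_COST_USD, BASE_ALPHABET, BASE_LENGTH = 4.0, 26, 8


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def estimated_cost_usd(alphabet_size: int, length: int) -> float:
    """Scale the $4 anchor by the keyspace ratio (same hash, same work factor).

    Brute-force cost is linear in the keyspace, so each added character
    multiplies the cost by the alphabet size: 95^8 / 26^8 ~ 31,800x.
    """
    ratio = keyspace(alphabet_size, length) / keyspace(BASE_ALPHABET, BASE_LENGTH)
    return BASE_COST_USD * ratio


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest length at which this alphabet reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def salted_hash(password: str, salt=None, iterations: int = 600_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 stands in for bcrypt).

    A fresh random salt per user makes identical passwords store differently,
    so a table precomputed for one stored hash does not help with another.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (8, 10, 12):
            print(f"{name:12} len={length:2}: ~${estimated_cost_usd(size, length):,.0f}/year")
```

Running the script prints a table in which each extra printable character multiplies the yearly cost by 95, which is why the jump from 8 to 10 characters lands near $1.2 billion.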
It almost makes you want to go back and read TheBlaze’s report on five ways to thwart the government from spying on you.
Read CNet’s full report for more.