Feds tell Web firms to turn over user account passwords

Declan McCullagh:

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.’”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: “No, we don’t, and we can’t see a circumstance in which we would provide it.”

3 Comments

It is a sad time to be an American.

@drjohn: #1
Yes, it is.
Having individual government employees of uncertain background given unlimited user access to my internet activity- my bank accounts, my emails, my comments on forums and blogs- well, all that I can say is that the people demanding this access are no more moral and trustworthy than the average citizen.
Only, they will be unaccountable for their actions.

@Petercat:

all that I can say is that the people demanding this access are no more moral and trustworthy than the average citizen.

I’d say they are considerably less moral and trustworthy, as you can be certain that their official user names and passwords would never be released to the public so that we can see what they are doing with ours.

If I learn of any web firm that released my Username and Password, that company can kiss my business goodbye.