Feds tell Web firms to turn over user account passwords.

Feds tell Web firms to turn over user account passwords.

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Time to "break-in" the new forum.

Its not enough that theyre recording our phone calls, tracking the sites we visit, examining our credit card statements, examining our library cards, tracking our movements via license plate readers... No, thats not enough.

Now they want us to simply tell them our passwords.

Doesnt that defeat the purpose of having a password???

Lesson to be learned: never use stored passwords.

Keep resisting.

your passwords in this forum could have probably been handed over as well, although just speculation, so tread lightly. getting to the point where i'm close to resigning my internet activity all together, it's just not safe anywhere, including here possibly...

our corrupt government will stop at nothing to destroy everything our forefathers stood for, they want everything now.

Why dont they hash the passwords?
I use SMF forum, it hashes the paswords, all I would be able to give them would be a string of meaningless numbers. Of course they could try brute forcing them but with long passwords it could take them some time.

Originally posted by LittleBlackEagle
your passwords in this forum could have probably been handed over as well, although just speculation, so tread lightly. getting to the point where i'm close to resigning my internet activity all together, it's just not safe anywhere, including here possibly...

our corrupt government will stop at nothing to destroy everything our forefathers stood for, they want everything now.

What good would them getting our passwords do? They can see our posts without a password. And I'm quite sure they could use a back door anyway.

They don't need to read me emails to know I hate them. I tell them everyday. Hey US government I hate you!

Originally posted by VoidHawk

Originally posted by LittleBlackEagle
your passwords in this forum could have probably been handed over as well, although just speculation, so tread lightly. getting to the point where i'm close to resigning my internet activity all together, it's just not safe anywhere, including here possibly...

our corrupt government will stop at nothing to destroy everything our forefathers stood for, they want everything now.

What good would them getting our passwords do? They can see our posts without a password. And I'm quite sure they could use a back door anyway.

Email addresses attached to forum accounts, which are then attached to real names are compiled in a database of passwords matched to real names. With just a very small number of companies participating they can essentially have access to all of your online accounts simply through knowing your password. Password reuse is a very real thing.

Another thing mentioned in the article is that they're demanding security question answers, which are often similar between sites. Through compiling this information, once again they can use it to obtain your passwords.

What this means is they can simply log into your accounts to spy on you, if the courts ever put a stop to companies handing over data, it no longer matters since they have a password database. It streamlines everything for them too. If they figure out you're using a device, they have a database of likely passwords you're using and can get access to your information quickly. Even if you're using infrastructure that's not based in the US with companies that don't hand over data.

The implications of this are pretty large.

Question: What's the difference between the NSA being able to secretly listen in on a private phone conversation, and the NSA being able to listen in on a family's conversation at the dinner table?
Answer: There's virtually no difference.

Question: What's the a difference between the NSA having access to an individual's passwords, and the NSA having access to an individual's bank account?
Answer: There's virtually no difference.

At this rate it may soon be, "your FEMA papers, please!"

Did you know?
source : www.businessinsider.com...

F.T.G.

Originally posted by VoidHawk

Originally posted by LittleBlackEagle
your passwords in this forum could have probably been handed over as well, although just speculation, so tread lightly. getting to the point where i'm close to resigning my internet activity all together, it's just not safe anywhere, including here possibly...

our corrupt government will stop at nothing to destroy everything our forefathers stood for, they want everything now.

What good would them getting our passwords do? They can see our posts without a password. And I'm quite sure they could use a back door anyway.

lots of nasty things they can do with passwords, like make phoney posts or create phoney activity for, if not anything else, incriminating evidence against you.

Well I am enjoying the net while i can,.
eventually if site owners want to continue their
cash flow with advertising, they will comply
thats when I shut off the internet. and go off grid

Originally posted by LittleBlackEagle
lots of nasty things they can do with passwords, like make phoney posts or create phoney activity for, if not anything else, incriminating evidence against you

See I'm just not devious enough to think of that.

Originally posted by LittleBlackEagle

Originally posted by VoidHawk

Originally posted by LittleBlackEagle
your passwords in this forum could have probably been handed over as well, although just speculation, so tread lightly. getting to the point where i'm close to resigning my internet activity all together, it's just not safe anywhere, including here possibly...

our corrupt government will stop at nothing to destroy everything our forefathers stood for, they want everything now.

What good would them getting our passwords do? They can see our posts without a password. And I'm quite sure they could use a back door anyway.

lots of nasty things they can do with passwords, like make phoney posts or create phoney activity for, if not anything else, incriminating evidence against you.

edit on 25-7-2013 by LittleBlackEagle because: (no reason given)

Here's a big one once they know your likely passwords. They can break anything you encrypt when intercepting your communications (or worse, seizing your equipment), keeping data private with technology like 256bit AES and PGP suddenly becomes impossible.

Originally posted by VoidHawk

Originally posted by LittleBlackEagle
lots of nasty things they can do with passwords, like make phoney posts or create phoney activity for, if not anything else, incriminating evidence against you

See I'm just not devious enough to think of that.

you had better get busy learning to be, in a nice way though. just grow up on any indian reservation and you learn very quickly, since we have known about trusting, or lack there of, the US govt.for a very long time.

Violators of their oaths one and all.

The 4th.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.[

Originally posted by benrl
Violators of their oaths one and all.

The 4th.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.[

sing it brother.

the govt. broke most of the indian nations treaties a long time ago and now they are breaking the entire population of citizens as well. our American treaty is known as the Constitution of the United States and the Bill of Rights, both are being shredded as we speak, with more to come.

I'll make it easy for them.

My password is;

Round black dot-round black dot-round black dot-round black dot-round black dot

My ATM password is;

asterisk-asterisk-asterisk-asterisk

Originally posted by beezzer
I'll make it easy for them.

My password is;

Round black dot-round black dot-round black dot-round black dot-round black dot

My ATM password is;

asterisk-asterisk-asterisk-asterisk

LOL
Many people dont realise but the strength of a password is in its length. Thats assuming someone is trying to crack it.
20 Round black dots with an initial on the end is easy to remember but for someone trying to crack it, it's very hard.

reply to post by gladtobehere


Weird because most websites don't even know your password. They just save a hash (digital fingerprint) of it, then throw the password away. To tell if you typed your password in correctly they hash it again and compare the two hashes. If they match you're in.

But you can't tell what the password was from the hash. The algorithms are designed so it can't be reversed. You can make a hash from a password, but you can't make a password from the hash. That way if their DB gets hacked everyone's password are "safeish".

This is one reason why most websites ask you to make a new password or email you a random one if you forget yours instead of just telling you what your password was. It's because they don't know what your password is either. They only have the hash.

While some websites use crap hashes that can be cracked, for the most part it's a major PITA and all you get is a list of random numbers that can't be used.

The feds should be smart enough to know this. Are they suddenly asking these websites to actually retain what your actual password is and not just the hash?

Because if so, that would be an even bigger story. The feds asking web firms to break a major security practice used all over the web that would leave your data open to not only the feds, but hackers world wide if they ever steal the database.

reply to post by VoidHawk


You don't have to have a deviant mind to come up with the "what if they had the passwords" question. For many, it is access to friends, family, business contacts, patient protected information (violating HIPAA laws), etc, etc.

If you want to see deviance here is a scenario for you:

A man goes on a rampage and starts killing cops; it is found out that the man on the rampage is a cop. The Government, actively monitoring this (or part of it), uses the hacked password (or given one) to post in this "maniac's" name a manifesto.

Here is another one:

People begin to break away from the party system and start to follow a young, charismatic leader who truly speaks of liberty. The Government just uses their passwords they obtained, plants nefarious dealings and postings about this young buck, in his name and poof....

If the Government was okay with locking up American citizens; who happened to be of decent of Japan; do you think they will think twice about destroying one or two people's lives?

Those calling for further and more advanced encryption from the end user are missing the point. The point is that the Federal government has no Constitutional authority to do these things and in point of disgusting fact are doing so in complete violation of the bill of rights.

The solution is not to better encrypt passwords, IP addresses and emails, it is, to demand the immediate dismantling of agencies who are operating unlawfully and illegally.

Sounds daunting? It's not. If only 10 million Americans bombarded their reps, county sheriff's office and senators about this issue and fully followed through, we could stop this insanity. Public outcry, outrage and threat of action goes along way but there is a big difference between thousands and millions of people.

This sort of behavior is increasing at such an alarming rate, is there anyone left that would dare say we can not compare our current level of government and laws to those of Nazi Germany during the transitional takeover of the country?

I would love to debate the merits of oh, so many ways it is a mirror image, almost exactly following in the totalitarian footprints of the worst travesty of a political party to ever walk the Earth.

Originally posted by tinfoilman
reply to post by gladtobehere

 

Weird because most websites don't even know your password. They just save a hash (digital fingerprint) of it, then throw the password away. To tell if you typed your password in correctly they hash it again and compare the two hashes. If they match you're in.

But you can't tell what the password was from the hash. The algorithms are designed so it can't be reversed. You can make a hash from a password, but you can't make a password from the hash. That way if their DB gets hacked everyone's password are "safeish".

This is one reason why most websites ask you to make a new password or email you a random one if you forget yours instead of just telling you what your password was. It's because they don't know what your password is either. They only have the hash.

While some websites use crap hashes that can be cracked, for the most part it's a major PITA and all you get is a list of random numbers that can't be used.

The feds should be smart enough to know this. Are they suddenly asking these websites to actually retain what your actual password is and not just the hash?

Because if so, that would be an even bigger story. The feds asking web firms to break a major security practice used all over the web that would leave your data open to not only the feds, but hackers world wide if they ever steal the database.

Once they have a database of hashes they can brute force it and solve all of them in the same attack at a rate of 348 billion hashes per second. When all the data is client side, they can perform these checks very quickly. At that point, password reuse significantly impacts everyones privacy and very little is secure.

That's a rate of cracking a 14 character password in 6 minutes. That's somewhat efficient. Now what happens when they're checking a million different hashes? That's a million 14 character passwords in 6 minutes. More than fast enough to render any password insecure.