New French Law Reduces Website Security
I didn’t know about this:
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.
Police, the fraud office, customs, tax and social security bodies will all have the right of access.
The social benefits of anonymity aside, we’re all more secure if these websites do not have a file of everyone’s plaintext password.
EDITED TO ADD (4/12): Seems that the BBC article misstated the law. Companies have to retain information they already collect for a year after it is no longer required. So if they’re not already storing plaintext passwords, they don’t have to start.
John Moehrke • April 11, 2011 1:34 PM
We can hope that they accept a salted-hash ‘value’. And they don’t get the salt value... they really don’t say plaintext, do they?