Obama no longer protecting whistleblowers

It’s official. Evidently, the goal of protecting whistleblowers has been removed from the change.gov web site.

In other news, gov’t agencies can compel US companies to hand over passwords to user accounts. This is bad news for those who re-use passwords on multiple sites: if any one of those sites hands over your password, agencies will have access to all of those accounts.

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests.

This might not be as bad as it sounds, though. Companies typically hash passwords, meaning a fixed-length byte array is produced from a variable-length password. Further, the implementation of the hashing can be intricate, making it more difficult and time-consuming to ascertain the original password. A non-trivial password that must be brute-forced (because it does not appear in a dictionary) could take substantial time to crack.

This might also push web companies to make sure they hash passwords rather than storing the original passphrase (in cases where they’re not already doing this), and to implement more sophisticated algorithms, so that brute-forcing the password from the hash is much more CPU-intensive and time-consuming.

Companies have an incentive to protect their users’ privacy, and making the hashing process more difficult to crack would be good for security without violating any law.
