It’s official. Evidently, the goal of protecting whistleblowers has been removed from the change.gov web site.
In other news, gov’t agencies can compel US companies to hand over passwords to user accounts. Bad news for those who re-use passwords on multiple sites: if any one of those sites hands over your password, agencies will have access to every account that shares it.
Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests.
This might not be as bad as it sounds though. Companies typically hash passwords, meaning a fixed-length byte array is produced from a variable-length password, and the hash cannot simply be reversed into the password. Further, the implementation of the hashing can be intricate, making it more difficult and time-consuming to ascertain the original password. A non-trivial password that must be brute-forced (because it does not appear in a dictionary) could take substantial time to crack.
This might also push web companies to make sure they hash passwords rather than storing the original passphrase (where they’re not already doing so), and to implement more sophisticated algorithms, so that brute-forcing the password from the hash is much more CPU-intensive and time-consuming.
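As an added illustration (not code from the original post) of what “hash, salt, and a deliberately slow algorithm” looks like in practice, here is a small salted, iterated password store using PBKDF2-HMAC-SHA256 from the Python standard library. The record format, function names and the iteration count are this example’s own choices, not anything the post describes; the stored record contains exactly the pieces an order might demand (algorithm, salt, iteration count, digest), none of which yields the password without doing the per-guess work.

```python
# Added example: salted, iterated password hashing with PBKDF2-HMAC-SHA256.
# Demonstrates a fixed-length digest from a variable-length password, a
# per-user random salt (so identical passwords do not produce identical
# records), and a work factor that makes every guess costly to check.
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = 32               # output size in bytes, whatever the password length
DEFAULT_ITERATIONS = 100_000  # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The site must keep algorithm, iteration count and salt next to the digest
    in order to verify later logins; by themselves they reveal no password.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user (constructed here)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DIGEST_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_bytes(record: str) -> bytes:
    """Extract the digest portion of a record, e.g. to inspect its length."""
    return bytes.fromhex(record.split("$")[3])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))                   # False
```

Raising the iteration count multiplies the cost of every guess for an attacker while adding only one slow hash per legitimate login.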
Companies have an incentive to protect their users’ privacy, and making the hashing process more difficult to crack would be good for security without violating any law.