Wednesday, April 20, 2011

Password monitoring threatens civil liberties

I had my own little "James Bond" moment today as, daunted by my PC's increasingly long boot-up time, I went off to make breakfast. I returned to find my security software counting down the seconds before it locked me out of the machine, and I had to calmly enter the password against the pressure of seconds ticking away. Very 'Goldfinger' or 'GoldenEye.'

Managing passwords is an increasingly hard problem: according to the book and movie about Facebook, 'The Social Network,' founder Mark Zuckerberg used the system's record of failed login attempts to guess users' passwords for other systems. I think of that each time I log in.

But, even more bizarrely, there was breaking news last week that the French government intends to make it law for ISPs to store users' passwords in the clear. I haven't seen confirmation of the "in the clear" bit, but just mandating easy access to users' passwords is an invitation to fraud, identity theft, and worse.

Here's a Google translation from the French at TechDirt: "Information furnished when agreeing to a contract or opening an account, including first name, last name, business name, associated mailing addresses, and pseudonyms utilized, associated e-mail addresses and accounts, telephone numbers, and passwords as well as data permitting the verification or modification of the password."

Quite a list and something that may well tip the balance of commercial value away from cloud-based computing as users seek to regain control of their information.