The cat is out of the bag with regard to government spying, and citizens aren’t comfortable with that fact. Now, two industry sources have divulged that the US government is insisting that certain Internet companies, cheap hosting or otherwise, provide users' passwords. This measure seems to go beyond anything that has been brought to light in the past.
The issue here is rather obvious: with your password, the government can log in to your account (social media, email, etc.) and go through anything and everything. Further, one password can open access to multiple accounts. One of the aforementioned industry experts told press that he’s “…certainly seen them [the government] ask for passwords. We push back.”
Another source, an employee of a large Silicon Valley company, confirmed the spying rumors to be true, stating that many companies “really heavily scrutinize” government requests and that many take an ‘over my dead body’ stance. What does the government want to see so badly? What do these requests consist of?
What They Are Requesting
According to the same sources, government employees are asking for more than just passwords. They also want encryption algorithms and something termed ‘salt.’ The ‘salt’ is a random string of letters and numbers that makes reversing the encryption difficult. Some government orders also request user ‘secret questions’ associated with various accounts.
When asked whether Microsoft complies with government requests, a company rep told press “…we can’t see a circumstance in which we [the company] would provide it [passwords or salt].” Yahoo reportedly denies government requests, but some companies weren’t quick to respond to the question: do you openly and willingly give out password details?
Those companies that have not weighed in on the situation include Apple, AOL, Verizon, Facebook, AT&T, Comcast, and Time Warner Cable.
Also not offering comment on the subject: the FBI.
Algorithm Information: Still Tough To Gain Access
Even if authorities were to gain access to certain passwords, salt, and algorithm details, some passwords are still hard to crack. It all depends on the type of algorithm used in addition to password strength. Passwords on sites that rely on good, slow hash algorithms can be next to impossible to crack. Some sites are implementing algorithms that are too costly for government agencies to bother with.
One such algorithm is the one used by Twitter and LinkedIn, dubbed ‘bcrypt.’ It would cost $4 to crack an 8-character bcrypt password (over the course of one year). To crack that same password in one day, the cost jumps to $1500. Add some random symbols, and that cost per year soars to $130,000. Increase it to a 10-digit alphanumeric combo, and it becomes $1.2 billion yearly.
That’s enough to deter anyone, even a government agency. The NSA might be asking for bcrypt algorithm information, but that doesn’t mean that passwords are being cracked on the cheap.
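To make the salt and slow-algorithm point concrete, here is an added example (not from the sources quoted above) of how a site stores and checks a salted, deliberately slow password hash, and how the work needed to try every password grows with length and character set. It assumes PBKDF2 from Python's standard library as a stand-in for bcrypt, and the function names and password classes are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 from the standard library stands in for
# bcrypt; both are salted password hashes that are slow on purpose.
ITERATIONS = 200_000  # work factor: higher means more time per guess


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Return the record a site would store: salt, work factor and digest."""
    salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Measure how long a single hash computation takes on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


def exhaustive_search_years(alphabet_size: int, length: int, per_guess: float) -> float:
    """Single-core years needed to hash every password of this size."""
    return (alphabet_size ** length) * per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_password("constructed-sample-password")  # constructed input
    print("verifies:", verify_password("constructed-sample-password", record))
    cost = seconds_per_guess()
    # Constructed password classes, chosen to resemble the cases above.
    for label, size, length in [("8 lowercase letters", 26, 8),
                                ("8 printable ASCII", 95, 8),
                                ("10 alphanumeric", 62, 10)]:
        years = exhaustive_search_years(size, length, cost)
        print(f"{label}: {years:.3g} core-years")
```

Because every user gets a different salt, the same password produces a different stored digest each time, so the work above has to be repeated per account even when the salt and algorithm are known.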
Are you concerned about password safety? Let us know below!