Password Hashing and Criminal Liability

Erez Wolf reports about a serious security problem which resulted from hacking an Israeli website and stealing the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords, where using the presumption that most people use the same login details for most websites, allowed Turkish hackers to hack and deface many user accounts in Facebook, as well as other sites, who depended on the login details in the database. In the Turkish website containing the list, there are more indications of websites hacked, including account details of 70,000 other accounts.

We can point out two problems: the first, which we all know we do, is using the same password in more than one website. Even security experts do it (we call it bitch password) in unimportant websites. The problem is that most people cannot remember more than a few passwords so they use the same password over and over. More than 20% of the passwords people use are in a short 5,000 password list; moreover, people use their birthdate, phone number or SSN as their passwords.

The first problem, however, is the layperson’s problem. The second problem is the law authorities problem. The hacked website kept the passwords in retrievable format in case the user forgets it. Meaning: the password was saved in plain text in the database, and accessible to more than just the website’s administrator. The common method to retain passwords is Password Hashing, which means that the passwords are unilaterally encrypted and the password could only be authenticated, but never restored. By using this method, you could never send the user his own password but only reset it when the user forgets it. Therefore, you need to authenticate the user’s identity in a different form, like email; this ties the user identity and allows more credibility in e-commerce, but has other implications as well.

By using this method, if the database is hacked, there is no way to use the passwords (with one exemption, if the password is a dictionary word and by using Cain & Able). Therefore, you can be certain that if your database is stolen, no one could use it.

The problem becomes a tad more legal when you understand the Israeli Privacy Protection Act which defines Information Security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that an owner of a database, its manager or the holder of it are all liable for the database security and integrity; meaning, that the owner of this website, and whoever provided him with the information security services, are liable for the data protection here and may face criminal sanctions. However, up to today, no criminal charges were brought against people who violated the data protection clauses, but it seems that this time, the the Israeli Law, Technology and Infromation Authority should apply its legal power and apply sanctions.

When the authority wants more and more power, where amongst other powers is the power to search databases, it shows it has the intent to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords show how the lives of people may be hurt solely because of faulty data protection procedures. In any other case where thirty thousand people would suffer damages, the case would seem different. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry, sued and criminal charges were brought.

The information in the database is highly personal, it is dangerous and there are people who are liable for its leak, will they go to prison? I doubt it. However, they did not apply means to protect the data and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]

Leave a Reply

Your email address will not be published. Required fields are marked *