
Does it really say you cannot at all store hashed passwords, or does it mean just that you have to give the authorities the password for a user account if they ask you to? After all, if they want a password that can access a user's account, they could get that but that doesn't mean that it has to be the exact same password that the user uses, does it?



How would you implement that? The law requires you to be able to give police the user's password, upon request. How would you do that without storing the password in plaintext, somewhere?

The law seems ill-conceived at best. In the best case, it will require every French site to implement a workaround. I'd be willing to bet a great many will simply comply with the law and compromise everyone's security.


Generate another password upon request, store both hashes with the user account and make the user account accessible with both passwords. Not that I condone such snooping, but that isn't that hard of a workaround to implement.

That doesn't get around the fact that the police would likely want a password in usable form, that is, something they can log in with. If you're storing something in that form, it's functionally plaintext and subject to all of the issues associated therewith. Hashing it and then building in a workaround is like putting a deadbolt on your door but leaving your window open. A compromised database would have the same effect with your solution that it would with passwords stored in plaintext.
