Score:0

How can I convince a legal person that it is possible that a password is stored in the plain?


If a user has a password on a system that is 28 ASCII characters, let's say it's my.gov.au, and then a few years later a flaw is discovered which limits passwords to 20 characters, and the user now discovers that the password for the site is the original 28-character password truncated at 20 characters, is it reasonable to conclude that the password is stored in the plain, and how could one make this argument to someone with a legal rather than an information theory background (i.e. hashing is one way, etc.)?

Morrolan
I don't necessarily agree there. It's entirely possible that they truncate the password **before** hashing it, for update or comparison purposes. The fact that they do truncate it in isolation does not prove that they store passwords in plaintext.
Do you really want to convince them that "it's possible"? That seems like a very low bar. Someone who is not technical might not even realize there is another alternative.
Score:1

I'm a technical person, and understand the argument being made in the question. But before I start to side with these arguments to assert the insecurity of the password storage system, past or present, I'd need to be convinced that when 28 ASCII characters were accepted, a password typed with an error past the 20th character was refused. If not, it's entirely possible that since the origin only the first 20 characters of the password have been significant, and that limit is now enforced, and for the rest the password was and is stored properly password-hashed.

Even then, I won't be convinced "that the password is stored in the plain". It's entirely possible that the password now is stored properly password-hashed, with the conversion from an old format to a new one when the password, or its first 20 characters, are first used in the new system. Such seamless conversion from legacy to new password format is standard procedure.

I won't even be convinced that the password was stored in the plain. It's entirely possible that the password was stored encrypted with a reversible encryption and some secret key. That would not be properly password-hashed, but still better than "in the plain" (and even quite satisfactory if the password decryption and handling occurs only in a secure environment, like an HSM).

I'm not saying it's impossible to use "Jedi mind tricks" and convince the legal person of something, as was done for the certification of a plane. But that's something I do not condone. Besides, it's off-topic.
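As an added illustration (not code from the question, the answer, or the site in question), here is a constructed Python model of the answer's first two points: a service that truncates to 20 characters before password-hashing, and a seamless upgrade of the legacy record on the user's next login. Nothing stored is plaintext, yet the truncated password verifies and a typo past the 20th character goes unnoticed, exactly the observation the question describes; the record formats, round counts and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed scenario, not the site's real implementation: a legacy service
# silently kept only the first 20 characters of a password before hashing it,
# and later rewrote each record in a stronger format on the user's next login.
LIMIT = 20
LEGACY_ROUNDS = 10_000   # assumed legacy PBKDF2 cost
V2_ROUNDS = 200_000      # assumed current PBKDF2 cost

def pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def legacy_record(password: str) -> dict:
    """Legacy format: truncate to LIMIT, then hash. Only salt and digest are kept."""
    salt = os.urandom(16)
    return {"format": "legacy", "salt": salt,
            "hash": pbkdf2(password[:LIMIT], salt, LEGACY_ROUNDS)}

def v2_record(password: str) -> dict:
    """Current format: the limit is enforced up front instead of by truncation."""
    if len(password) > LIMIT:
        raise ValueError(f"password exceeds {LIMIT} characters")
    salt = os.urandom(16)
    return {"format": "v2", "salt": salt, "hash": pbkdf2(password, salt, V2_ROUNDS)}

def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest the way the record was made; no plaintext is compared."""
    if record["format"] == "legacy":
        digest = pbkdf2(candidate[:LIMIT], record["salt"], LEGACY_ROUNDS)
    else:
        if len(candidate) > LIMIT:
            return False  # enforced limit: over-long input is refused, not truncated
        digest = pbkdf2(candidate, record["salt"], V2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])

def login(record: dict, candidate: str):
    """Return (accepted, record); a legacy record is upgraded on successful login."""
    if not verify(record, candidate):
        return False, record
    if record["format"] == "legacy":
        # Only the first LIMIT characters ever mattered, so the upgraded record
        # is built from that prefix; the plaintext is discarded immediately.
        record = v2_record(candidate[:LIMIT])
    return True, record
```

The check the answer asks for is the third assertion below: with truncation in place, a wrong character after position 20 is still accepted, which is consistent with hashing and does not by itself show plaintext storage.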
