Sunday, April 30, 2017

Week 4 - Journal

One interesting ethical issue that I hadn't really thought of before is the legality of breaking and/or analyzing illegally obtained password dumps. Some criminal obtains a database containing an organization's user information, including usernames, emails, and passwords, and releases this information online. While the original database files are likely still out there, there are many websites that host only the hashed password portions, eliminating all other personal information.

The question I asked myself was whether even releasing the hashes is legal, even if it seems to be commonly accepted. I've seen many websites hosting the password lists, and there have been many discussions that involve them; even one of my scholarly articles analyzed them for trends in password use. I didn't find any hard yes or no answers, but the ambiguity of many digital rights laws and the common acceptance and use of these lists indicate that there will likely be no legal trouble.

Because this sort of information is routinely leaked and helps to bolster the capabilities of password crackers worldwide, I think it would be a step backwards to prohibit its use for educational and professional purposes as well, especially if it can help produce stronger password authentication in the future. There are some websites that act as public services, such as haveibeenpwned, that take the username/email portion of these dumps and make it searchable, letting anyone check to see if their accounts have been compromised in the past.

The most important thing we can do with these password dumps is to use them to educate ourselves about password authentication today, and to analyze and address any weaknesses and technicalities they expose. Because of the seriousness of the problem, it is important that the IT community is made aware of any issues, and that we design and implement strong authentication systems in the future.
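As an added example of the defensive use of a dump described above (not code from the original post), the script below runs a policy-oriented analysis over a small constructed list of cracked passwords: how short they are, how many are digits only, and how much of the list a handful of common choices cover. It then builds a blocklist of the repeated entries and checks a candidate password against it using a hashed-prefix lookup modelled on the k-anonymity range scheme that breached-password services use; the prefix scheme, the sample passwords and the `min_count` threshold are assumptions for illustration, not something the post specifies.

```python
import hashlib
from collections import Counter

# Constructed sample of already-cracked passwords, standing in for a real dump.
# These are not real leaked records.
SAMPLE_DUMP = [
    "123456", "password", "123456", "qwerty", "Summer2017!", "123456",
    "password", "letmein", "iloveyou", "dragon", "P@ssw0rd", "Summer2017!",
]


def analyze(passwords):
    """Return statistics a policy author would want from a cracked list."""
    n = len(passwords)
    counts = Counter(passwords)
    lengths = [len(p) for p in passwords]
    top3 = counts.most_common(3)
    return {
        "total": n,
        "unique": len(counts),
        "top": top3,
        "avg_length": sum(lengths) / n,
        # share of passwords under 8 characters: argues for a length floor
        "short_share": sum(1 for length in lengths if length < 8) / n,
        # share that are digits only (dates, PINs): argues for a blocklist
        "digits_only_share": sum(1 for p in passwords if p.isdigit()) / n,
        # how much of the list the three most common choices account for
        "top3_coverage": sum(c for _, c in top3) / n,
    }


def build_blocklist(passwords, min_count=2):
    """SHA-1 digests (upper-case hex) of passwords seen at least min_count
    times; a registration form can reject these outright."""
    counts = Counter(passwords)
    return {
        hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
        for p, c in counts.items() if c >= min_count
    }


def is_compromised(candidate, blocklist):
    """Check a candidate against the blocklist by hash prefix.

    Assumed k-anonymity style: a client would send only the first five hex
    characters of the SHA-1 digest, receive every suffix in that range and
    compare locally. Here the 'range query' runs against the local set, so
    nothing about the candidate leaves this function.
    """
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_suffixes = {h[5:] for h in blocklist if h.startswith(prefix)}
    return suffix in range_suffixes


if __name__ == "__main__":
    stats = analyze(SAMPLE_DUMP)
    for key, value in stats.items():
        print(f"{key}: {value}")
    blocklist = build_blocklist(SAMPLE_DUMP)
    for pw in ("password", "qwerty", "correct horse battery staple"):
        print(f"{pw!r} compromised: {is_compromised(pw, blocklist)}")
```

Only the prefix lookup is needed at login or registration time; the statistics are for deciding what the policy should block in the first place, and the same functions work unchanged on a larger real list loaded from a file.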
