4

I'm gonna explain it exactly: Parents divorced, I have a laptop from mom, and a smartphone from my father (with subscription contract), with internet access, and hotspot capable. My question is: If i make hotspot on the phone (from my father), to share internet, is it legal to crack it's password using the laptop (from my mother), for penetration testing purpose?

I'm not exactly sure, and i don't wanna end up messing with the police. I'm just trying to see how long it takes to crack the phone's wifi password, to make it as secure as possible.

feetwet
  • 22,409
  • 13
  • 92
  • 189
Daniel
  • 41
  • 1
  • 2

1 Answers1

3

US law (18 U.S.C. § 1030) only addresses US government computers, computers used in a way that affects interstate commerce, and those of financial institutions. Turns out, cell phones and home computers affect interstate commerce. So the forbidden acts are delimited by expressions like "having knowingly accessed a computer without authorization or exceeding authorized access", "intentionally accesses a computer without authorization or exceeds authorized access" or "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value". Notice that the law is stated in terms of authorization to access, and not "cracking passwords". Similarly, 18 U.S. Code § 2701 uses phrases like "accesses without authorization". Each state has its own laws: in Washington, RCW 9A.52.110-130 identifies forbidden acts via phrases like "without authorization, intentionally gains access".

The closest I can find that comes to a law that might imaginably have some bearing on "password cracking" is 18 U.S. Code § 1029 which prohibits uses of "counterfeit access devices". An "access device" is defined in para (e) as "any ...means of account access that can be used, alone or in conjunction with another access device, to obtain money..." (there is the usual attempt at an exhaustive listing behind the ellipses). A password cracker would then be an access device since it along with a user interface to a system allows one to access the system and thus the internet of things. A counterfeit password cracker would be e.g. one manufactured by BlackhatHackersoft which passes itself off as one manufactured by WhitehatHackersoft.

However: 18 USC 1029 specifically says "knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices", and the intent that you describe is not to defraud. If you want a paid analysis by a professional, you can hire an attorney. My view is that if the police were to come after you, that would be an abuse of law, because the law does not prohibit taking reasonable steps to select a safe password (something like "CorrectHorseBatteryStaple", which I hear is now just behind "password" in use as a password).

user6726
  • 217,973
  • 11
  • 354
  • 589