10

I remember some password managers like Google's would give me a warning about passwords that have been compromised.

My question is this: how is Google or any company able to see that the password I have chosen matches one that has been compromised?

My first thought on this is that they must have gotten it from one of two places. Either they themselves would do what a hacker would do and download a bunch of files with bulk information they could try for like 10 million account combinations. They could get this from where it would be seen first, aka the dark web, or they get the bulk passwords from the company that says it's been hacked and releases whose information was compromised. I am not sure though and would like to invite other opinions on how they are able to legally obtain the hacked data. Assuming they have some sort of contract with the government that says "I promise not to do anything bad with this information."

In general there must be some way to get like a permit to explore on the dark web in order to get information on the latest hacks. Seems like the quickest way to counteract hacks.

SQB
devin

3 Answers

22

Most of the question has nothing to do with the law, it's about technical how-to or how-does, which should be asked in Information Security SE. There are two possible legal questions: is it legal to break into a computer system and take a database of passwords, and is it legal to acquire such a database obtained by someone else. As should be known in the US, per 18 USC 1030, breaking into a computer is illegal in the US. Given that, it is extremely unlikely that Google illegally breaks into other computer systems to obtain passwords.

The aforementioned law criminalizes accessing computers without authorization, not (just) "taking" stuff from computers without authorization. The law does not criminalize receipt of illegally obtained material. Passwords are not protected by copyright. If Google were to induce someone to break into a computer system to get passwords, that would be legally actionable, however there is no law penalizing innocent receipt of illegally-obtained passwords (insofar as they are not protected by copyright).

It is not illegal to access the dark web, at least in the US (probably it is illegal in Saudi Arabia). Using stuff gotten from the dark web can easily be illegal (e.g. logging in to someone's bank account, or forging a passport). There are many services which monitor the dark web and report breaches, which is totally legal.

quarague
user6726
3

Many jurisdictions have laws against obtaining or possessing computer software, data, and equipment if you intend to use them for nefarious purposes. In England and Wales the main legislation is the Computer Misuse Act 1990 (with various amendments, principally the Serious Crime Act 2015). Section 5A of the 1990 act, amended by the SCA 2015, prohibits obtaining data or programs with the intention of unauthorised access or impairment of the operation of a computer system (e.g. damage or denial of service).

Hence, obtaining password lists with the intent of unauthorised access would violate the law, but obtaining with a legitimate purpose would not necessarily be illegal.

However, if you possess personal data including passwords you would still have to follow various data protection laws. The General Data Protection Regulation (GDPR) would seem to require you to have the data for a legitimate purpose, for your possession of the data to be necessary for the purpose, and for you to take necessary steps to secure the data.

In practice, there may be cooperation between private computer security companies and law enforcement or other government agencies (e.g. GCHQ in the UK, CISA in the US), to set acceptable limits and codes of practice, but that is outside the scope of this board, and probably more for a computer security forum.

Stuart F
1

No, there is no contract or special permission to use compromised account data; some breach alert services are run by individuals. The promise "not to do anything bad with this information" implicitly applies to everyone. If Google (or anyone else) starts misusing account data, someone will discover this and sue.

Obtaining such data is not illegal by itself. Distributing it on the other hand is definitely illegal: it would be either private data distribution without permission or facilitating computer breaches if password information is included. Note how such services never give you the option to download the entire database they are using, and don't allow you to see the compromised password corresponding to the login and vice versa.

Furthermore, keeping such data is subject to regulations. For instance, haveibeenpwned provides a way to request your personal data to be removed, most likely to fulfill the GDPR requirements.

Dmitry Grigoryev
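As an added illustration of the design the answer above describes (a service that lets you check a password against a breach corpus without ever handing out the corpus itself, and without tying a password to a login), here is the k-anonymity range scheme that Have I Been Pwned's Pwned Passwords API uses, simulated offline in Python. This is example code, not code from the post or from any of the services named. The breach corpus and its occurrence counts are constructed sample values, and the function names `server_range_lookup` and `client_check_password` are this example's own choices.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for the breach corpus held only by the checking service:
# SHA-1 digests (uppercase hex) of a few notoriously weak passwords, each with a
# made-up occurrence count. Not real breach data.
COMPROMISED: Dict[str, int] = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in [
        ("password", 3_000_000),
        ("123456", 9_000_000),
        ("letmein", 150_000),
    ]
}

HEX_DIGITS = set("0123456789ABCDEF")


def server_range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Service side of the exchange.

    The caller sends only the first 5 hex digits of a SHA-1 digest. The service
    answers with every stored hash that shares that prefix, as (suffix, count)
    pairs. It never learns the full hash, let alone the plaintext, and the caller
    only ever receives one small slice of the corpus rather than the database.
    (In the real API a 5-digit prefix matches several hundred entries, which is
    what gives the scheme its anonymity; this toy corpus is far too small for that.)
    """
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex digits")
    return [(digest[5:], count) for digest, count in COMPROMISED.items()
            if digest.startswith(prefix)]


def client_check_password(password: str) -> int:
    """Client side of the exchange.

    Hash locally, send only the 5-character prefix over the wire, then compare the
    remaining 35 characters against the returned suffixes locally. Returns the
    occurrence count if the password is in the corpus, otherwise 0. The plaintext
    password never leaves this function.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in server_range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    for candidate in ("password", "letmein", "a long unique passphrase 7713"):
        seen = client_check_password(candidate)
        verdict = f"seen {seen:,} times in breaches" if seen else "not found in corpus"
        print(f"{candidate!r}: {verdict}")
```

The two properties the answer points out fall straight out of this split: the client cannot enumerate the corpus because each query returns only the hashes behind one prefix, and the service stores password hashes with no login attached, so there is nothing to "look up the password for a given account" against.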