
Regardless of how the password was obtained (decryption, bad hashing, confession):

  • Are there any prior known cases where the contents of the password was used to prove motive or guilt?

Or, looking at it from the perspective of an ISP doing anti-fraud checks: suppose 2 accounts have the same password hash; assume they also chose a very complex password, so any collision is unlikely to occur by chance.

Then the secondary account does something bad.

  • Is it conceivable that the other account would be investigated just because of the similar hash?
  • If the hash was unique enough could it be considered culpable by association?
makerofthings7
  • Related [Is there any legal reason to save a cleartext password?](http://security.stackexchange.com/q/5865/396) – makerofthings7 Oct 23 '14 at 17:21
  • A nit, but if that entity can distinguish two people having the same password, they sorely need to replace their password hashing algorithm. – Stephen Touset Oct 23 '14 at 17:30
  • @StephenTouset One step further, if you can infer anything about one password based on another password's hash, they sorely need to replace their password hashing scheme. – RoraΖ Oct 23 '14 at 17:39
  • If you use "I fought the law" as your password, you can only ever expect that the law will win. – gowenfawr Oct 23 '14 at 18:11

2 Answers


Technically this could happen, although I couldn't find any recorded cases.

Under key disclosure law, several countries can obtain your decryption keys; if those keys were incriminating or a confession, there is nothing barring them from using them against you in court.

In the US, the 4th (edited as per comment!! my bad.) amendment protects you from giving up an encryption key until it is ruled you have to by judge and jury. If the key is obtained before the ruling it can be thrown out and not used against you.

As for the identical hash thing - if you have identical hashes - your password scheme sucks and can be easily cracked with a rainbow table or john the ripper. If the password is cracked/guessed and contains incriminating evidence it can be used against you or the FBI will not hesitate to boast that they guessed it and did not require a ruling.

essefbx
  • _In the US, the 5th amendment protects you from giving up an encryption key until it is ruled you have to by judge and jury. If the key is obtained before the ruling it can be thrown out and not used against you._ Unless you reveal it willingly, of course. – user2752467 Dec 14 '14 at 21:53
  • Touché. I've heard of lots of cases where intimidation and flat out lies were used to get people to give up their phone pins and passwords. – essefbx Mar 25 '15 at 17:03
  • That certainly happens, and it would be up to a judge to determine if the police crossed a line (and specific laws will vary by jurisdiction). Police in the United States are generally allowed to lie about what rights you do and don't have, though. Also, now that I think about it, it's the Fourth Amendment you're thinking about, not the Fifth. – user2752467 Mar 27 '15 at 00:28

Not the perfect answer but here is one case that I wanted to share. I know one case which I don't believe is published which had great media attention. This was the case of Tyler Clementi (the gay teen who committed suicide). In this case Dharun Ravi was indicted on a few counts.

During the media frenzy and the trial by media there were instances where Dharun's password was reported as an indication of his personality (his password, as in news reports, was "DHARUNISAWESOME").

So while I am not sure if it actually was discussed in court or if it in any way directly affected the judgement as one of the facts in the case, it did receive a lot of attention in the media.

Regarding the hash - that seems a bit far-fetched - here it would require:

  1. No salt used - since if salt is used the hashes for the same password will be different.
  2. Investigators must have a bunch of hashes that can be compared.
  3. And if you can associate similar words in an unsalted hash that would also mean that is a poor hashing scheme.

So all in all I feel it is unlikely that password hashes themselves (by comparing) could be used against someone, as that would involve too many other factors to consider.

Y123
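As an added illustration of point 1 in the answer above (this is not code from the original post or from any participant): two accounts that share a password collide under a bare, unsalted hash, which is what would let anyone holding the hash table link them, while a per-user random salt makes the stored values differ even for identical passwords. The account list and the PBKDF2 iteration count are constructed values for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them happen to share a password.
ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase entirely",
}
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the demo)


def unsalted_hash(password):
    """Bare SHA-256: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-user salt, stored as 'salt$digest'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$")[1], dk_hex)


def linked_accounts(records):
    """Sorted pairs of users whose stored hash strings are identical:
    the 'association by matching hash' the thread discusses."""
    by_hash = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    pairs = []
    for users in by_hash.values():
        users.sort()
        pairs += [(a, b) for i, a in enumerate(users) for b in users[i + 1:]]
    return sorted(pairs)


def unsalted_store(accounts=ACCOUNTS):
    """Hash table as a no-salt scheme would store it."""
    return {u: unsalted_hash(p) for u, p in accounts.items()}


def salted_store(accounts=ACCOUNTS):
    """Hash table with a fresh 16-byte random salt per account."""
    return {u: salted_hash(p, os.urandom(16)) for u, p in accounts.items()}
```

With the unsalted store, `linked_accounts` reports alice and bob as a pair; with the salted store it reports nothing, even though both still verify against the same password.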