by louloulou 1162 days ago
"Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world."

-- excerpt from A Cypherpunk's Manifesto, Eric Hughes, March 9, 1993

2 comments

> March 9, 1993

It's funny (not haha-funny) how political policy in 2023 is still trying to catch up to morality understood 30 years ago. I remember being annoyed at newscasters abusing the term "hackers" in the late 90s and extremely broad definitions of "hacking" being applied in court rulings. It must still be really difficult to comprehend tech and the consequences of these kinds of policies for policy makers. Either that or policy makers really are maleficent towards life, liberty and the pursuit of happiness.

Oh, politics understands that alright, don't you worry about that. Politicians are the enemies of privacy for the masses, because a transparent population is a population that is more easily controlled and manipulated.

That's also why terms are being used deliberately incorrectly, to move legitimate positions nearer to criminal activity. Just ask anyone interested in hobbyist chemistry.

By that definition I would say secrecy is also necessary for an open society. For example, my bank password is something I don’t want anyone to know.

I agree, but I don't think that's a good example. The only reason for the existence of a bank password is to enable private interactions between yourself and the bank (and the government through their financial surveillance).

A better example would be encryption keys.

I agree with that. And, using your example, automated encryption key schemes, for example HTTPS.

In practice your bank password is indeed a secret, and that's a bad thing, because that above definition is wrong, which is why I prefer to think about the U2 lyric (from "The Fly"):

"They say a Secret is something you tell one other person, so I'm telling you, child".

The bank knows your password. Which means they (or more precisely their agents, employees, etc.) can lose it yet they'll probably try to blame you.

It is possible to not have this happen via what's called an Augmented PAKE - the bank wouldn't know your password, but they'd be able to check you still remembered it - however almost certainly none of the systems you use today do this.

> The bank knows your password. Which means they (or more precisely their agents, employees, etc.) can lose it yet they'll probably try to blame you.

Normally banks can't and shouldn't know the password in most jurisdictions. It does pass to their server, but they're supposed to only store a hash of it, so they're not able to know what it is.

But if anybody makes this BS argument, just ask them for the credit card number and the 3 digits on the back of the card, telling them you will post it online.

Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?

Of course leaking the hash of my password might make it easier to crack, to some extent, but if they've done a good job then this is much better than it being something the bank can trivially lose.

> Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?

Putting aside the banks who literally do store the password because they have security procedures like "Please enter the first and fifth characters of your password", even those that do store a password hash still need you to submit your password to authenticate.

So, like the lyric says, you tell the bank your password. You hope they just use it to authenticate you and immediately discard it, but if bank security lapses are anything to go by they're probably logging it "for security" and there are definitely employees able to snoop the decrypted plaintext passwords from customers on some internal teams.

That is what Augmented PAKEs fix, it's really hard to do well, and of course banks see themselves as infinitely trustworthy so why would they bother.

This mistaken sense of self-worth applies to your credit card PIN by the way also, of course banks and thus bank employees can know your PIN, which means when a purchase is "secured" by the PIN that rules out some local pickpocket having made the purchase, but as well as you it leaves open the possibility that it was a bank employee or their co-conspirator.

> Don't they usually store a hash of it?

Any bank that restricts which characters one can include in a password probably doesn't store a hash of it.

This is completely false. You validate any password requirements before salting and hashing the password and then store the salt and hash. Even if you restrict usage of previous passwords, you are just comparing hashes.

If the bank is indeed salting and hashing the password, then what's the rationale of allowing certain special characters like '!', but not '+'? Hashing and salting should be character agnostic.

Except you are giving them the password and trusting them to discard it after validating it. If it's purely client side, then the bank is trusting you to follow the password requirements which is also out of the question.
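
The server-side flow debated in the sub-thread above (check character rules on the plaintext, then salt and hash, and compare hashes for the reuse check), as an added example that is not part of any comment and not any bank's code. The `Account` class, the policy, the PBKDF2 work factor and the sample passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000             # PBKDF2 work factor (assumed value; tune for your hardware)
ALLOWED_SPECIALS = set("!@#$%")  # constructed policy: '!' allowed, '+' rejected


def policy_ok(password: str) -> bool:
    """Character rules are checked on the plaintext, before any hashing."""
    return len(password) >= 12 and all(
        c.isalnum() or c in ALLOWED_SPECIALS for c in password
    )


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    def __init__(self):
        self.current = None   # (salt, hash); the plaintext is never stored
        self.previous = []    # older (salt, hash) pairs kept for the reuse check

    def _matches(self, password, record):
        salt, digest = record
        # Re-derive with the stored salt and compare in constant time.
        return hmac.compare_digest(_derive(password, salt), digest)

    def set_password(self, password: str) -> str:
        if not policy_ok(password):
            return "rejected: policy"
        records = self.previous + ([self.current] if self.current else [])
        if any(self._matches(password, r) for r in records):
            return "rejected: reused"
        if self.current:
            self.previous.append(self.current)
        salt = os.urandom(16)  # fresh random salt per stored password
        self.current = (salt, _derive(password, salt))
        return "ok"

    def verify(self, password: str) -> bool:
        return self.current is not None and self._matches(password, self.current)
```

Every method here receives the plaintext password as an argument, so storing only a salt and hash does not remove the need to trust the server with the password at submission time.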