Is there any legal reason to save a cleartext password?

The only instance where I can think of the FCC requiring that a password be clear is related to amateur radio, and even that isn't truly the case.

In six years at an audit firm, and in everything I've ever read, including a lot of court briefings, I've never heard anything that hints that such madness is actually justified anywhere.

It's not uncommon for CSRs to do a bit of social engineering. Their job is often much easier if they say it's required by something outside their company.


The BBC has an article on huge companies challenging the French government over a new law requiring them to hand over passwords to law enforcement on demand.

The government later claimed that it is sufficient to provide other credentials allowing access to the account in question. (Sorry, I cannot find an English source for this right now without spending more time on it.)

It is common for internet service providers to store passwords in clear text, as I explained in this answer, for the technical reason of supporting old protocols.


I don't know. I confess my first guess would be baloney or misunderstanding of the law.

In my experience, it is not uncommon for companies with dumb policies to blame those policies on security or on the federal government. Sometimes folks are acting in good faith and are just confused about what the law or security actually requires. Sometimes it is a calculated excuse to make customers shut up and deflect complaints.

(You can even see this on airplanes, where airplane attendants will tell you to do all sorts of things in the name of security (e.g., "for security, only use the lavatory in your ticketed cabin"), when there is actually no government regulation or reasonable security justification requiring that.)

Of course, there could actually be some stupid regulation requiring this -- but I'm pretty skeptical.

I would try to get a citation to the specific law or regulation (not just "it has to do with CPNI"). You could also try asking for the name of the government agency that they claim issues those regulations, then call up that agency to ask them point-blank if that's something they require and ask them for a citation and a copy of the regulation. In my experience, if I'm able to look at the actual regulation, it's not unusual to find that it doesn't actually require what people think or say it does.