Passwords are by their nature unverifiable by eye-witness testimony. If a person had a password that they were obligated by law not to divulge, and it were stolen, they would not be able to prove what it had been.
Password theft is currently a crime in some jurisdictions, but it might not be clear who should be prosecuted – the thief or the negligent owner? What would be criminal negligence? A Government clearance password would be theoretically no different than a minor’s Facebook password. Boyfriends and wives or injured lovers might steal a password with different intentions than a corporate competitor or spy. Even two persons at a single corporation would differ from an industrial competitor.
Leaving aside the context of the abuse, the provenance of a single password might be impossible to verify. Taking a cue from anti-virus programs, the legitimate owner could be asked to stop access, in a quarantine move, if a password came to be in question. Another login with the legitimate password would not indemnify the user against collusion charges, but any change of the password by an unauthorized user would be an action that could be prosecuted from a different theoretical perspective.
Feedback would assist this as a discussion. Would a law that makes changing the password illegal ever catch anyone? Is there some unforeseen way that this could convict the innocent?
Updated 06/06 – Arguably the ability to “own” a password is the ability to change it. If you cannot change it, you do not own the password, and if you change someone else’s, it has become stolen. They no longer “have” their password, and they cannot change it back.
Updated 09/20 – An RSA Public Key might not be subject to the idea of theft. However, the associated Private Key can theoretically be duplicated, which suffices to steal it. In practice this is difficult to do. For legal purposes, it cannot be done by accident. Under the condition that someone has “stolen” my Private Key, my remedy is to use a revocation certificate to revoke my Key-Pair. If an attacker duplicates my revocation certificate and revokes my Key-Pair against my wishes, that is a different offense than duplicating the private key and reading my private messages. While this parallels the discussion above, it is not resolved with the same degree of satisfaction.