Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 5 Jun 2018 08:30:08 -0800
From: Royce Williams <royce@...ho.org>
To: passwords@...ts.openwall.com
Subject: Re: GDPR

On Tue, Jun 5, 2018 at 8:24 AM Royce Williams <royce@...ho.org> wrote:

> On Tue, Jun 5, 2018 at 8:12 AM Royce Williams <royce@...hsolvency.com>
> wrote:
>
>> On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org>
>> wrote:
>>
>>> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>>>
>>> > GDPR very explicitly limits the "protected" category of "personal" info
>>> > to the data that can IDENTIFY a user.
>>> > A password can not identify you.
>>> > Therefore, GDPR does not prohibit password stealing
>>> > […]
>>> > That's all you need to know about your government.
>>>
>>> The GDPR also doesn’t prohibit murder. I do not consider that a problem
>>> with the GPDR.
>>>
>>
>> Also, due to users' (understandable) expectation of the privacy of a
>> password, passwords often contain highly personal information - even
>> including SSNs, DOBs, etc
>>
>> Also, since passwords can be unique and yet also shared across multiple
>> sites, being able to show that user@...mple.com has the same unique
>> passwords on two different websites is strong circumstantial evidence that
>> they're the same user.
>>
>> IANAL, but I think it's arguable that proper password storage (or lack
>> thereof) could be in scope. GDPR's mission is clearly intended to incent
>> data stewards to protect user data for which the misuse or compromise of
>> which could harm individual persons.
>>
>
> And by extension ... if any field or system allows entry of arbitrary
> text  - comment fields, password fields, etc - by the end user (or, for
> that matter, employees) ... then individuals acting outside of the intent
> of the design of the system can arbitrarily bring a system into scope.
>
> For those of us who have dealt with PCI, SOx, etc. ... if the customer
> service agent starts putting credit-card numbers into the comments field ..
> guess what? That's in scope.
>
> I think passwords are similarly positioned.
>

Also ...

In the case of passwords, if they're properly stored, the data steward
doesn't really know what's in them.  But they *could* have SSNs, email
addresses, DOBs, etc. in them (and very often do).

So I would expect any data steward worth their salt to err on the side of
caution, and *assume* that what's in there is sensitive enough to warrant
GDPR-level handling.

And honestly, that's the level of handling that it requires even if it's
*not* within GDPR's scope, IMO.

Royce

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.