Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 5 Jun 2018 08:12:40 -0800
From: Royce Williams <>
Subject: Re: GDPR

On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <>

> On Jun 5, 2018, at 1:04 AM, wrote:
> > GDPR very explicitly limits the "protected" category of "personal" info
> > to the data that can IDENTIFY a user.
> > A password can not identify you.
> > Therefore, GDPR does not prohibit password stealing
> > […]
> > That's all you need to know about your government.
> The GDPR also doesn’t prohibit murder. I do not consider that a problem
> with the GPDR.

Also, due to users' (understandable) expectation of the privacy of a
password, passwords often contain highly personal information - even
including SSNs, DOBs, etc

Also, since passwords can be unique and yet also shared across multiple
sites, being able to show that has the same unique
passwords on two different websites is strong circumstantial evidence that
they're the same user.

IANAL, but I think it's arguable that proper password storage (or lack
thereof) could be in scope. GDPR's mission is clearly intended to incent
data stewards to protect user data for which the misuse or compromise of
which could harm individual persons.


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.