Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 5 Jun 2018 08:24:44 -0800
From: Royce Williams <royce@...ho.org>
To: passwords@...ts.openwall.com
Subject: Re: GDPR

On Tue, Jun 5, 2018 at 8:12 AM Royce Williams <royce@...hsolvency.com>
wrote:

> On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org>
> wrote:
>
>> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>>
>> > GDPR very explicitly limits the "protected" category of "personal" info
>> > to the data that can IDENTIFY a user.
>> > A password can not identify you.
>> > Therefore, GDPR does not prohibit password stealing
>> > […]
>> > That's all you need to know about your government.
>>
>> The GDPR also doesn’t prohibit murder. I do not consider that a problem
>> with the GPDR.
>>
>
> Also, due to users' (understandable) expectation of the privacy of a
> password, passwords often contain highly personal information - even
> including SSNs, DOBs, etc
>
> Also, since passwords can be unique and yet also shared across multiple
> sites, being able to show that user@...mple.com has the same unique
> passwords on two different websites is strong circumstantial evidence that
> they're the same user.
>
> IANAL, but I think it's arguable that proper password storage (or lack
> thereof) could be in scope. GDPR's mission is clearly intended to incent
> data stewards to protect user data for which the misuse or compromise of
> which could harm individual persons.
>

And by extension ... if any field or system allows entry of arbitrary text
- comment fields, password fields, etc - by the end user (or, for that
matter, employees) ... then individuals acting outside of the intent of the
design of the system can arbitrarily bring a system into scope.

For those of us who have dealt with PCI, SOx, etc. ... if the customer
service agent starts putting credit-card numbers into the comments field ..
guess what? That's in scope.

I think passwords are similarly positioned.

Royce

Content of type "text/html" skipped

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.