Date: Tue, 5 Jun 2018 08:24:44 -0800
From: Royce Williams <royce@...ho.org>
To: passwords@...ts.openwall.com
Subject: Re: GDPR

On Tue, Jun 5, 2018 at 8:12 AM Royce Williams <royce@...hsolvency.com> wrote:

> On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org>
> wrote:
>
>> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>>
>> > GDPR very explicitly limits the "protected" category of "personal" info
>> > to the data that can IDENTIFY a user.
>> > A password cannot identify you.
>> > Therefore, GDPR does not prohibit password stealing
>> > […]
>> > That's all you need to know about your government.
>>
>> The GDPR also doesn't prohibit murder. I do not consider that a problem
>> with the GDPR.
>>
>
> Also, due to users' (understandable) expectation of the privacy of a
> password, passwords often contain highly personal information - even
> including SSNs, DOBs, etc.
>
> Also, since passwords can be unique and yet also shared across multiple
> sites, being able to show that user@...mple.com has the same unique
> password on two different websites is strong circumstantial evidence that
> they're the same user.
>
> IANAL, but I think it's arguable that proper password storage (or lack
> thereof) could be in scope. GDPR's mission is clearly intended to incent
> data stewards to protect user data the misuse or compromise of which
> could harm individual persons.

And by extension ... if any field or system allows entry of arbitrary text
- comment fields, password fields, etc. - by the end user (or, for that
matter, employees) ... then individuals acting outside of the intent of the
design of the system can arbitrarily bring a system into scope.

For those of us who have dealt with PCI, SOX, etc. ... if the customer
service agent starts putting credit-card numbers into the comments field
... guess what? That's in scope.

I think passwords are similarly positioned.

Royce