5

Is one required to hash passwords by law in the US or elsewhere? If not required by law, are there legal ramifications if unhashed passwords are stolen?

If not required in the US, but required in the EU, can one legally do business in the EU without hashing passwords?

Mike Samuel
  • 3,873
  • 18
  • 25
MikeNereson
  • 150
  • 5
  • The answers given suggest this is geography and domain specific. – MikeNereson Nov 01 '11 at 17:05
  • "If not required in the US, but required in the EU, can one legally do business in the EU without hashing passwords?" IMO, one can legally have most businesses in any country without passwords at all. I feel that this question is too vague to guess what it asks about and in which contexts. Hashing is an implementation detail (of something which was not even formulated in the question). I shall be highly surprised if any laws would have stipulated technical details of implementation and realization of any principles. – Gennady Vanin Геннадий Ванин Nov 03 '11 at 11:06

5 Answers

4

I think it's required by different security/governance standards, like PCI, NIST, and SOX.

So if you store your passwords in the clear you may not pass these certifications, and as a result you may end up in court.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
AaronS
  • 2,575
  • 5
  • 22
  • 26
  • This answer could be improved (or proven incorrect) by looking up these security standards and quoting the relevant sections. Can you please do that? Educated but plausible guesses are a good way to inadvertently spread misinformation... or so I have heard. – Philipp Oct 19 '17 at 11:14
3

It depends on what you are protecting. If it is personally sensitive info, credit card info or similar, then you must protect it appropriately. Storing passwords in the clear would not be appropriate in these cases!

Credit card protection requirements are global (PCI-DSS), and data protection laws exist in Europe, the USA and other regions, e.g. the DPA 1998 in the UK. In the US, the Gramm-Leach-Bliley Act protects personal financial information; the Fair Credit Reporting Act protects credit history information; the Health Insurance Portability and Accountability Act protects health information.

Also, have a read of Thomas Pornin's blog post on this - Why passwords should be hashed - this will give a greater insight.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
3

Unless you have a very specific requirement to not hash them, hash them; it's simple and covers your behind if anything does happen where that data could be leaked. There are fairly simple implementations that make it take an unreasonable amount of time to crack a table of passwords, let alone a stupid amount of time to crack one.

Generally: you won't get in trouble for not hashing them, you will get in trouble if it gets leaked.

StrangeWill
  • 1,593
  • 8
  • 13
2

If not required by law, are there legal ramifications if unhashed passwords are stolen?

That statement is something of an oxymoron.

IME (IANAL) almost every country has a legal concept of duty of care. So even in the absence of specific legislation regarding passwords, you are liable for management of all data you store. This does however move the issue from criminal to civil law (where such distinctions apply).

symcbean
  • 18,418
  • 40
  • 74
0

There is nothing in the laws on hashing passwords.

The only requirement is retention of passwords or data permitting to check or change them.

Update:
Hashing is an implementation detail (of something which was not even formulated in the question).

I definitely shall be highly surprised if any law would have stipulated technical details of implementation and realization of any principles.

Update2:
"Is there any legal reason to save a cleartext password?" here, on the same board, discusses the US FCC requirement to store passwords in clear text