Is it legal to save user passwords in clear text? How can I convince my client to avoid it? [closed]

Solution 1:

I don't think you will find any one all-encompassing law that applies everywhere, and I don't think you will find anything that describes specifically how to store a password.

There are a large number of standards related to security issues in particular fields and types of services. Most of these standards include some information about how authentication credentials are supposed to be stored and kept secure. Failure to follow these standards can lead to legal problems.

  • Banking (PCI)
  • Health (HIPAA)
  • Schools (FERPA)

Solution 2:

The prime directive in the EU is known as the "Data Protection Directive". Member states implement their own laws that are expected to be consistent with the directive. It is similar to the PCI standard in that it is vague and verbose. However, there are seven general principles that are mostly common sense. The one that may be of interest to you is #4:

Security—collected data should be kept secure from any potential abuses;

And Article 17:

Article 17 - Security of processing

  1. "Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

"Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." ... (remainder elided).

http://en.wikipedia.org/wiki/Data_Protection_Directive

EU site: (good luck navigating this)

http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

I don't think the practice of storing passwords in clear text would be acceptable in the EU, because: implementing a password hash is trivial and does not increase costs; this is contrary to generally-accepted security best practices; and it would almost certainly fail an external audit, as there is the potential for abuse if the passwords were disclosed, and you have no way of validating the person using the password is who they claim to be (i.e., you only use passwords for authentication and no second factor).

To facilitate commerce, the US and the EU have a "safe harbor" agreement that allows US companies to collect data from EU citizens, as long as they "self-certify" with the US Department of Commerce that they comply with seven principles.

The EU-US Safe Harbor Does Not Protect US Companies with Unsafe Privacy Practices:

http://writ.news.findlaw.com/ramasastry/20091117.html

Solution 3:

IANAL, but I don't think there is any law saying you have to. It could also vary a lot depending on what type of data it is. It is very poor practice and a security risk.

Be very careful with legal questions on these sites. You have no idea who really knows law and who does not. With any major issues depending on your organization, you should consult a real lawyer concerning these issues.

Solution 4:

I've just finished reading an IDC White Paper which had some interesting viewpoints on user detail storage within the EU.

Solution 5:

What you can and can't do with employees' data varies from state to state in the US. For instance, CMR 17 in Massachusetts puts a bunch of constraints on how you handle employee data. This law was put in place to help reduce ID theft.

The problem with passwords, especially when dealing with people who don't know or care to know much about security, is that they will often use the same password for all their accounts. So any publication or leak of those could put those people or the business at risk.