24

People often use personal information to create them, like first name / date of birth, and people often reuse passwords across several sites, so I guess passwords are considered personal data since they could identify their owner.

If a website doesn't follow best practices regarding password hashing, it could make the whole hashing process basically useless, so I guess password hashes are also considered personal data.

With GDPR, can I request a copy of my password hash?

Benoit Esnard
  • 341
  • 3
  • 8
  • 4
    IANAL but there is a big difference between a place/date of birth, which you cannot choose, and a password, which you should randomly generate. The former kind of information is intrinsically identifying you. The latter only tangentially by using it multiple times. I.e. I don't think that your premise holds at all. Just because the rows in a DB have an id column identifying your record does not mean that is personal data and that you have the right to know it or modify/delete it. It's an internal identifier only. – Bakuriu May 28 '18 at 20:27
  • 2
    To be pedantic, IANAL and for sure I am not a GDPR expert, but I am 99.99999% sure that GDPR does not prohibit you from requesting a copy of your password hash. I suspect you meant does GDPR require that your request be fulfilled. I don't think so. I think they could not respond, respond with your password hash, or respond with random rubbish at their discretion and be within compliance. – emory May 29 '18 at 00:15
  • 2
    A correctly hashed password does not uniquely identify a person, as multiple passwords can yield the same hash, even if the passwords are different. This single fact makes the whole question moot. For some unknown reason my previous (upvoted) comment to this effect was removed. Please don't. It's relevant. – user207421 May 30 '18 at 00:17

2 Answers

16

First of all, a password is not personal data.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From GDPR Article 4 (https://gdpr-info.eu)

As for password hashes, what do you mean by requesting a copy of yours? You can produce it if you know the hashing algorithm of the website.

By the way, websites should be using good hashing algorithms, such as bcrypt or scrypt, not MD5 or SHA1.

Steve Woods
  • 419
  • 2
  • 13
  • "what do you mean by requesting a copy of yours? You can produce it" Could you clarify how this is different from requesting other data that they store about me after I supplied it (e.g. my date of birth)? They must provide that despite my already knowing it, so why would they not have to give me my password data? I also don't understand this statement: "a password is not personal data". The section you cite seems contradictory since my password is a binary number that identifies my natural person (unless they show others have the same password). Clarification would be greatly appreciated! – Luc Mar 17 '21 at 15:06
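An added example, not code from the original answer or its comments, illustrating the two technical claims in the answer above: that a user could "produce" their own hash if they knew the algorithm, and that sites should use bcrypt or scrypt rather than MD5 or SHA1. The first claim only holds for unsalted, deterministic hashes such as MD5; a properly salted scrypt record cannot be reproduced from the algorithm and password alone, because the per-record random salt (and the cost parameters) live in the stored record. The password and the storage format `scrypt$n$r$p$salt$digest` are constructed for the demonstration, and the block assumes a Python build whose `hashlib` has scrypt support (OpenSSL 1.1 or newer).

```python
"""Added example (not from the original thread): reproducible unsalted MD5
versus a salted scrypt record, and what a user can or cannot recompute.

Assumes CPython's hashlib was built with scrypt support (OpenSSL >= 1.1)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (never use a real one here).
PASSWORD = "correct horse battery staple"


def md5_hash(password: str) -> str:
    """Unsalted MD5 as a legacy site might store it.

    Anyone who knows the algorithm can recompute the stored value from the
    password alone; the same property is what makes it trivially crackable."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None,
                n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Salted scrypt, stored as 'scrypt$n$r$p$salt$digest' (constructed format).

    A fresh 16-byte random salt per record means two enrolments of the same
    password produce different stored values. n=2**14, r=8 uses 16 MiB."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    return "scrypt${}${}${}${}${}".format(n, r, p, salt.hex(), digest.hex())


def verify_scrypt(password: str, stored: str) -> bool:
    """Verify a password against a stored record.

    The salt and cost parameters are read back from the record itself, which is
    exactly the information a user who only knows 'the algorithm' lacks."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme: " + scheme)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so verification does not leak digest prefixes.
    return hmac.compare_digest(digest.hex(), digest_hex)


def reproducible_from_algorithm_alone(hash_fn) -> bool:
    """True if two independent computations over the same password agree,
    i.e. knowing the algorithm and the password is enough to recreate the
    stored value (no per-record random salt)."""
    return hash_fn(PASSWORD) == hash_fn(PASSWORD)


if __name__ == "__main__":
    print("MD5 reproducible from algorithm alone:",
          reproducible_from_algorithm_alone(md5_hash))      # True
    print("scrypt reproducible from algorithm alone:",
          reproducible_from_algorithm_alone(scrypt_hash))   # False
    record = scrypt_hash(PASSWORD)
    print("stored record:", record)
    print("verify correct password:", verify_scrypt(PASSWORD, record))
    print("verify wrong password:", verify_scrypt("hunter2", record))
```

Run it and the MD5 value is identical on every call, while each scrypt record differs and can only be checked by reading the salt and parameters back out of the stored record. That is the practical reason "just compute it yourself" does not substitute for a copy of what the site actually holds, and also why a site that stores unsalted MD5 has little to disclose that an attacker with the database could not already brute-force.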
13

The way I see it, any information that can be associated with an identified or identifiable person is personal information. So password hashes are personal information because they are definitely stored in the database in a way that is clearly associated to your email or other data that can identify you. However, I think there are two things to consider:

  • You wouldn't really be asking to see your personal data (it's a hash, you can't see the password), but actually how your personal data is stored. You probably have no right to know the details about how they store your data exactly, except maybe an official statement where they claim to follow all the best security practices, or follow some standards, etc.
  • Sending the hash to you might actually invalidate their security policies, standards, or practices, because it doesn't sound like it's a great idea to communicate a password hash to a user. If it is securely stored and managed in their systems, why risk lowering their security by communicating the hash to a user?

For the above reasons I think the GDPR principle of "security of personal data" (section 2) is definitely more important than your right to see the hash for no reason.

reed
  • 1,838
  • 1
  • 11
  • 22
  • 5
    That's the problem with this overbearing regulation. As a small website owner, blogger, even an individual running a server, you have no realistic chance connecting the dots between an IPv4 address and an individual. Google, Facebook and other big corporations would be in the position to do that, along with nation states. But the regulation pretends that an IP can be (ab)used the same, no matter the context ... while at the same time failing to protect citizens from government overreach when it comes to personal data. – 0xC0000022L May 28 '18 at 14:39
  • 7
    @0xC0000022L. Whether GDPR is overbearing remains to be seen. We do not have any case-law yet. To my eyes, GDPR is almost identical to Directive 95/46/EC. We have 13 years of case-law for that, and the sky has not fallen. – Free Radical May 28 '18 at 14:44
  • @0xC0000022L, you could associate an IP with a user by looking up some specific paths in the logs that are only accessible to specific users. For example, the IP requesting a path like /users/JohnDoe/private-messages/123 is almost certainly JohnDoe. However you have the right to log IPs anyway, because AFAIK access logs are necessary for technical and security reasons. – reed May 28 '18 at 14:51
  • @reed: in such a scenario that's right. But considering a web service - say a forum - JohnDoe is probably anyway the pseudonymous handle the privacy conscious user chose to go with. So while I can tell that "John Doe" was using IP x.y.z.a, that's about it. The best I can do as small website owner is attempting a very very coarse geo-location of the IP. So Google, having metadata about Android usage as well as countless web searches and tracking will probably be able to find my real name and/or address through all kinds of cross-referencing the sheer amount of data they collect. – 0xC0000022L May 28 '18 at 14:59
  • No, the regulation specifically takes into account whether you're doing this kind of association or not; if you don't associate IP addresses with users, then they aren't actually personal data. – pjc50 May 28 '18 at 15:01
  • 1
    @pjc50: this isn't true EU-wide then. I happen to know that in Germany IP addresses have been considered personal data even prior to the passing of the GDPR in 2016. – 0xC0000022L May 28 '18 at 15:02
  • 5
    @0xC0000022L, you can do a lot of things with IP addresses. You can associate it with a nickname, which in turn is usually associated with an email, etc. You can track all pages visited in a session, the times, etc. You can geolocate it, and see any changes in the geolocation to try to guess where the user has moved. It is personal data. If you don't use that, it's ok, just say that IPs are logged for technical reasons. But if you do use it and process it along with other personal data, then it must be accepted by the user and written in your privacy policy. This is all off-topic here though. – reed May 28 '18 at 15:19
  • @0xC0000022L I'd be interested in a citation for that, even if it's in German; there's a real lack of clarity on this issue – pjc50 May 28 '18 at 15:59
  • @pjc50: latest ruling confirming that classification of IPs that I know of by the BGH is from May 2017, filed as VI ZR 135/13. It seems to come down roughly to what reed pointed out. If you have the means to map an IP to an individual, it falls into that classification. Alas, the means aren't limited to "legal means" (think an ISP being handed a warrant) per-se. So the disparity between big corporations and small website owners remains. – 0xC0000022L May 28 '18 at 16:28
  • 3
    @0xC0000022L Small website operators tend to be less careful / knowledgeable about security, increasing the risk of their databases falling into the hands of governments / criminal organizations. I'm no legal expert, but the argument that "They're too small to know what to do with the data anyway" should not exempt them from needing to handle it properly. – Mike Ounsworth May 28 '18 at 19:59
  • 3
    In 2016 the Court of Justice (EU) has judged that a dynamic ip address is considered personal data, see this press release: https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-10/cp160112en.pdf – wimh May 28 '18 at 20:11
  • @MikeOunsworth that's not at all my argument, though. – 0xC0000022L May 28 '18 at 20:53
  • If the user has only username + password and no other identification (name, address, etc.), is this hash still "personal data"? I think GDPR will have a revision soon. – i486 May 29 '18 at 10:47
  • I would dispute the fact that the password hash is personal information. Most information ultimately has a person as a source. That doesn't mean it's personal information. While data like name, height, weight, gender etc. is directly connected with your person, a password is just a piece of data you make up that has no connection with you as a person other than you as an originator. – Sefe May 29 '18 at 13:46
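An added example, not code from any participant in the thread above, showing the log-correlation technique reed describes in the comments: an IP address in an access log becomes linkable to an account once it requests a path that only that account can reach, such as `/users/JohnDoe/private-messages/123`. The log lines, IP addresses (from the RFC 5737 documentation ranges) and the path pattern for "private" URLs are constructed for the demonstration; a real site would substitute its own authenticated-only routes. The example goes slightly beyond the comment by also listing which other log lines become personal data as a consequence of the link.

```python
"""Added example (not from the original thread): linking IPs in an access log
to accounts via user-specific, login-only URL paths.

All log lines and addresses below are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample access log in Combined Log Format style.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2018:14:51:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [28/May/2018:14:51:05 +0000] "GET /users/JohnDoe/private-messages/123 HTTP/1.1" 200 2048
198.51.100.2 - - [28/May/2018:14:52:10 +0000] "GET /about HTTP/1.1" 200 300
198.51.100.2 - - [28/May/2018:14:52:20 +0000] "GET /users/JaneRoe/private-messages/7 HTTP/1.1" 200 1024
192.0.2.9 - - [28/May/2018:14:53:00 +0000] "GET /users/JohnDoe HTTP/1.1" 200 900
"""

# Common Log Format prefix: client IP, ident, authuser, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical route that is only served to the logged-in owner. A public
# profile such as /users/JohnDoe is deliberately NOT matched: anyone can view it,
# so requesting it proves nothing about who the client is.
PRIVATE_PATH_RE = re.compile(r'^/users/(?P<user>[^/]+)/private-messages/')


def link_ips_to_users(log_text: str) -> Dict[str, List[str]]:
    """Return {ip: [usernames]} for every IP that fetched a login-only path.

    Only successful (2xx) requests count; a 401/403 on a private path does not
    show the client was that user."""
    ip_to_users = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        pm = PRIVATE_PATH_RE.match(m["path"])
        if pm:
            ip_to_users[m["ip"]].add(pm["user"])
    return {ip: sorted(users) for ip, users in ip_to_users.items()}


def lines_that_become_personal_data(log_text: str, links: Dict[str, List[str]]) -> List[str]:
    """Every log line from a linked IP, including ordinary page views: once the
    IP is tied to an account, all of its entries relate to an identifiable person."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["ip"] in links:
            out.append(line)
    return out


if __name__ == "__main__":
    links = link_ips_to_users(SAMPLE_LOG)
    for ip, users in links.items():
        print(ip, "->", ", ".join(users))
    print()
    for line in lines_that_become_personal_data(SAMPLE_LOG, links):
        print("personal data:", line)
```

The point for a small operator is that the linkage does not require Google-scale data: a single request to an owner-only URL ties the address to the account for every other entry from that address in the log. That is why the question of whether IP logs are "personal data" turns on what other data sits next to them, as the comments argue.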