24

People often use personal information to create them, like a first name or date of birth, and people often reuse passwords across several sites, so I guess passwords are considered personal data since they could identify their owner.

If a website doesn't follow best practices regarding password hashing, it could make the whole hashing process basically useless, so I guess password hashes are also considered personal data.

With GDPR, can I request a copy of my password hash?

  • 4
    IANAL, but there is a big difference between a place/date of birth, which you cannot choose, and a password, which you should randomly generate. The former kind of information is intrinsically identifying you. The latter only tangentially, by using it multiple times. I.e. I don't think that your premise holds at all. Just because the rows in a DB have an id column identifying your record does not mean that is personal data and that you have the right to know it or modify/delete it. It's an internal identifier only.
    – Bakuriu
    Commented May 28, 2018 at 20:27
  • 2
    To be pedantic, IANAL and for sure I am not a GDPR expert, but I am 99.99999% sure that GDPR does not prohibit you from requesting a copy of your password hash. I suspect you meant does GDPR require that your request be fulfilled. I don't think so. I think they could not respond, respond with your password hash, or respond with random rubbish at their discretion and be within compliance.
    – emory
    Commented May 29, 2018 at 0:15
  • 2
    A correctly hashed password does not uniquely identify a person, as multiple passwords can yield the same hash, even if the passwords are different. This single fact makes the whole question moot. For some unknown reason my previous (upvoted) comment to this effect was removed. Please don't. It's relevant.
    – user207421
    Commented May 30, 2018 at 0:17

2 Answers

16

First of all, a password is not personal data.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From GDPR Article 4 (https://gdpr-info.eu)

As for password hashes, what do you mean by requesting a copy of yours? You could produce it yourself if you knew the hashing algorithm of the website.

By the way, websites should be using good hashing algorithms, such as bcrypt or scrypt, not MD5 or SHA1.

  • Comments are not for extended discussion; this conversation has been moved to chat.
    – feetwet
    Commented May 29, 2018 at 19:14
  • "what do you mean by requesting a copy of yours? You can produce it" Could you clarify how this is different from requesting other data that they store about me after I supplied it (e.g. my date of birth)? They must provide that despite my already knowing it, so why would they not have to give me my password data? I also don't understand this statement: "a password is not personal data". The section you cite seems contradictory since my password is a binary number that identifies my natural person (unless they show others have the same password). Clarification would be greatly appreciated!
    – Luc
    Commented Mar 17, 2021 at 15:06
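The answer above says you could produce the hash yourself if you knew the site's algorithm. Whether that holds depends on how the password is stored, so here is an added example (not the answerer's code or any site's real implementation) contrasting the two cases the answer names: an unsalted MD5 digest is the same for everyone who types that password, so anyone can reproduce it and a reused password yields the same hash on every site, while a salted scrypt hash also needs the per-account random salt and cost parameters held in the record. The sample password, the candidate list, the scrypt parameters and the `scrypt$N$r$p$salt$hash` record format are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs (not data from the page): one weak password
# reused on two sites, plus a small word list an attacker might try.
REUSED_PASSWORD = "Summer2018!"
CANDIDATE_PASSWORDS = ["password", "Summer2018!", "letmein", "qwerty123"]

# Assumed scrypt cost parameters; tune for the hardware doing the hashing.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the kind of storage the answer warns against.
    Deterministic: the same password gives the same digest on every site."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_by_lookup(digest: str, candidates) -> Optional[str]:
    """Lookup attack: with no salt, one precomputed table works against
    every site that stored the password this way."""
    table = {legacy_md5(c): c for c in candidates}
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Salted scrypt, stored as 'scrypt$N$r$p$salt_hex$hash_hex' (an assumed,
    illustrative record format). A fresh random salt per account means two
    records for the same password do not match each other."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the salt and parameters from the record, then compare
    in constant time so the check does not leak where the digests diverge."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def reproduce_from_record(stored: str, password: str) -> str:
    """What a user could recompute from their own password only if they also
    hold the record's salt and parameters; knowing 'the algorithm' alone
    does not get them there."""
    _, n, r, p, salt_hex, _ = stored.split("$")
    return hash_password(password, salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p))


def demo() -> dict:
    """Run both storage schemes over the constructed password."""
    site_a_md5 = legacy_md5(REUSED_PASSWORD)
    site_b_md5 = legacy_md5(REUSED_PASSWORD)
    record_a = hash_password(REUSED_PASSWORD)
    record_b = hash_password(REUSED_PASSWORD)
    return {
        # Same digest on both sites: the hash itself links the two accounts.
        "md5_links_accounts": site_a_md5 == site_b_md5,
        "md5_cracked_to": crack_md5_by_lookup(site_a_md5, CANDIDATE_PASSWORDS),
        # Different salts: the two records share nothing an attacker can join on.
        "scrypt_records_differ": record_a != record_b,
        "scrypt_verifies": verify_password(record_a, REUSED_PASSWORD),
        "scrypt_reproducible_only_with_salt":
            reproduce_from_record(record_a, REUSED_PASSWORD) == record_a,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the question in the thread: with MD5 storage the hash is effectively the password (reproducible by anyone, reversible by lookup), so handing it out adds nothing the user cannot compute. With a properly salted scrypt record, the value is only reproducible by whoever holds the salt, which is exactly why sites have no reason to send it and why receiving it would not tell the user anything about the password they already know.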
13

The way I see it, any information that can be associated with an identified or identifiable person is personal information. So password hashes are personal information because they are definitely stored in the database in a way that is clearly associated to your email or other data that can identify you. However, I think there are two things to consider:

  • You wouldn't really be asking to see your personal data (it's a hash, you can't see the password), but actually how your personal data is stored. You probably have no right to know the details about how they store your data exactly, except maybe an official statement where they claim to follow all the best security practices, or follow some standards, etc.
  • Sending the hash to you might actually invalidate their security policies, standards, or practices, because it doesn't sound like a great idea to communicate a password hash to a user. If it is securely stored and managed in their systems, why risk lowering their security by communicating the hash to a user?

For the above reasons I think the GDPR principle of "security of personal data" (section 2) is definitely more important than your right to see the hash for no reason.

  • 5
    That's the problem with this overbearing regulation. As a small website owner, blogger, or even an individual running a server, you have no realistic chance of connecting the dots between an IPv4 address and an individual. Google, Facebook and other big corporations would be in a position to do that, along with nation states. But the regulation pretends that an IP can be (ab)used the same way, no matter the context ... while at the same time failing to protect citizens from government overreach when it comes to personal data. Commented May 28, 2018 at 14:39
  • 7
    @0xC0000022L. Whether GDPR is overbearing remains to be seen. We do not have any case-law yet. To my eyes, GDPR is almost identical to Directive 95/46/EC. We have 13 years of case-law for that, and the sky has not fallen. Commented May 28, 2018 at 14:44
  • 5
    @0xC0000022L, you can do a lot of things with IP addresses. You can associate it with a nickname, which in turn is usually associated with an email, etc. You can track all pages visited in a session, the times, etc. You can geolocate it, and see any changes in the geolocation to try to guess where the user has moved. It is personal data. If you don't use that, it's ok, just say that IPs are logged for technical reasons. But if you do use it and process it along with other personal data, then it must be accepted by the user and written in your privacy policy. This is all off-topic here though.
    – reed
    Commented May 28, 2018 at 15:19
  • 3
    @0xC0000022L Small website operators tend to be less careful / knowledgeable about security, increasing the risk of their databases falling into the hands of governments / criminal organizations. I'm no legal expert, but the argument that "They're too small to know what to do with the data anyway" should not exempt them from needing to handle it properly. Commented May 28, 2018 at 19:59
  • 3
    In 2016 the Court of Justice (EU) ruled that a dynamic IP address is considered personal data, see this press release: curia.europa.eu/jcms/upload/docs/application/pdf/2016-10/…
    – wimh
    Commented May 28, 2018 at 20:11
