|
|
|
|
|
|
by jarkhen
1977 days ago
|
|
|
> My company doesn't even hash passwords... I understand this is somewhat my privilege speaking here, but I don't think I could continue working at a company that didn't do something as basic as hashing passwords (and refused to prioritize fixing that as soon as I pointed it out). It's a massive ethical, if not legal (IANAL), liability -- and a huge breach of users' trust. It's 2021, hashing user passwords is astonishingly easy; I can't imagine any remotely justifiable excuse for something like that. |
|
|
> User passwords must be stored in a “hashed” form.
These guidelines aren't legal requirements for every service, but if a data breach occurred, and passwords were leaked, regulators would presumably point to this recommendation, and the ease of complying with it, and take that into consideration when issuing a fine.
[0] https://www.enisa.europa.eu/risk-level-tool/help