by UnoriginalGuy 4951 days ago
> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?

No. It is not. There is no legal compulsion to hash passwords. I believe Visa and Mastercard do require their vendors to do so, however, or risk losing their ability to process credit card payments. I also think that there is some US healthcare law that somewhat requires it.

But in general there is no legal requirement to hash passwords. The lack of hashed passwords doesn't mean that there is a "user data compromise" in its own right.

The reason companies hash passwords is so that if they ever get broken into, it means the bad guy has to spend several days or weeks breaking the password database, which gives the company time to notify the users and the users time to change their passwords.

Note: A lot of compromises go unnoticed and in those situations hashing offers little additional security (since the bad guy has infinity to crack the passwords).

Note #2: Hashing also makes implementation easier since the length of passwords becomes uniform and you essentially eliminate things like SQL injection (since the raw password is never stored in the database).

1 comments

Even the Massachusetts data privacy laws (which are more comprehensive than most that apply in the U.S.'s crazy quilt of overlapping jurisdictions) fall short of requiring password encryption. The closest I can find in the summary of requirements (on page 4) is that anyone who stores information about a resident of the Commonwealth is required to use "a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices"; there's no specific method of hashing or encryption, and no guide about what's "reasonable".

There's also a requirement to encrypt data in transit over insecure networks, or when stored on portable devices, including laptops, but that doesn't seem to apply to main servers wired into racks.

(As to whether these apply to you, well... IANAL; the law claims to apply to anyone who's storing data about Massachusetts residents, but I don't know how well that actually sticks to people who are physically located elsewhere.)

Official summary of the requirements:

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf