This headline reminded me of this thread. It is specifically about the Data Protection Laws you mentioned, I believe.

http://arstechnica.com/security/2013/01/sony-fined-395000-for-2011-hack-of-its-playstation-network/

On Thu, Jan 17, 2013 at 4:39 AM, Rakesh <[email protected]> wrote:
> And who exactly is going to do the prosecuting and which law was broken?
>
> The closest thing I know is UK-specific: banks have been fined for losing
> customer data under UK Data Protection Laws. No one goes to jail though.
>
> On 17 January 2013 08:49, Jim Cheesman <[email protected]> wrote:
>> Certainly is enforceable; there are two clear scenarios that come to mind
>> immediately (there may well be more):
>>
>> 1. A hacker gets into your system, and publishes a complete dump of your
>> database.
>>
>> 2. Suspected crime, and a government agency (with appropriate warrant)
>> gets a copy of your database.
>>
>> In both cases your database is no longer in your hands, and your password
>> policy is on display. The very least you should do is store password
>> hashes, which provide at least some minimal security both for your users
>> and CYA.
>>
>> On Wednesday, 16 January 2013 16:19:34 UTC+1, rakesh mailgroups wrote:
>>> Tomorrow I decide to build a website that takes credentials.
>>>
>>> I don't see that whether I choose to store the passwords or not, encrypted
>>> or not, is governed by some law. It's not enforceable.
>>>
>>> Obviously, as a professional, I would want to make sure the decision I
>>> make does not lead to issues with my business.
>>>
>>> When Sony was hacked, no government prosecuted them (I believe).
>>>
>>> Rakesh
>>>
>>> On 16 January 2013 12:06, Ryan Schipper <[email protected]> wrote:
>>>> Definitely the more purist approach. Less value for investigations.
>>>>
>>>> In reality, most organisations choose to take the chance on this in
>>>> order to assist investigations when necessary.
>>>>
>>>> Smart software could also check whether the username is valid prior to
>>>> including it in the log. Though this could open the possibility of timing
>>>> attacks.
>>>>
>>>> The whirling dervish of security strikes again....
>>>>
>>>> On 15/01/2013 10:13 AM, "Josh Berry" <[email protected]> wrote:
>>>>> I thought it was actually best practice to not even record the
>>>>> username, since a very conceivable mistake is to forget to tab over to the
>>>>> password field and then submit the form after typing username and password
>>>>> into the same field. Perhaps only storing a hash might be safe.
>>>>>
>>>>> Regardless, it does seem in the questionable category of even being
>>>>> useful, and instead just opening you up to further attacks. I view it (in
>>>>> what I do not think of as a controversial view) as the username/password of
>>>>> users is actually valuable information. As much so as credit card
>>>>> numbers. Treat it as such.
>>>>>
>>>>> (None of this is to say Ryan's answer is incorrect in any shape, form
>>>>> or fashion.)
>>>>>
>>>>> On Mon, Jan 14, 2013 at 5:16 PM, Ryan Schipper <[email protected]> wrote:
>>>>>> As to the legality, I think the correct question is: is it legal to
>>>>>> store the password (as entered or some derived form, such as a hash)?
>>>>>>
>>>>>> Auditing failed login attempts (the username, a timestamp, etc) is an
>>>>>> extremely common practice - in fact, Australian information security
>>>>>> standards require it and common professional security certifications (CISSP
>>>>>> etc) recommend it. I'd be very surprised if it were illegal to track this sort
>>>>>> of information within the EU. These logs are invaluable in conducting
>>>>>> internal fraud or security investigations.
>>>>>>
>>>>>> That said, why does the password (in particular) need to be tracked?
>>>>>> I can think of a very good reason not to track it: mistyped passwords.
>>>>>> Consider how many times you mistype your password. If a computer system
>>>>>> were to track my mistyped passwords, the database containing those would
>>>>>> become a treasure trove for internal fraudsters.
>>>>>>
>>>>>> I can't think of a sane security professional that would recommend
>>>>>> tracking passwords in this manner - usernames and timestamps, absolutely,
>>>>>> but not passwords.
>>>>>>
>>>>>> PS. As usual, if you or your client are legitimately concerned, you
>>>>>> should be consulting a practicing lawyer, not a list of Java doods. =)
>>>>>>
>>>>>> -- Ryan
>>>>>>
>>>>>> On 15 January 2013 08:30, Fabrizio Giudici <[email protected]> wrote:
>>>>>>> On Mon, 14 Jan 2013 22:24:35 +0100, Kevin Wright <[email protected]> wrote:
>>>>>>>
>>>>>>>> That depends on what you mean by "retain".
>>>>>>>
>>>>>>> I suppose he means the credentials are logged, or stored somewhere,
>>>>>>> not just in order to re-render a page.
>>>>>>>
>>>>>>> --
>>>>>>> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
>>>>>>> "We make Java work. Everywhere."
>>>>>>> http://tidalwave.it/fabrizio/blog - [email protected]
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Java Posse" group.
>>>>>>> To post to this group, send email to [email protected].
>>>>>>> To unsubscribe from this group, send email to javaposse+...@googlegroups.com.
>>>>>>> For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.
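The practices the thread converges on (store a salted password hash rather than the password, audit failed logins by username and timestamp but never by the submitted password, keep only a fingerprint of the username in case a password was typed into that field, and avoid an early exit on unknown usernames that would turn the check into a timing signal) put together in one class. This is an added example, not code from the list or from any poster: plain JDK (Java 17) only, and the class, method names, the 100,000 PBKDF2 iterations and the sample users and addresses are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Constructed example: credential store plus failed-login audit log (Java 17, no third-party code). */
public class LoginAudit {
    private static final int PBKDF2_ITERATIONS = 100_000;   // assumed work factor; tune to your hardware
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** What is persisted per user: a random salt and the PBKDF2 output, never the password. */
    record Credential(byte[] salt, byte[] hash) {}

    /** What the audit log records per failure: when, a keyed fingerprint of the username, where from. */
    record FailedLogin(Instant at, String usernameFingerprint, String remoteAddr) {}

    private final Map<String, Credential> users = new HashMap<>();
    private final List<FailedLogin> failures = new ArrayList<>();
    private final byte[] fingerprintKey = new byte[32];   // secret held by the application, not by the log
    private final Credential decoy;                        // hashed against when the username is unknown

    LoginAudit() {
        RNG.nextBytes(fingerprintKey);
        byte[] salt = newSalt();
        decoy = new Credential(salt, pbkdf2("decoy-never-matches".toCharArray(), salt));
    }

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    /** PBKDF2-HMAC-SHA256 of the password under the given salt (the only form of it ever stored). */
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    void register(String username, char[] password) {
        byte[] salt = newSalt();
        users.put(username, new Credential(salt, pbkdf2(password, salt)));
        Arrays.fill(password, '\0');   // do not keep the cleartext in memory longer than needed
    }

    boolean login(String username, char[] password, String remoteAddr) {
        // Unknown usernames are hashed against the decoy so the PBKDF2 cost is paid either way;
        // returning early here would let the response time reveal which usernames exist.
        Credential stored = users.getOrDefault(username, decoy);
        byte[] candidate = pbkdf2(password, stored.salt());
        Arrays.fill(password, '\0');
        boolean hashMatches = MessageDigest.isEqual(candidate, stored.hash());   // constant-time compare
        boolean ok = users.containsKey(username) && hashMatches;
        if (!ok) {
            // Username and timestamp only; the password never reaches the log. The username is
            // fingerprinted rather than stored, since what was typed there may itself be a password.
            failures.add(new FailedLogin(Instant.now(), fingerprint(username), remoteAddr));
        }
        return ok;
    }

    /** HMAC-SHA256 of the username under the application's key, truncated to 8 bytes for the log. */
    String fingerprint(String username) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(fingerprintKey, "HmacSHA256"));
            byte[] tag = mac.doFinal(username.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(tag, 0, 8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    List<FailedLogin> failedLogins() { return List.copyOf(failures); }

    public static void main(String[] args) {
        LoginAudit auth = new LoginAudit();
        auth.register("alice", "correct horse battery".toCharArray());
        auth.login("alice", "correct horse battery".toCharArray(), "192.0.2.10");   // succeeds, nothing logged
        auth.login("alice", "correct horse batery".toCharArray(), "192.0.2.10");    // typo: logged without the password
        auth.login("nobody", "hunter2".toCharArray(), "198.51.100.7");               // unknown user: same cost, logged
        auth.failedLogins().forEach(System.out::println);
    }
}
```

Investigators who hold the fingerprint key can recompute the fingerprint of any account they are looking at and correlate attempts against it, while the log on its own does not reveal what was typed into the username field. The decoy hash only equalises the expensive PBKDF2 step; the cheap map lookups still differ slightly, so this narrows the timing channel Ryan mentions rather than closing it entirely.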
