TL;DR
Yes, login credentials (usernames, passwords) and answers to secret questions can be considered Personally Identifiable Information (PII) under the EU’s GDPR. Treat them with the same care as names, addresses, or email addresses.
Understanding PII Under GDPR
The General Data Protection Regulation (GDPR) uses the term “personal data” for what is commonly called PII, and defines it broadly (Article 4(1)) as any information relating to an identified or identifiable individual, whether the identification is direct or indirect. This isn’t just obvious data like names and dates of birth; it includes anything that, when combined with other data, could lead to someone being identified.
Why Login Credentials Are PII
- Direct Identification: A username directly links to a specific account holder.
- Indirect Identification: While a password itself isn’t identifying, it grants access to an account containing PII. Combined with the username, it’s enough to identify someone.
- Secret Questions & Answers: These are often based on personal details (mother’s maiden name, pet’s name, etc.). Even if not directly obvious, they can be used to pinpoint an individual.
What Does This Mean for You?
If you collect and process login credentials or secret question answers, you must comply with GDPR requirements.
Steps to Comply with GDPR
- Data Minimisation: Only collect the data absolutely necessary. Do you *really* need a pet’s name for security questions?
- Hashing & Encryption: Never store passwords in plain text! Use strong hashing algorithms (e.g., bcrypt, Argon2) with salting.
```python
# Example using Python and the hashlib library (for demonstration only - use a
# dedicated password library such as bcrypt or argon2-cffi for production)
import hashlib
import os

password = 'correct horse battery staple'  # the secret being protected (hash the password, never the username)
salt = os.urandom(16)                       # fresh random salt per user, stored next to the hash
password_hash = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 600_000)
# persist salt and password_hash.hex(); the plaintext password is never written anywhere
```
- Secure Storage: Protect the database storing credentials with encryption at rest and in transit (HTTPS). Ensure your servers are properly secured against unauthorized access.
- Access Control: Limit who can access this data. Implement strong authentication and authorization mechanisms.
  - Use multi-factor authentication (MFA) wherever possible.
- Data Subject Rights: Be prepared to handle requests from users regarding their data:
  - Right of Access: Users can request a copy of the data you hold about them.
  - Right to Erasure (Right to be Forgotten): Users can ask you to delete their data.
  - Right to Rectification: Users can correct inaccurate data.
- Privacy Policy: Clearly explain in your privacy policy what login details you collect, how you use them, and how you protect them.
- Data Breach Notification: Have a plan in place to notify authorities (and users) in the event of a data breach.
Secret Questions – A High-Risk Area
Secret questions are particularly problematic because answers often become publicly known through social media or data breaches. Consider alternatives:
- Passwordless Authentication: Use email links, biometrics, or authenticator apps instead of passwords and secret questions.
- Risk-Based Authentication: Assess the risk level based on factors like location and device before requiring additional verification.
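The risk-based approach described above, as an added example that is not part of the original article: a login attempt is scored against what is already known about the account (devices and countries seen before, recent failures), and the score decides whether to allow, require an MFA step-up, or deny. The weights, thresholds and the user history are constructed for this demo; a real deployment derives them from its own telemetry.

```python
"""Risk-based authentication: decide whether a login needs step-up verification.

Added illustration, not the article's own code. Weights, thresholds and the
sample account history are constructed assumptions for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class UserHistory:
    """What the service already knows about an account (constructed sample data)."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    recent_failures: int = 0


@dataclass
class LoginAttempt:
    username: str
    device_id: str
    country: str
    password_ok: bool


# Assumed weights: each signal adds to a 0-100 risk score
WEIGHTS = {"new_device": 40, "new_country": 30, "recent_failure": 10}
MAX_COUNTED_FAILURES = 5
STEP_UP_THRESHOLD = 30   # at or above: require a second factor instead of a secret question
DENY_THRESHOLD = 80      # at or above: refuse and alert


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Return (score, reasons) for a password-correct attempt."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if attempt.country not in history.known_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    failures = min(history.recent_failures, MAX_COUNTED_FAILURES)
    if failures:
        score += failures * WEIGHTS["recent_failure"]
        reasons.append(f"recent_failures={failures}")
    return min(score, 100), reasons


def decide(attempt: LoginAttempt, history: UserHistory):
    """Return ('allow' | 'step_up' | 'deny', reasons)."""
    if not attempt.password_ok:
        return "deny", ["bad_password"]
    score, reasons = risk_score(attempt, history)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    alice = UserHistory(known_devices={"laptop-1"}, known_countries={"DE"})
    for attempt in [
        LoginAttempt("alice", "laptop-1", "DE", True),   # familiar: allow
        LoginAttempt("alice", "phone-9", "DE", True),    # new device: step_up
        LoginAttempt("alice", "phone-9", "BR", True),    # new device + country: step_up
    ]:
        print(attempt.device_id, attempt.country, decide(attempt, alice))
```

The point of the pattern is that the extra verification is an authenticator app or passkey prompt, not a secret question, and that it is demanded only when the signals warrant it, so most legitimate logins stay frictionless while the risky ones never succeed on a password alone.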

