Plaintext Passwords: Financial Regulations

TL;DR

Financial companies that store passwords in plaintext break the law and take on a massive cyber security risk. Strict regulations like GDPR, PCI DSS (if card data is involved) and industry-specific rules mandate strong encryption and hashing practices. You’ll face severe penalties for non-compliance.

Understanding the Problem

Financial companies handle sensitive customer information, making them prime targets for cyber attacks. Storing passwords in plaintext – meaning readable text – is one of the worst possible security practices. If a system is breached, attackers gain immediate access to all user accounts.

Regulations You Need To Know

  1. General Data Protection Regulation (GDPR): While not password-specific, GDPR requires appropriate technical and organisational measures to protect personal data, including passwords. Plaintext storage fails this requirement spectacularly.
  2. Payment Card Industry Data Security Standard (PCI DSS): If your company processes, stores or transmits cardholder data, PCI DSS applies. It explicitly demands that passwords must be protected using strong encryption techniques.
  3. Financial Conduct Authority (FCA) & Prudential Regulation Authority (PRA) Rules: The FCA and PRA set standards for financial firms in the UK. These rules often reference GDPR and require robust cyber security measures, implicitly prohibiting plaintext password storage.
  4. Industry Best Practices (NIST, OWASP): Although not laws themselves, following guidelines from organisations like NIST (National Institute of Standards and Technology) and OWASP (Open Web Application Security Project) is considered a best practice and can be used as evidence of due diligence in case of an audit.

What You *Must* Do Instead

Here’s how to store passwords securely:

  1. Hashing: Use strong hashing algorithms like Argon2, bcrypt or scrypt. These are one-way functions: they turn the password into a fixed-length digest from which the original cannot feasibly be recovered.
  2. Salting: Add a unique random value (the ‘salt’) to each password before hashing. This prevents attackers from using pre-computed tables (‘rainbow tables’) to crack passwords, and means two users with the same password get different digests.
  3. Key Stretching: Repeat the hashing process multiple times, making it computationally expensive for attackers to brute-force the passwords. Argon2 and bcrypt build this in through a configurable cost (work factor) parameter.
  4. Never Store Passwords in Plaintext: This seems obvious, but it’s worth repeating!

Example (Python with bcrypt)

This is a simplified example for demonstration purposes only. Always use well-vetted libraries and follow security best practices.

import bcrypt

# bcrypt only uses the first 72 bytes of the password.
password = b"mysecretpassword"

# gensalt() draws a random 16-byte salt and records the work factor
# (cost, default 12); both end up embedded in the resulting hash string.
salt = bcrypt.gensalt()
hashed_password = bcrypt.hashpw(password, salt)

print("Hashed password:", hashed_password)

# To verify a password: checkpw re-hashes the candidate with the salt and
# cost taken from hashed_password and compares the result in constant time.
if bcrypt.checkpw(b"mysecretpassword", hashed_password):
    print("Password matches!")
else:
    print("Password does not match.")
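The following is an added example, not the article’s own code. It walks through the three steps from the list above (hashing, salting, key stretching) using scrypt from Python’s standard library rather than bcrypt, stores the work-factor parameters next to the digest so they can be raised later, verifies with a constant-time comparison, and reports when an older record should be re-hashed. The record layout, the parameter values and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters (assumption: illustrative values; tune them so one
# hash takes roughly 100 ms on your production hardware).
SCRYPT_N = 2 ** 14          # CPU/memory cost, must be a power of two
SCRYPT_R = 8                # block size
SCRYPT_P = 1                # parallelisation
SALT_BYTES = 16             # 128-bit random salt, unique per password
DKLEN = 32                  # derived key length in bytes
MAXMEM = 64 * 1024 * 1024   # memory ceiling passed to OpenSSL's scrypt


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Salt and key-stretch a password; return a self-describing record.

    Record layout (hypothetical format chosen for this example):
        scrypt$<n>$<r>$<p>$<salt_b64>$<digest_b64>
    Keeping the parameters beside the digest lets you raise the work factor
    later without breaking verification of records hashed under old settings.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, maxmem=MAXMEM, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(digest)])


def _parse(record: str):
    """Split a stored record into (n, r, p, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        digest = base64.b64decode(parts[5], validate=True)
    except (ValueError, TypeError):   # binascii.Error is a ValueError subclass
        return None
    return n, r, p, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time. A malformed record (including a plaintext value that was
    never hashed) is rejected rather than raising."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, digest = parsed
    try:
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, maxmem=MAXMEM, dklen=len(digest))
    except ValueError:   # e.g. n not a power of two in a tampered record
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True when the record's work factor is below current policy, so the
    caller should re-hash the password right after a successful login."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("wrong", rec))
    print("needs rehash:", needs_rehash(rec))
```

Two details matter in practice: the comparison goes through hmac.compare_digest so a wrong guess does not leak how many leading bytes matched, and verify_password never raises on garbage input, so a column that still contains plaintext simply fails every login instead of crashing the service.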

Auditing and Compliance

  1. Regular Security Audits: Conduct regular audits to ensure your password storage practices meet regulatory requirements.
  2. Penetration Testing: Hire external cyber security experts to perform penetration tests, simulating real-world attacks to identify vulnerabilities.
  3. Data Encryption at Rest and in Transit: Protect passwords not only when stored but also during transmission (e.g., using TLS/SSL).
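As a concrete check for the audit in item 1 (an added example, not from the article): a short script that scans the password column of a users table and flags rows that look like plaintext, bare unsalted fast hashes, or a bcrypt hash with an under-policy cost. The sample rows are constructed, and the accepted-format list, the minimum bcrypt cost and the finding labels are assumptions you would adapt to the formats your systems actually use.

```python
import hashlib
import re
from collections import Counter

# Prefixes of self-describing, salted, key-stretched formats. Assumption: this
# list covers what your own systems deliberately deployed; extend as needed.
ACCEPTED_PREFIXES = (
    "$2a$", "$2b$", "$2y$",                  # bcrypt
    "$argon2id$", "$argon2i$",               # Argon2
    "$scrypt$", "scrypt$",                   # scrypt (libsodium / custom record)
    "pbkdf2_sha256$", "$pbkdf2-sha256$",     # PBKDF2 (Django / passlib styles)
)
MIN_BCRYPT_COST = 10  # OWASP's recommended floor for the bcrypt work factor
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")
# Bare MD5 / SHA-1 / SHA-256 hex digests with no salt or parameters recorded.
UNSALTED_HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

# Constructed sample rows standing in for a users table (not real data). The
# bcrypt/argon2 values are shaped like real records but are placeholders, and
# the hex value is SHA-256 of a constructed string.
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "password": "$2b$12$" + "A" * 53},
    {"id": 2, "username": "bob",   "password": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$ZGlnZXN0"},
    {"id": 3, "username": "carol", "password": "Summer2019!"},
    {"id": 4, "username": "dave",  "password": hashlib.sha256(b"constructed").hexdigest()},
    {"id": 5, "username": "erin",  "password": "$2a$04$" + "B" * 53},
    {"id": 6, "username": "frank", "password": ""},
]


def classify(value):
    """Return a finding label for one stored password value."""
    if value is None or value == "":
        return "empty"
    m = BCRYPT_RE.match(value)
    if m:
        return "ok" if int(m.group(1)) >= MIN_BCRYPT_COST else "weak_work_factor"
    if value.startswith(ACCEPTED_PREFIXES):
        return "ok"
    if UNSALTED_HEX_RE.match(value):
        # Unsalted and unstretched: crackable with rainbow tables or a fast
        # GPU, so treat as non-compliant even though it is not plaintext.
        return "unsalted_fast_hash"
    return "plaintext_suspected"


def audit(records):
    """Classify every row; return (non-ok findings, count per label)."""
    findings = []
    summary = Counter()
    for row in records:
        label = classify(row.get("password"))
        summary[label] += 1
        if label != "ok":
            findings.append({"id": row["id"], "username": row["username"],
                             "finding": label})
    return findings, summary


if __name__ == "__main__":
    found, counts = audit(SAMPLE_USERS)
    print("summary:", dict(counts))
    for f in found:
        print(f"user {f['id']} ({f['username']}): {f['finding']}")
```

Run it against an export of the password column (never against the live table from a laptop) and file anything other than "ok" as an audit finding; a "plaintext_suspected" row is the one regulators care most about, but bare hex digests and low-cost bcrypt records also fail the "strong cryptography" bar the regulations above set.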

Penalties for Non-Compliance

The penalties for violating data protection regulations can be severe, including:

  • GDPR Fines: Up to £17.5 million or 4% of annual global turnover (whichever is higher).
  • PCI DSS Fines: Vary depending on the severity and scope of the breach, but can be substantial.
  • Reputational Damage: Loss of customer trust and brand value.
  • Legal Action: Lawsuits from affected customers.