Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

What Is Protected Personally Identifiable Information? Do I Really Have to Hash Users' Passwords?

This post is part of our ongoing Encryption Series that provides in-depth coverage of OpenSSL. To learn more about encryption key generation, management, and use please see the posts in the Encryption category. Our tips and tricks are immediately applicable with examples that you can use right away. If you like this article, you may be interested in the Raspberry Pi crypto key management project as well as Rietta’s Application Security Learning Center, our catalog of video resources on how to succeed with web application security.

The Short Answer

The legal answer depends on which Federal, State, and local laws apply to your company. And I am not a lawyer. However, for companies whose nexus is in Georgia, where my company is located, the Georgia General Assembly has given some guidance in the data breach law.

And yes, you really do have to hash your users’ passwords or you risk having to do a full blown Data Breach Notification if the user’s table is ever compromised!

The Details

The exact definition of personal information varies among states.

However, since my company is located in the State of Georgia, and so are many of our clients, I will use the Georgia State Data Breach Notification Law as an example.

OCGA 10-1-911 (Official Georgia State Law) defines it as:

“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  • Social security number;
  • Driver’s license number or state identification card number;
  • Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
  • Account passwords or personal identification numbers or other access codes; or

The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

In general, the Georgia General Assembly has expressed concern over the threat of identity theft.

My understanding is that if you do not hash the passwords in your database and it is leaked then you have to do a full formal data breach notification. People tend to use the same passwords are multiple places. Secure hash algorithms with salting are your friends here.

Other Potentially Applicable Laws

In general, security standards are either required for all entities that handle certain information (law mandates) or by contractual agreements with a private party or a government agency.

U.S. Laws

  • State Data Breach Laws
  • Health Insurance Portability and Accountability Act
  • Gramm-Leach-Bliley Act
  • Sarbanes–Oxley Act of 2002 (SOX)
  • Family Educational Rights and Privacy Act (FERPA)

Contractual Agreements

  • Payment Card Industry Digital Security Standards (PCI-DSS)
  • Federal Data Security Standards
  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems


Christian Kotscher

Great info Frank your the best.

John Grints

I agree. This is also the same with big companies. Passwords and other data should be safe and secured. Important files should be encrypted to ensure its safety and security. A company should also need to hire an excellent developer that knows how to do ethical hacking.

About Frank Rietta

Frank Rietta's photo

Frank Rietta is specialized in working with startups, new Internet businesses, and in developing with the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.