Is it illegal to know someone's password?

(this topic was solved - can a moderator close this?)

I’m not from Romania, but in general your admin dashboard (where you see and control user info) should be locked down with passwords, one-time access codes etc. And passwords should be hashed and salted. Also, the user should have the right to see what you're collecting under GDPR regulations.

5 Likes

I mean, if you do not have a log-in system, you don’t need a privacy policy?

Could you explain? Any info collected from auth forms should be requestable by the user.

Say I sign up to your site. I should have the right to ask for my IP, or my username and stuff like that, but only after I have gone through a thorough process to prove my identity.

5 Likes

Follow these steps:

  1. Lock down the page where you can see user info. All passwords should be hashed and not be seen, not even by admins.

  2. Allow people to request the data you collect. Discord, for example, offers users the option to see what info Discord has collected. In this case make sure they can prove their identity.

  3. Make a privacy notice. Tell people where and what their data is going to be used for.

Admins should be people who can be trusted not to disclose user info to the outside world.

Might not apply: https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

4 Likes

If you collect any user information, you should add a Privacy Policy and be specific on what info you collect.

Edit: I typed this before 17lwinn posted this, so I don’t mean for this to be a duplicate.

4 Likes

@LankyBox01 also, you should only collect relevant user data (passwords, usernames etc) and destroy them when they are no longer needed.


@aboutDavid thanks for the extra reply!

5 Likes

Also, you should hash your users' passwords using something like bcrypt. And if you impersonate users you (possibly, maybe) could be sued, or your users could lose their trust in you.

5 Likes

From experience, even the tightest systems can be penetrated by a backdoor. Admin interfaces especially should be handled with caution.

2 Likes

I am collecting it in case someone forgets their password, or is hacked, so admins can run the users through a test to check if they actually are “themselves” so they can give the password back to them.
So I don’t think I can destroy the info…

Also, I am keeping them in the .env file.

No, you should allow them to reset their password instead of giving it to them. If you store non-hashed passwords, then you are vulnerable to database breaches and your users will be really mad at you because you could have prevented it but you just didn’t hash passwords.

3 Likes

I don’t think I can do that.

Firstly, never keep passwords in .env. Projects can be hijacked and the .env is never 100% safe.

Always store them in a safe place, like a hidden folder or an external service like MongoDB Atlas.

5 Likes

How can I make a file allowed only for certain Google accounts?

Just use Firebase Auth. It’s really easy to use and supports OAuth.

1 Like

Hey, also forgot: the Glitch TOS contains what you must do with user data collected on a Glitch site.

2 Likes

Can you link to that section? I actually never saw it.

1 Like

Hang on, let me find it…

3 Likes

Ah, here we are, section F, Privacy:

If you collect any Personal Information from a User, you agree that you will only use the Personal Information you gather for the purpose for which the User has authorized it. You agree that you will reasonably secure any Personal Information you have gathered from the Services, and you will respond promptly to complaints, removal requests, and ‘do not contact’ requests from us or Users.

2 Likes

Also, if you really want good legal advice, you should probably ask in r/legaladvice as they have better legal advice than us.

5 Likes