
> Is there a law against clear text passwords

In Europe GDPR covers that, many big websites started hashing after it

Edit: could somebody explain the downvotes? The comments seem to agree with me

Obviously GDPR is not a law about plain text passwords, but as the comments say it forces "the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication." etc.



Really?

Edit: Kind of. The UK org in charge of GDPR says:

> Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

> Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.

> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.

https://ico.org.uk/for-organisations/guide-to-data-protectio...


GDPR does not have any wording that refers to any technical specifics (e.g. password storage) whatsoever.

The most relevant passage is "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" from article 32; and it could be argued that having passwords in plaintext most likely does not constitute "appropriate technical measures" and doing so opens you up to fines based on GDPR if an incident occurs, but it's not really "a law against clear text passwords" but rather a law that simply says that you are responsible for how you [mis]implement your security and the consequences of that.


GDPR doesn't state explicitly "passwords must be hashed", but Knuddels.de was fined for unhashed passwords. The fine was specifically for the lack of hashing and not the breach that uncovered it.


Yes of course GDPR is not a law about plain text passwords, but (as the sibling comment points out), pretty much everybody considers the use of appropriate hashing as a requirement to ensure a level of security appropriate to the risk.

https://www.gamingtechlaw.com/2019/04/first-gdpr-fine-italy.... This fine specifically mentions password storage (among many other things).

Also see previous thread on HN: https://news.ycombinator.com/item?id=18531588


On top of that GDPR requires companies to notify customers of data breaches, which risks reputation damage. Another liability of shoddy security.



