If you need to store passwords to secure an application, you need to understand that you hold a major responsibility.
First, you don't store passwords as is. Someone (such as a hacker) who manages to access the password repository would easily be able to steal them as they are stored in plain text. Not good!
Under the GDPR, you would be in breach of Art 5.1.f, Art 24 and Art 32. The relevant data protection supervisory authority (DPC, CNIL, etc.) wouldn't be too impressed. More importantly, you are putting people's data at risk.
Plain text storage is a NO NO NO.
Passwords need to be stored as a one-way hash (often loosely called irreversible encryption). If the transformation is reversible, one simply needs the key and the passwords can be stolen. Not good either!
You would still be in breach of Art 5.1.f, Art 24 and Art 32 because you still wouldn't have implemented "state of the art" protection of data.
Even with one-way hashing, the passwords aren't safe! Computers are powerful enough these days to take entire dictionaries as well as passwords from previous data breaches, run them through the same hash function as above and, by comparing the resulting hash strings, retrieve the passwords.
If you let users choose passwords, encouraging them to use a short sentence (e.g. adding spaces) would improve security, as it wouldn't be one dictionary word to compare but multiple words combined. Forcing the use of special characters not found in a dictionary (e.g. €$%-:) will make word comparison more difficult.
This isn't enough though!
Encryption and cooking share an ingredient: salt.
For encryption, you don't use real salt, of course! You add some data before and after the password prior to hashing (salting). With the salt, comparing the hash against dictionary words is more complicated.
Ex:
Where do you store the salt?
Not in the same place you store the hashed passwords. A hacker would hit five GAFAM with the same stone (expression adjusted from "hitting two birds with one stone" to respect birds and biodiversity and, hopefully, make you smile).
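A worked illustration of the hashing and salting points above (an added example, not part of the original post): a plain one-way hash lets identical passwords be matched against a precomputed wordlist, while a fresh random salt per password combined with an iterated hash (PBKDF2-HMAC-SHA256 here, an assumed choice) breaks that comparison. The iteration count and the sample passwords are constructed values for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed demo value; tune to your hardware
# and follow current guidance in production).
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain one-way hash: identical passwords give identical digests,
    which is exactly what a precomputed dictionary attack compares against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def wordlist_lookup(digest: str, wordlist) -> Optional[str]:
    """Defender's check: does an unsalted digest match any word in a list?"""
    table = {unsalted_hash(w): w for w in wordlist}  # one table serves every user
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. Returns (salt, digest) so the caller decides
    where each part is stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    # Constructed sample: two users who picked the same weak password.
    pw = "password123"
    wordlist = ["123456", "password123", "letmein"]  # constructed breach list
    salt_a, digest_a = hash_password(pw)
    salt_b, digest_b = hash_password(pw)
    return {
        "unsalted_found": wordlist_lookup(unsalted_hash(pw), wordlist),  # "password123"
        "salted_collide": digest_a == digest_b,  # False: same password, different digests
        "verify_ok": verify_password(pw, salt_a, digest_a),  # True
        "verify_wrong": verify_password("password124", salt_a, digest_a),  # False
    }


if __name__ == "__main__":
    print(demo())
```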
There is more to it, but one needs to start somewhere. So if you need to add security to a piece of software, make sure you are trained properly, seek advice and get the end product tested.
Multi-factor authentication through an app will add an extra level of security, but that's for another day.
Claude Saulnier
CDPO - CIPP/E
Brand Ambassador
Bizoneo
Post Scriptum (PS):