Open georgestephanis opened 4 years ago
I'll drop this into #core-privacy next week for discussion.
My inclination here is that passwords themselves aren't PII (Personally Identifiable Information), but in combination with a username or email they can be used to access personal data, either on the site or across other networks where users have re-used their credentials. If a token can be stored instead of a password, then this mitigates a hack/leak from being used to re-try those credentials against other external services to gain further access to their personal data. *I know several people who use the same email/user/pass combo for every site they sign up for.
Specific to GDPR and passwords, the ICO website has a great guide/overview: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/
For further reference, here's what the GDPR specifically includes in online identifiers, which passwords aren't part of: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-are-identifiers-and-related-factors/
If passwords or other data are stored and 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.' (Article 5(1)(f) of the GDPR), then as long as it's being disclosed (maybe through the Privacy Policy Guide), that should comply with the legislation.
*If any discussion ensues in a future privacy team meeting I'll post the archive link here.
As a follow-up to https://wordpress.slack.com/archives/C02RQC26G/p1585246415044800