People often use personal information to create them, like first name / date of birth, and people often reuse passwords across several sites, so I guess passwords are considered personal data since they could identify their owner.

If a website doesn't follow best practices regarding password hashing, it could make the whole hashing process basically useless, so I guess password hashes are also considered personal data.

With GDPR, can I request a copy of my password hash?

Benoit Esnard

2 Answers

First of all, a password is not personal data.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From GDPR Article 4 (https://gdpr-info.eu)

As for password hashes, what do you mean by requesting a copy of yours? You can produce it yourself if you know the hashing algorithm of the website.

By the way, websites should be using good hashing algorithms, such as bcrypt or scrypt, not MD5 or SHA1.

Steve Woods
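The two points made in this answer, that a user who knows the site's algorithm and parameters can recompute their own hash, and that unsalted MD5 is a poor choice next to a salted, slow function such as scrypt, are illustrated below. This is an added example, not code from the answer's author; the `scrypt$n$r$p$salt$hash` record format, the scrypt cost parameters and the "two sites" scenario are assumptions made for the demonstration. It also shows why the question's worry about hashes is not idle: an unsalted hash of a reused password is identical on every site, so a dump from one site becomes a stable identifier for the same person elsewhere, while a per-record random salt breaks that link.

```python
import hashlib
import hmac
import os

# Assumed scrypt parameters for the example. Kept modest so the block runs in a
# few hundred milliseconds; a real deployment would tune these upward.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_DKLEN = 32
SCRYPT_MAXMEM = 64 * 1024 * 1024  # explicit ceiling above what N=2**14, r=8 needs


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the kind of scheme the answer warns against.

    No salt, no work factor: the same password always yields the same digest,
    so the digest is both trivially reversible by lookup and linkable across
    any two databases that used it.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: bytes) -> str:
    """Salted scrypt, stored as a self-describing record (assumed format).

    Because the record carries algorithm name, cost parameters and salt, anyone
    who knows the password can recompute the hash exactly, which is the point
    made in the answer about "producing" your own hash.
    """
    dk = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=SCRYPT_DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Parse a stored record, recompute with its own parameters, compare in constant time."""
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=len(dk_hex) // 2,
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_two_sites(password: str) -> dict:
    """Constructed scenario: one user reuses one password on two unrelated sites.

    Returns whether the stored hashes can be matched against each other under
    each scheme. With unsalted MD5 they always match; with per-record salts the
    derived keys differ even though the password is identical.
    """
    md5_site_a = legacy_md5_hash(password)
    md5_site_b = legacy_md5_hash(password)
    scrypt_site_a = scrypt_hash(password, os.urandom(16))
    scrypt_site_b = scrypt_hash(password, os.urandom(16))
    return {
        "md5_linkable": md5_site_a == md5_site_b,
        "scrypt_linkable": scrypt_site_a.split("$")[-1] == scrypt_site_b.split("$")[-1],
        "scrypt_site_a": scrypt_site_a,
        "scrypt_site_b": scrypt_site_b,
    }


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    result = same_password_two_sites(pw)
    print("MD5 digests identical across sites:", result["md5_linkable"])
    print("scrypt digests identical across sites:", result["scrypt_linkable"])
    # The user, holding the record and the password, can reproduce the hash:
    print("user can re-derive site A hash:", scrypt_verify(pw, result["scrypt_site_a"]))
```

The verification step reads every parameter back out of the stored record rather than from module constants, so a site can raise its cost parameters for new records without invalidating old ones; that is also what makes the record reproducible by its owner.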

The way I see it, any information that can be associated with an identified or identifiable person is personal information. So password hashes are personal information because they are definitely stored in the database in a way that is clearly associated with your email or other data that can identify you. However, I think there are two things to consider:

  • You wouldn't really be asking to see your personal data (it's a hash, you can't see the password), but actually how your personal data is stored. You probably have no right to know the details about how they store your data exactly, except maybe an official statement where they claim to follow all the best security practices, or follow some standards, etc.
  • Sending the hash to you might actually invalidate their security policies, standards, or practices, because it doesn't sound like it's a great idea to communicate a password hash to a user. If it is securely stored and managed in their systems, why risk lowering their security by communicating the hash to a user?

For the above reasons I think the GDPR principle of "security of personal data" (section 2) is definitely more important than your right to see the hash for no reason.

reed