GDPR came into force on May 25, 2018, thrusting the European Union (EU) into a new era of data and privacy rights. The purpose of the regulation is to provide a set of standardized data protection laws across the EU to increase privacy and extend the data rights of EU citizens. While this sounds like a noble objective, it has not been without its issues. The transition to GDPR compliance hasn’t been smooth for most companies.
The General Data Protection Regulation (GDPR) has been in full effect and many organizations still find themselves falling short of compliance. They are confused about how the regulation applies to password policy.
The main criticism of GDPR is that the wording is too vague, leaving companies to guess what is expected of them. In June 2018, media analyst Thomas Baekdal was quoted as saying “Pretty much everyone is breaking the law right now. ” This comment was in response to efforts companies had made in the months following the regulation coming into force.
You may recall that as soon as GDPR requirements came into force, your email inbox became inundated with emails from companies asking if you still wanted to subscribe to their newsletter. You may have had no recollection of subscribing to in the first place. Or that every website you visited asked you to tick several boxes before you could see the page. Or if you were in the EU, perhaps you could no longer see one of your favorite American websites that had not met GDPR compliance yet, so they choose to restrict access for European visitors until they could become compliant.
Even though companies knew they had to seek user consent for how their data was handled, how they went about this varied considerably. This is also true for GDPR password policies – there isn’t one standard followed by all companies because the wording is too vague.
GDPR says that personal data must be processed “in a manner that ensures appropriate security of personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Of course, what is “appropriate” is subjective, so companies must themselves decide what level of security protection is necessary. The GDPR document does go on to say that the “state of the art”, and “costs of implementation” should also be considered. However, the regulation does not set any specific requirements about passwords such as password length, complexity, or how often they should be renewed. With a lack of direction from the legislation, companies have been forced to decide what is appropriate to protect user data and protect themselves from a potentially hefty fine.
With the fines for non-compliance being so much higher than was allowed in previous data protection regulations, it’s in a company’s best interest to go a little overboard on cybersecurity measures, rather than implementing too little.
A GDPR compliant password policy must strive to secure company systems so personal data can be adequately protected. This means companies should consider security best practices when choosing what policies need to be implemented. Let us take a look at the information security best practices that will ensure GDPR compliance.
The purpose of a password is to restrict unauthorized individuals from accessing resources or data. GDPR is all about protecting this data. Your GDPR password policy should reflect the same. This means that having a strong password policy is essential if you want to be compliant with the regulation. The weaker the password, the more vulnerable the password is to brute force attacks, and the more efficiently your systems can be compromised.
Some traditional rules to avoid weak passwords are as follows:
Many of these traditional guidelines for passwords were established in the early 2000s and are being adapted as cybercriminals become sophisticated in their attack methods.
In addition to preventing weak passwords, many companies also have set rules for how often passwords need to be changed. NIST and Microsoft are now recommending against the forced periodic password reset for various reasons including the fact that the forced periodic password reset produces. Instead, NIST recommends using compromised password screening as it vastly reduces the effectiveness of breached or leaked passwords without impeding the user experience.
Additionally, in April of this year, it was revealed that social media giant Facebook had stored millions of users’ passwords in plaintext. Storing passwords in plaintext is huge data security faux-pas, and the IT community was rightly shocked at this revelation, although many organizations have recently admitted the same practice of storing user credentials in plaintext. A strong and compliant GDPR password policy should ensure that all passwords are encrypted and hashed in B-Crypt or another strong algorithm.
Furthermore, user, customer, or employee passwords should not be visible to the employees of the company, so they should never be stored in plaintext. It should be possible for someone on your company’s IT Helpdesk to reset a password without being able to see the previous password of the user. If employees can see the passwords of other employees, it could even make accounts outside the company vulnerable if that user reuses passwords or exhibits certain patterns in their password creation.
Read more on GDPR and other regulations: