How to create a GDPR-compliant password policy

The EU General Data Protection Regulation (GDPR) has applied since 25 May 2018. Its reach is not limited to organizations based in the European Union: any organization that processes the personal data of people in the EU, for example by offering them goods or services, falls under it, even if it maintains no local presence.

Like many data-protection regulations, GDPR says little about how a compliant security policy should be implemented. It never mentions passwords, but Article 32 requires "appropriate technical and organisational measures to ensure a level of security appropriate to the risk" for personal data. The procedures for accessing that data must therefore reflect every reasonable measure, because ignorance of a weakness is not a defence once customer data has been exposed.

Define a strong password

Your policy should set out what constitutes an acceptable password: one that cannot feasibly be recovered by a brute-force attack. An attacker who tries every combination of characters has to test up to (character-set size)^length candidates, so the longer the password and the larger the character set, the longer the search takes. Every extra character multiplies the search space by the size of the character set, which makes length the cheapest way to add strength.

Many services enforce a minimum of eight characters, including at least one digit and one special character. Eight is the floor that NIST SP 800-63B sets for user-chosen passwords, but the same guideline recommends against composition rules and in favour of screening candidates against lists of breached and commonly used passwords, because a password such as "P@ssw0rd1" satisfies every composition rule and is still among an attacker's first guesses. It's also important that the password is memorable, so users aren't tempted to write it down; a passphrase of several unrelated words achieves length without that cost.

Prohibit personal information

One of the biggest challenges concerning passwords is finding the right compromise between what's memorable and what's secure. Because forgotten passwords are a major inconvenience, many users write them down, often on a note near the machine, which is an extraordinarily bad idea. Others build passwords from personal information, such as birthdays or the names of family members or pets.

Attackers can often guess such passwords from publicly available information on social networks, and credential-guessing tools can turn a handful of names and dates into thousands of candidate passwords. Although it's difficult to enforce fully, train your employees on the dangers of using personal information in their passwords, particularly details that are public knowledge, and reject the most obvious ones at the point where the password is set.

Implement single sign-on

Many people have dozens of online accounts, and every one of them should have a different password: when credentials leak from one service, attackers try them against every other service they can think of (credential stuffing). However, unique passwords are easy to forget, which pushes users toward poor security habits.

In the workplace especially, it makes sense to implement single sign-on (SSO), so that employees authenticate once with a central identity provider and gain access to every system they need to do their jobs. Administrators can then manage access rights in one place and enforce the principle of least privilege. Single sign-on must not mean access to all the data in your company's care: one set of credentials now opens many doors, so it deserves strong authentication and an identity provider whose logins are monitored.

Don’t enforce regular resets

For years the standard advice was to make users change their passwords every three months. More recent guidance reverses this: forced rotation leads people to follow predictable patterns, such as incrementing a number at the end, which an attacker who already holds an old password can guess in a few attempts. There's also a higher chance of users forgetting the new password or, worse still, feeling the need to write it down.

The US Federal Trade Commission, for example, has advised since 2016 that employees shouldn't be forced to change their passwords on a schedule, and NIST SP 800-63B says the same. Instead, a change should be required only when there is evidence of compromise, for example when the service reports a potential data breach or the password turns up in a leaked list.
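As an added example that is not code from the original article or from Safebit Solutions, the following Python script enforces the points made under "Define a strong password" and "Prohibit personal information", and also rejects the incremented-suffix pattern described in this section. The minimum length, the assumed cracking rate, the denylist and the user profile are all constructed assumptions rather than values the article specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a breached/common-password list. A real deployment
# would screen against a large corpus (for example a Pwned Passwords export).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2023"}

MIN_LENGTH = 12             # assumed policy minimum (NIST SP 800-63B sets a floor of 8)
GUESSES_PER_SECOND = 1e11   # assumed offline cracking rate against a fast, unsalted hash
MIN_CRACK_YEARS = 1.0       # assumed threshold: reject anything exhaustible faster than this

# Reverse the usual letter-for-digit substitutions so "B1scu1t" is seen as "biscuit".
DELEET = str.maketrans("013457@$", "oieastas")


@dataclass
class UserProfile:
    """Details an attacker could harvest from social media (constructed example data)."""
    first_name: str
    last_name: str
    birth_year: int
    pet_name: str
    username: str

    def tokens(self) -> List[str]:
        raw = [self.first_name, self.last_name, self.pet_name,
               self.username, str(self.birth_year)]
        return [t.lower() for t in raw if len(t) >= 3]


def charset_size(password: str) -> int:
    """Size of the character set an attacker must assume from the classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # the remaining printable ASCII characters, space included
    return size


def brute_force_years(password: str) -> float:
    """Years to exhaust charset ** length at GUESSES_PER_SECOND.

    This is an upper bound that assumes the password was drawn uniformly from the
    character set. Dictionary words and personal details have far fewer candidates
    than the formula suggests, which is why the checks below are still needed.
    """
    space = charset_size(password) ** len(password)
    return space / GUESSES_PER_SECOND / (365 * 24 * 3600)


def contains_personal_info(password: str, profile: UserProfile) -> List[str]:
    """Return the profile tokens that appear in the password, leet-speak undone."""
    lowered = password.lower()
    deleeted = lowered.translate(DELEET)
    return [t for t in profile.tokens() if t in lowered or t in deleeted]


def is_trivial_rotation(previous: str, candidate: str) -> bool:
    """True when only the trailing digits/symbols changed (Summer2023! -> Summer2024!),
    the pattern that forced periodic resets tend to produce."""
    suffix = re.compile(r"[^a-z]+$")
    return suffix.sub("", previous.lower()) == suffix.sub("", candidate.lower())


def check_password(candidate: str, profile: UserProfile,
                   previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for a candidate password; empty means accepted."""
    violations: List[str] = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if brute_force_years(candidate) < MIN_CRACK_YEARS:
        violations.append("brute_forceable")
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("common")
    violations += [f"personal_info:{t}" for t in contains_personal_info(candidate, profile)]
    if previous is not None and is_trivial_rotation(previous, candidate):
        violations.append("trivial_rotation")
    return violations


if __name__ == "__main__":
    alice = UserProfile("Alice", "Martin", 1990, "Biscuit", "amartin")  # constructed
    for pw, prev in [("password", None),
                     ("B1scuit-Martin-2020", None),
                     ("Summer-2024!!", "Summer-2023!!"),
                     ("tulip ladder cobalt 94 river", None)]:
        print(f"{pw!r:34} -> {check_password(pw, alice, prev) or 'OK'}")
```

The brute-force estimate deliberately overstates the strength of anything a human would choose, since it treats every character as random; the denylist, personal-information and rotation checks are what catch the low-entropy passwords the formula misses.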

Stop relying on passwords

Passwords have long been central to cybersecurity, and that's not about to change anytime soon. However, they're especially vulnerable now that many attackers simply trick victims into handing over their credentials through phishing, or replay credentials leaked from other sites, rather than exploiting the technology itself. A password is a single layer of protection, which is not enough given the rise of cloud services and mobile technology, where the login page is reachable from anywhere.

As attack surfaces continue to expand, multifactor authentication (MFA) has never been more important. With MFA, a user must present a second proof of identity in addition to the password, at every login or at least when the login comes from an unrecognized device or network. Verification methods include codes from a mobile authenticator app, push approvals, hardware security keys, and fingerprints or facial recognition, among others. They are not all equal: a one-time code can be phished along with the password, whereas a FIDO2/WebAuthn security key is bound to the site's origin and resists that attack.

Safebit Solutions offers comprehensive technology solutions that are secure by design. Get in touch today to get the IT support you deserve.

