What does GDPR say?
There are no specific requirements under GDPR regarding passwords in terms of minimum length, capital letters, numbers, maximum periods of validity or required change frequency. However, you do have to demonstrate that you have data access procedures in place. We advise that all our clients have a password policy as part of their approach to managing safe and secure access to data.
GDPR does not preclude the use of usernames and static password logins. But one of the biggest risks with passwords is that if they are too difficult to remember, or change too frequently, people write them down or require resets because they’ve forgotten them. It’s important to bear this in mind when you create your Password Policy.
We may have passed the cut-off date for having plans and processes in place, but compliance is an ongoing journey. Furthermore, some areas, like password policies, are open to interpretation. The true work is just beginning in ensuring you are compliant with GDPR.
CREATING YOUR PASSWORD POLICY
We help our customers to create and implement Password Policies. If you don’t currently have this support, it’s important to get the right advice to put a policy in place. The most important thing to do is ensure:
- You have a Password Policy in place that details password requirements and validity periods
- Your employees know their obligations regarding the safe storage of their passwords (for example, by keeping them encrypted)
- You document your password creation and reset procedures. It’s vital that password resets can only be authorised by specific personnel. On first login, a user should be prompted to immediately change the temporary password they were given.
While two-factor authentication is becoming increasingly advised and talked about as a way of safely resetting passwords, it is not mandatory. However, having a password policy in place is vital to meet GDPR requirements for the ongoing safe and secure storage of, and access to, personal data.
Creating a password policy should be a joint effort between IT, HR and Compliance within your business. This will ensure the legal and regulatory requirements of your business are met. Password Policies can be:
- A part of your Employee Handbook
- An addendum to your IT Usage Policy
- A part of your Employment Contract
Training is a core principle in GDPR. However you implement your Password Policy, it’s essential that you ensure it is read, understood and adhered to by your employees, and that you have the right training and processes in place to make that happen.
Password Dos and Don’ts
The following checklist is a great starting point for drafting your Password Policy.
- Passwords should be changed every 90 days
- The 10 previous passwords used should not be available to reuse
- The system should automatically lock an account after 10 incorrect attempts, and unlock after 10 minutes
- Passwords should be a minimum of 8 characters, including 3 out of 4 of the following:
  - Upper case
  - Lower case
  - Numeric value
A good password is:
- Private: it is used and known by one person only
- Secret: it does not appear in clear text in any file or program, or on a piece of paper pinned to the monitor
- Easily Remembered: so there is no need to write it down
Avoid:
- Dictionary words from any major language. A password should not be guessable by any program in a reasonable time, for instance less than one week
- Personal information, such as names and birth dates
- Keyboard patterns, like qwerty or 12345. Particularly avoid sequences of numbers in order
- Common acronyms
- All one type of character – such as all numbers, all upper case letters, all lower case letters, etc.
- Repeating characters, such as mmmm333
- The same password you use for another application
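The checklist above maps directly onto a set of checks an application can run when a user picks a new password. The following is an added example, not code from the original post: a Python checker that applies the checklist's concrete rules (minimum 8 characters, 3 of 4 character classes, no repeated characters, no keyboard patterns or ordered digit sequences, no reuse of the last 10 passwords). The fourth character class (symbols), the run-length thresholds and the keyboard-pattern list are assumptions, since the page does not state them.

```python
import hashlib
import re
from typing import List

MIN_LENGTH = 8       # page: minimum of 8 characters
MIN_CLASSES = 3      # page: 3 out of 4 character classes
HISTORY_DEPTH = 10   # page: the 10 previous passwords may not be reused

# Upper, lower and numeric are named on the page; the fourth class is not
# listed there, so "symbol" (anything else) is an assumption made here.
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

# Constructed list of the keyboard patterns the page warns about.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345")

def digest(password: str) -> str:
    # Only digests enter the history, never cleartext. SHA-256 is enough to
    # demonstrate reuse detection; a production store would use a salted,
    # slow password hash instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def has_digit_sequence(s: str, run: int = 3) -> bool:
    # "Sequences of numbers in order", e.g. 345 or 543. Run length 3 is an
    # assumption; the page gives no threshold.
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False

def check_password(candidate: str, history: List[str]) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it passes.
    `history` holds digests of previous passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if sum(1 for p in CLASS_PATTERNS if re.search(p, candidate)) < MIN_CLASSES:
        problems.append("too few character classes")
    if re.search(r"(.)\1\1", candidate):       # e.g. the page's "mmmm333"
        problems.append("repeated characters")
    if any(k in candidate.lower() for k in KEYBOARD_PATTERNS):
        problems.append("keyboard pattern")
    if has_digit_sequence(candidate):
        problems.append("digit sequence")
    if digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("reused within last %d passwords" % HISTORY_DEPTH)
    return problems

def record_password(history: List[str], password: str) -> List[str]:
    """Append the new password's digest and keep only the last HISTORY_DEPTH."""
    history.append(digest(password))
    del history[:-HISTORY_DEPTH]
    return history
```

The "all one type of character" rule falls out of the class count (a digits-only password has one class), so it needs no separate check.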