GDPR came into force on May 25, 2018, thrusting the European Union (EU) into a new era of data and privacy rights. The purpose of the regulation is to provide a set of standardized data protection laws across the EU to increase privacy and extend the data rights of EU citizens. While this sounds like a noble objective, it has not been without its issues. The transition to GDPR compliance hasn’t been smooth for most companies.

The General Data Protection Regulation (GDPR) has been in full effect and many organizations still find themselves falling short of compliance. They are confused about how the regulation applies to password policy.

The main criticism of GDPR is that the wording is too vague, leaving companies to guess what is expected of them. In June 2018, media analyst Thomas Baekdal was quoted as saying “Pretty much everyone is breaking the law right now. ” This comment was in response to efforts companies had made in the months following the regulation coming into force.

You may recall that as soon as GDPR requirements came into force, your email inbox became inundated with emails from companies asking if you still wanted to subscribe to their newsletter. You may have had no recollection of subscribing to in the first place. Or that every website you visited asked you to tick several boxes before you could see the page. Or if you were in the EU, perhaps you could no longer see one of your favorite American websites that had not met GDPR compliance yet, so they choose to restrict access for European visitors until they could become compliant.

Even though companies knew they had to seek user consent for how their data was handled, how they went about this varied considerably. This is also true for GDPR password policies – there isn’t one standard followed by all companies because the wording is too vague.

What Does GDPR Requirements Say About Passwords?

GDPR says that personal data must be processed “in a manner that ensures appropriate security of personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

Of course, what is “appropriate” is subjective, so companies must themselves decide what level of security protection is necessary. The GDPR document does go on to say that the “state of the art”, and “costs of implementation” should also be considered. However, the regulation does not set any specific requirements about passwords such as password length, complexity, or how often they should be renewed. With a lack of direction from the legislation, companies have been forced to decide what is appropriate to protect user data and protect themselves from a potentially hefty fine.

With the fines for non-compliance being so much higher than was allowed in previous data protection regulations, it’s in a company’s best interest to go a little overboard on cybersecurity measures, rather than implementing too little.

What Should Be Considered for a GDPR Password Policy?

A GDPR-compliant password policy must strive to secure company systems so personal data can be adequately protected. This means companies should consider security best practices when choosing what policies need to be implemented. Let us take a look at the information security best practices that will ensure GDPR compliance.

The purpose of a password is to restrict unauthorized individuals from accessing resources or data. GDPR is all about protecting this data. Your GDPR password policy should reflect the same. This means that having a strong password policy is essential if you want to be compliant with the regulation. The weaker the password, the more vulnerable the password is to brute force attacks, and the more efficiently your systems can be compromised.

Some traditional rules to avoid weak passwords are as follows:

• Passwords should be a minimum of 8 characters in length but preferably longer. Longer passwords are much harder to crack using a brute force attack than a short password. Cybersecurity experts often argue that length is actually more important than complexity when it comes to passwords. They assert that the longer it is, the harder it is to crack. 8 characters was the standard guideline in account creation for a number of years, but many experts agree that the longer the password, the better. The new advice is to have them be at least 12 characters. Some security experts now say it should be 16 or 20 characters.
• New passwords must be different from previously used passwords. Unfortunately, data breaches are surprisingly common, and a password you have used previously may be in a database on the dark web. Reusing passwords makes a hacker’s job far too easy, so it should be avoided at all costs. This also applies to the use of variations of previous passwords where only a small element of the password is changed, such as one number or one letter.
• Avoid dictionary words. A ‘dictionary attack’ is a type of brute force attack where the hacker will run a script that will try various combinations of dictionary words to conduct an account takeover. For this reason, users should avoid dictionary words or combining only two dictionary words.
• The password should not contain personal information. Again, this one is about not making it easy for the hacker. For example, say your favorite football team is the Denver Broncos. You wear your Broncos shirt, have a mug with the logo on it, and comment about them regularly and publicly on social media. It wouldn’t be wise to use “DenverBroncos1” as your password. Using any information that is known about you is a bad idea, so this also applies to the names of your children or pets, or where you grew up.
• A strong password should contain at least one character from each of the four-character categories. These categories are numbers, uppercase letters, lowercase letters, and special characters such as punctuation. This adds complexity to the password, making it harder for a hacker to crack with a brute force attack.
• Use a pass-phrase instead of a password.  The security industry is encouraging pass-phrases instead of just passwords.  Passphrases are harder to crack and difficult to guess if created correctly.  Should be at least 4 unrelated words such as PurpleRainbowTigerSlowly. 

Many of these traditional guidelines for passwords were established in the early 2000s and are being adapted as cybercriminals become sophisticated in their attack methods. 

Password Policy for Reset and Storage

Password-related policies are also changing as new lower user-friction technology emerges. 

In addition to preventing weak passwords, many companies also have set rules for how often passwords need to be changed.  NIST and Microsoft are now recommending against the forced periodic password reset for various reasons including the fact that the forced periodic password reset produces. Instead, NIST recommends using compromised password screening as it vastly reduces the effectiveness of breached or leaked passwords without impeding the user experience.

Additionally, in April of this year, it was revealed that social media giant Facebook had stored millions of users’ passwords in plaintext. Storing passwords in plaintext is huge data security faux-pas, and the IT community was rightly shocked at this revelation, although many organizations have recently admitted the same practice of storing user credentials in plaintext. A strong and compliant GDPR password policy should ensure that all passwords are encrypted and hashed in B-Crypt or another strong algorithm. 

Furthermore, user, customer, or employee passwords should not be visible to the employees of the company, so they should never be stored in plaintext. It should be possible for someone on your company’s IT Helpdesk to reset a password without being able to see the previous password of the user. If employees can see the passwords of other employees, it could even make accounts outside the company vulnerable if that user reuses passwords or exhibits certain patterns in their password creation.

Other Recommendations for GDPR:

• Any remote users on your company’s network should be using a secure Wi-Fi network and a VPN to make sure any transmitting data is protected.
• Multi-factor authentication should be used for remote users connecting to the company network.
• There must be a policy in place to ensure the swift removal of ex-employees or employees who no longer need access to specific systems. An important component of GDPR is that people should only have access to personal data if it’s appropriate for their role, and that data shouldn’t be held unnecessarily.
• Check your level of security by conducting regular security testing. Ensure that authorized access is working as intended and that any vulnerabilities in the system have been identified so that the security team can take action. 
• Protect systems with anti-virus software, anti-malware, and anti-phishing. Verify that firewalls are enabled.
• Implement comprehensive security training for all employees. Employees of all levels, including senior management, need to undertake cybersecurity training. This training should focus on spreading awareness of best practices and highlighting the risks of failing to comply with the guidelines. Cybersecurity training should also be repeated regularly so employees can build up a working knowledge and are less likely to forget what they have learned. 
• Screen employee and customer accounts proactively for compromised credentials, weak passwords, or passwords that are commonly found in cracking dictionaries. It is another layer of data security for all your stakeholders that does not create any additional friction. 

Read more on GDPR and other regulations:

• How to Strengthen Password Policies to Stay Compliant with GDPR
• Are PSD2 SCA Options Too Narrow in Scope?