In November 2021, France’s Supervisory Authority, the Commission nationale de l’informatique et des libertés (CNIL), published its draft recommendation on password management, which was open to public consultation until 10 December 2021. Passwords remain the most popular account authentication method, so having an effective password policy and password management system in place is critical.
According to a 2018 study by TraceSecurity,[1] 81% of company data breaches were caused by poor passwords, while the CNIL states that 60% of breach notifications in France in 2021 were related to hacking, most of which could have been avoided with better password management practices. Considering that ‘123456’, ‘qwerty’ and, yes, ‘password’ are still among the most common passwords used by individuals, this is not so surprising. Below, we take a look at the key risks poor password management presents, and how organisations can tackle them.
Risks associated with poor password management
Poor password management can put both the individual and the organisation at risk. Depending upon the individual’s level of access to the organisation’s systems and whether other safeguards like Multi-Factor Authentication (MFA) are in place, a compromised password could be anything from merely annoying to absolutely catastrophic for a business. Risks arise at every stage of the password management cycle.
General recommendations
Article 32 of both the UK and EU GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security consistent with the specific risks that the processing being undertaken creates. Essentially, organisations must take a risk-based approach when determining what level of security they consider necessary to protect the personal data they hold. There are myriad measures that organisations can take to protect the personal data in their care, some of which come with an eye-watering price tag. Password management, on the other hand, is a relatively inexpensive and simple measure that can vastly reduce your likelihood of a data breach.
As such, the CNIL recommends that all organisations guarantee a minimum level of password security by stipulating minimum length and complexity requirements. Where no additional measures are in place, it recommends that this should be equivalent to 80 bits of entropy.
Password entropy
Password entropy is a measure of how unpredictable, and therefore how hard to guess, a password is. To create a password with a high level of entropy, individuals should avoid “easy-to-remember” passwords. Those of you who use ‘abc123’, ‘111111’ and ‘welcome’ – we are talking to you.
The same goes for the “classic” derivations (for example, for the word kangaroo, attackers also test combinations such as k4ng4roo, kangaroo1 or KaNgArOo). When individuals are free to pick passwords that are not strictly random, the password management policy should prioritise password length over complexity, since length does more for entropy. Organisations may instead insist that individuals choose a series of words, and these words should be unrelated to each other (like BeachCatRunning).
The level of password entropy you as an organisation require your employees’ or users’ passwords to have will depend upon what other mechanisms you have in place to prevent unauthorised access:
In other words, the less you rely solely on passwords as your method of authentication, the less strict you need to be with the level of complexity you require from them.
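To make the 80-bit figure concrete, here is an added example (not from the CNIL recommendation or the original article) that computes the entropy of the usual policy models: random characters drawn from chosen character classes, and unrelated words drawn from a word list. It assumes every character or word is chosen uniformly at random, so the numbers are upper bounds; the 10,000-word vocabulary and 7,776-word list sizes are assumptions for illustration.

```python
import math
import string

# Character classes a password policy typically lets users draw from
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10,
               "symbols": len(string.punctuation)}  # 32 printable ASCII symbols
ALL_CLASSES = list(CLASS_SIZES)
TARGET_BITS = 80  # the CNIL figure for a password used without additional measures

def random_password_entropy(length, classes):
    """Bits of entropy for `length` characters drawn uniformly at random from the
    union of `classes`. This is an upper bound: human-chosen passwords and their
    derivations (kangaroo1, K4ng4roo) are far more predictable than the model."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)

def passphrase_entropy(words, wordlist_size):
    """Bits for `words` unrelated words, each picked uniformly at random from a
    list of `wordlist_size` entries (the BeachCatRunning style)."""
    return words * math.log2(wordlist_size)

def min_length_for(target_bits, classes):
    """Shortest random password over `classes` that reaches `target_bits`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return math.ceil(target_bits / math.log2(alphabet))

def words_for(target_bits, wordlist_size):
    """Fewest words from a `wordlist_size` list that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def meets_target(bits, target_bits=TARGET_BITS):
    return bits >= target_bits

if __name__ == "__main__":
    schemes = [
        ("8 chars, all four classes", random_password_entropy(8, ALL_CLASSES)),
        ("12 chars, lowercase only", random_password_entropy(12, ["lower"])),
        ("18 chars, lowercase only", random_password_entropy(18, ["lower"])),
        ("3 words, 10,000-word vocabulary", passphrase_entropy(3, 10_000)),
        ("7 words, 7,776-word list", passphrase_entropy(7, 7776)),
    ]
    for name, bits in schemes:
        verdict = "meets" if meets_target(bits) else "below"
        print(f"{name:34s} {bits:6.1f} bits  {verdict} {TARGET_BITS}")
    print("lowercase-only length needed:", min_length_for(TARGET_BITS, ["lower"]))
    print("all-class length needed:     ", min_length_for(TARGET_BITS, ALL_CLASSES))
    print("words needed from 7,776-list:", words_for(TARGET_BITS, 7776))
```

The output shows why length wins: the classic "8 characters with all classes" rule lands around 52 bits, while 18 lowercase letters or 7 random words clear 80 bits on their own.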
Storage and renewal
Regarding storage, passwords should never be stored in plain text in batch files, automatic logon scripts, software macros, terminal function keys, on computers without access control systems, or in other locations where unauthorised persons might discover them. Similarly, they must not be written down in readily decipherable form and left in a place where other people may access them; this includes notebooks in desk drawers and plain-text files on computers. Instead, passwords should be stored in hashed form with an added ‘salt’ (random data mixed in before hashing) so that they remain unreadable if the store is compromised. The UK’s National Cyber Security Centre (NCSC) recommends using an online password manager tool such as LastPass to ensure passwords are kept securely.
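The salted-hash storage described above, as an added example that is not part of the original article: each password gets its own random salt, the derived key is computed with PBKDF2-HMAC-SHA256 from Python’s standard library, and the stored record carries the algorithm and work factor so it can be upgraded later. The iteration count and record layout are choices made for this example, not values from the CNIL or NCSC guidance.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; chosen for this example, tune to your hardware
SALT_BYTES = 16        # 128-bit random salt, generated fresh for every password

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key from the password with a fresh random salt and return a
    self-describing record 'alg$iterations$salt_hex$key_hex' for the database.
    Because the salt differs per user, two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed lookup table for all accounts at once."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"

def _parse(record: str):
    """Split a stored record; return None rather than raise on malformed input."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None

def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str) -> bool:
    """True when the record uses a weaker work factor than the current setting;
    re-hash at the user's next successful login, when the plaintext is available."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < ITERATIONS

if __name__ == "__main__":
    rec = hash_password("BeachCatRunning")   # constructed sample password
    print(rec)
    print("correct password accepted:", verify_password("BeachCatRunning", rec))
    print("wrong password rejected:  ", not verify_password("beachcatrunning", rec))
```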
In terms of changing or renewing passwords, the NCSC has updated its own guidance in the last couple of years to steer away from enforcing regular changes of individuals’ passwords. Whilst the idea was that it would make it harder for hackers to guess passwords, in reality it just made them more difficult for users to remember, leading individuals to choose simpler passwords and to make only small edits to the original password at each renewal.
However, when passwords do need changing, either because they have been compromised or forgotten, it is recommended that organisations give data subjects the means to change their passwords independently.
Breaches
If, despite your best efforts, a data breach affecting a password, or data linked to its renewal, does occur, it is recommended that the organisation notify the affected individuals without delay, force them to change their password at their next login, and recommend that they change it on any other service where the same password is used.
Password management
There are two strands to managing the use of passwords effectively in your organisation. First are the technical measures you can take to enforce the level of complexity you require. Platforms such as Microsoft’s, whilst setting a default level of password complexity, allow you to customise the requirements a password must meet in order to be accepted by the platform. This forces individuals to create passwords that fulfil whatever criteria you set, e.g. more than 8 characters, with numbers, letters and symbols. In addition, you can set other parameters, such as forcing users to change default passwords upon first login and locking accounts after a certain number of incorrect password attempts, as well as making the use of MFA mandatory for at least those individuals with higher access rights.
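Two of the parameters just listed, forced change of a default password at first login and lockout after repeated failures, as an added example that is not from the original article or any particular platform. The threshold of 5 attempts and the 15-minute lockout are assumed policy values, and the plain string comparison stands in for the salted-hash verification a real store would use.

```python
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # assumed policy value: failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy value: how long the account stays locked

@dataclass
class Account:
    username: str
    password: str                       # stands in for the salted hash a real store keeps
    must_change_password: bool = True   # True until the default password is replaced
    failed_attempts: int = 0
    locked_until: float = 0.0           # timestamp in seconds; 0 means not locked

def attempt_login(account: Account, password: str, now: float) -> str:
    """Apply the policy and return "locked", "denied", "change_required" or "ok".
    `now` is passed in rather than read from time.time() so callers control the clock."""
    if now < account.locked_until:
        return "locked"              # refuse outright, do not even check the password
    if password != account.password:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "denied"
    account.failed_attempts = 0      # a successful login clears the counter
    account.locked_until = 0.0
    if account.must_change_password:
        return "change_required"     # route to the change-password form, not the app
    return "ok"

def change_password(account: Account, current: str, new: str) -> bool:
    """Replace the password after re-checking the current one and clear the
    first-login flag so the default password can no longer be used. Length and
    entropy checks on `new` belong here too (omitted in this example)."""
    if current != account.password or new == current:
        return False
    account.password = new
    account.must_change_password = False
    return True

if __name__ == "__main__":
    acct = Account("alice", "Welcome1")   # constructed: a default password
    print(attempt_login(acct, "Welcome1", now=0.0))       # change_required
    change_password(acct, "Welcome1", "coral-ladder-pencil-night")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(acct, "guess", now=1.0))      # denied; the fifth also locks
    print(attempt_login(acct, "coral-ladder-pencil-night", now=2.0))   # locked
```

A hard lockout also lets anyone who knows a username lock its owner out, so many deployments prefer a growing delay between attempts; the counting logic is the same.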
Second are the organisational measures you can put in place to ensure best practice not just in choosing a password, but also in how it is stored, shared and so on. It is recommended that organisations create a password policy that covers things such as:
Individuals should be made aware of the risks related to poor password management and compromised passwords, and of the behaviour to adopt in such an event.
Taken together, the technical and organisational measures discussed above can help to create an effective password management system. Such a system, although fairly simple to implement, will make your organisation far less vulnerable to hacking and brute-force attacks – reason enough, we believe, why ‘password’ should never be your password.
[1] TraceSecurity, “81% of company data breaches due to poor passwords” (14 August 2018).