Understanding ICO Password Recommendations

Passwords may be a small part of GDPR requirements, but they also represent the easiest way to gain unauthorized access to personally identifiable data. To help organizations follow GDPR data privacy compliance, the Information Commissioner’s Office (ICO) has updated its guidance to provide password recommendations under GDPR. ICO oversees the rollout of the GDPR and is committed to helping businesses meet GDPR requirements. Unfortunately, many organizations struggle to adopt the new trends in password security.

A Good Password System

According to the ICO guidance, a good password system should make it difficult for attackers to access stored passwords in a useable form and should protect against brute force or guessing attacks. It also needs to achieve this without placing an additional burden on users. Complex password rules are ineffective in defending against various password attacks and can drive users to make bad password decisions.

The ICO recommends the following password policy settings:

  • Password length: minimum length should be ten characters and there should be no maximum
  • Password complexity: don’t mandate the use of special characters
  • Password blacklisting: block the use of common and weak passwords. Screen passwords against a password blacklist of the most commonly used passwords, leaked passwords from breaches and guessable words related to the organization. Update the blacklist service annually and explain to users why their passwords have been rejected
  • Password expiry: get users to create strong passwords and only set password expirations when there are pressing reasons, such as data a breach

Defenses Against Attacks

To prevent brute force attacks, ICO recommends defenses such as the use of CAPTCHA, whitelisting IP addresses and time limits or delays after failed authentications. However, most importantly, ICO advises that organizations limit the number of incorrect login attempts, but it doesn’t specify the threshold because it should be based on observed behaviors of both attackers and users. If you need clearer guidance on this, other authorities on cybersecurity such as the National Cyber Security Centre (NCSC) and the Cyber Essentials scheme suggest locking accounts after ten failed attempts.

There are times when unsuccessful login attempts are from legitimate users, it is important that you provide a password recovery method. When it comes to password recovery, the ICO recommends deploying a secure password reset process. It advises against sending passwords over email or having a service desk staff read out a user’s password over the phone. If password recovery over the phone is required, set a temporary password for the account.

Achieving GDPR Password Compliance

Securing passwords is critical to data security and GDPR compliance. With the help of a full-featured password solution, you can easily implement all of the ICO’s password recommendations. With Specops Password Policy, you can replace complexity by banning weak passwords and allowing passphrases to enforce secure policies without burdening users. Additionally, it includes a password filtering feature that checks against a continuously updated list of compromised, common and predictable passwords.

Another recommended security feature is multi-factor authentication for password resets. When the username and password are compromised or forgotten, an additional identity service or more are required to reset passwords so the account is still guarded. This extra layer of protection is effective in fending off malicious attackers, by making it more costly and time-consuming for attackers to penetrate these accounts.

If you are currently implementing new or enhanced security processes to achieve compliance, improving password security is a quick win for organizations striving to comply with GDPR. Learn more here.

The GDPR is a European Union law that protects the data privacy of its residents, and imposes a wide range of requirements on any organization that collects or processes personal data of individuals in the EU. Under GDPR, organizations are required to process personal data “in a manner that ensures appropriate security of personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Although GDPR does not have any specifications around passwords, they remain an important safeguard to prevent unauthorized access to sensitive data.

Brought to You by

What’s Hot on Infosecurity Magazine?