GDPR Password Policy

The General Data Protection Regulation (GDPR) is an act of legislation that has the objective of improving privacy protections for EU citizens. GDPR applies to every organization that collects, processes, shares, or stores the personal information of data subjects in the European Union, regardless of where the organization is located or where the data subject is located at the time data is collected.

A search of GDPR's text for the word ‘password’ will not return any results, but that does not mean a GDPR password policy is not required. Passwords are an important safeguard to secure accounts and prevent unauthorized individuals from accessing sensitive data, so, while not explicitly stated in the legislation, if passwords are used, their creation, use, and security need to be covered by a GDPR password policy.

What Should a Password Policy Include?

As there is no direct guidance for what a GDPR password policy should include, organizations should conduct a Data Protection Impact Assessment to determine what measures should be implemented to meet the requirement that data is collected, processed, shared, or stored “in a manner that ensures appropriate security of the personal data”. It is also important that, whatever the GDPR password policy consists of, the policy is enforceable.

Once the assessment is complete, one of the best ways to determine the content of a GDPR password policy is to follow the recommendations of the U.S. National Institute of Standards and Technology (NIST). Although developed for federal agencies, the NIST password recommendations have a four-tier structure, with increasing levels of account protection depending on the sensitivity of data collected, processed, or stored.

Most organizations should only need Level 2 or Level 3 protection to comply with the GDPR data protection requirements, in which case a typical GDPR password policy should stipulate:

  • Passwords must be unique for each account and either consist of a long, complex password or a passphrase containing three random and unconnected words.
  • Passwords providing access to GDPR-covered data must not be shared between users or re-used, so that access monitoring, logging, and auditing requirements can be satisfied.
  • Passwords and passphrases should not be stored in plain text (e.g., in an Excel spreadsheet or on a sticky note) and, if stored electronically, should be encrypted.
  • Sensitive data (as defined by the EU) is subject to specific conditions and should be protected by a secondary mechanism such as multi-factor or biometric authentication.
  • Mechanisms need to exist that prevent the use of weak and re-used passwords and passphrases, and passwords known to have been compromised in a data breach.

NIST recently changed its guidance on periodic password changes. Whereas previously, a change of passwords every 90 days was recommended, NIST now suggests password changes are only necessary when weak, re-used, or compromised passwords are identified, or when users with access to legitimately shared passwords and passphrases leave the organization.

Enforcing a GDPR Password Policy

In most organizations, user passwords are assigned by an IT department when a user first starts working with the organization. However, there may be occasions when the user needs to create an online account that requires login credentials. In these circumstances it is important that the GDPR password policy is enforced to mitigate the risk of security issues attributable to unauthorized data access.

The way to enforce a password policy is to implement a password manager that supports enterprise policies. A password manager with these capabilities can prevent users from creating weak passwords or passphrases, prevent their re-use on any other account, and check each password on creation against blacklists of passwords known to have been compromised in previous breaches.

In many cases, password managers with these capabilities will also include a configurable password generator so IT Admins can stipulate the minimum requirements for password creation and store encrypted passwords in a secure vault. Other capabilities to look for include Single Sign-On authentication, checks for inactive multi-factor authentication, and mechanisms that identify when login credentials have been saved for unsecured websites (i.e., those with an http:// prefix).
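The checks listed above (unique per account, long password or three-word passphrase, not re-used, not on a breach list, not saved for an http:// site) are the kind of logic a policy-aware password manager applies at creation time. The following Python is an added illustration written for this page; it is not code from the article or from any password manager product. The minimum length of 12 characters and the three-character-class rule are assumed policy values (the article fixes no numbers), the breach list is a constructed sample, and comparing SHA-1 digests rather than plaintext is an assumed mechanism chosen because breach corpora are commonly distributed as SHA-1 digests. The generator at the end shows the configurable-generator capability the last paragraph mentions.

```python
import hashlib
import re
import secrets
from urllib.parse import urlsplit

# Assumed policy parameters (the article sets none of these numbers).
MIN_PASSWORD_LEN = 12        # long, complex password
MIN_CHAR_CLASSES = 3         # of lower / upper / digit / symbol
MIN_PASSPHRASE_WORDS = 3     # "three random and unconnected words"

# Constructed sample breach list: SHA-1 digests of a few passwords that a
# real compromised-password corpus would contain. Not real breach data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "letmein", "Summer2019!")
}

# Constructed word list for the generator; a real deployment uses a large one.
WORDLIST = ["anchor", "velvet", "meadow", "copper", "lantern",
            "orbit", "fossil", "harbor", "tundra", "saffron"]


def sha1_hex(secret: str) -> str:
    """Digest used only for equality checks against breach and reuse sets."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def is_complex(secret: str) -> bool:
    """Long password with enough distinct character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    present = sum(1 for c in classes if re.search(c, secret))
    return len(secret) >= MIN_PASSWORD_LEN and present >= MIN_CHAR_CLASSES


def is_passphrase(secret: str) -> bool:
    """Three or more distinct words. 'Unconnected' cannot be judged
    mechanically, so only distinctness is enforced here."""
    words = [w.lower() for w in secret.split()]
    return len(words) >= MIN_PASSPHRASE_WORDS and len(set(words)) == len(words)


def insecure_site(url: str) -> bool:
    """Credential saved for a plain-http login page (no transport protection)."""
    return urlsplit(url).scheme.lower() == "http"


def evaluate(secret: str, account: str, vault: dict, site_url: str = None) -> list:
    """Return the policy violations for storing `secret` under `account`.

    `vault` maps account name -> SHA-1 digest of the password already stored
    for it (a stand-in for the manager's encrypted vault). An empty list means
    the credential is compliant with the assumed policy.
    """
    problems = []
    if not (is_complex(secret) or is_passphrase(secret)):
        problems.append("weak")
    digest = sha1_hex(secret)
    if digest in BREACHED_SHA1:
        problems.append("compromised")
    if any(h == digest and a != account for a, h in vault.items()):
        problems.append("reused")
    if site_url is not None and insecure_site(site_url):
        problems.append("insecure_site")
    return problems


def generate_passphrase(words: int = MIN_PASSPHRASE_WORDS) -> str:
    """Generator honouring the passphrase rule: distinct words chosen with a
    cryptographically secure RNG."""
    return " ".join(secrets.SystemRandom().sample(WORDLIST, words))


if __name__ == "__main__":
    vault = {"mail": sha1_hex("Tr0ub4dor&3!Xyz")}
    for cand, acct, url in [("password123", "bank", None),
                            ("Tr0ub4dor&3!Xyz", "bank", None),
                            ("correct horse battery staple", "forum", "http://forum.example/login"),
                            (generate_passphrase(), "wiki", "https://wiki.example/")]:
        print(f"{acct:6} {cand!r}: {evaluate(cand, acct, vault, url) or 'ok'}")
```

The reuse check compares digests across accounts rather than plaintext so the comparison can run against a vault without decrypting every entry; the breach check is a set lookup, which is how an offline copy of a compromised-password corpus is consulted.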