Password Compliance

When security companies provide advice about password compliance, it is often in terms of complying with regulatory standards that exist in specific industries (e.g., HIPAA, SOX) or in specific locations (e.g., GDPR, CCPA).

However, password compliance is not just for organizations operating in regulated environments. Every organization needs to protect accounts against unauthorized access and data against theft and/or loss regardless of the industry in which it operates or the location of its data subjects.

It is generally accepted that the best way to protect accounts and data is by developing and enforcing a strong password policy; but with so many password compliance models to choose from, which is the best to use when an organization is not tied to regulatory standards?

To help organizations develop password policies – and to remind organizations in regulated environments of their password compliance obligations – we have compiled a list of the most often used regulatory standards with links to where you can find further information about each.

Industry-Specific Password Regulatory Compliance

The first thing to be aware of with regards to password regulatory compliance is that regulatory standards are usually the minimum standards organizations are required to adopt. It is recommended to adopt standards beyond the minimum to better protect accounts and data.

It is also important to note password compliance regulations are often open to interpretation. This point is discussed in our article about password regulatory compliance along with examples of how industry-specific data protection laws may not be sufficient for protecting sensitive data.

PCI DSS Password Requirements

One of the industry-specific data protection laws criticized in the article is the Payment Card Industry Data Security Standard (PCI DSS). The cause of the criticism is extremely weak PCI DSS password requirements which fail to adequately protect customer data against brute force attacks.

It is also the case that PCI DSS requires passwords to be changed every ninety days. This requirement has been shown not to mitigate account compromise, because users often change only a single character (e.g., passwordfor2020 to passwordfor2021), a pattern that is simple for an algorithm to test or for an attacker with knowledge of the previous password to guess.

HIPAA Password Requirements

The language of the Health Insurance Portability and Accountability Act (HIPAA) is deliberately technology-neutral because the Act covers many different types of organizations in the healthcare and health insurance industries, and it would be hard to find a one-size-fits-all solution.

Nonetheless, the Act is clear about the HIPAA password requirements inasmuch as Covered Entities are required to “assign a unique name and/or number for identifying and tracking user identity to verify that a person or entity seeking access to ePHI is the one claimed” and implement “procedures for creating, changing, and safeguarding passwords.”

SOX Password Requirements

The Sarbanes-Oxley Act (SOX) isn't mentioned in the password compliance article because there are no industry-specific SOX password requirements. The reason for mentioning SOX here is that the SEC has now twice issued guidance on disclosure obligations relating to cybersecurity and cyberattacks.

In the context of password compliance and data breaches, the SEC reminds companies of the requirement to disclose “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision”. This requirement applies not only to SOX filings, but also to Regulation S-K filings, Regulation FD filings, etc.

Location-Specific Password Regulatory Compliance

Although there are federal data protection laws, they generally apply to specific government agencies (e.g., Driver's Privacy Protection Act), specific types of data (e.g., Family Educational Rights and Privacy Act), or specific circumstances (e.g., Children's Online Privacy Protection Act).

Following the passage of the EU's General Data Protection Regulation (GDPR), several states have introduced legislation relating to data protection for data subjects who ordinarily reside in the state – even if the organization collecting, processing, or maintaining the data is located outside the state, and the data subject is outside the state at the time data is collected.

GDPR Password Requirements

GDPR represented a significant step for data protection by being the first international legislation to require the data of EU data subjects to be protected regardless of where the organization is located, or where the EU data subject is at the time of data collection.

While the legislation doesn't specifically mention GDPR password requirements, the regulation requires organizations to collect, process, or maintain personal data “in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data” – implying that protections such as passwords are necessary.

CCPA Password Requirements

Of the states that have introduced legislation relating to data subjects, California's Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) most closely align with the requirements of GDPR. In addition, CCPA introduced the concept of “probabilistic identifiers” which makes it more likely an organization could be in violation of the Act if a data breach occurs.

Like GDPR, there are no specific CCPA password requirements. However, it has been suggested by security experts that, in order to demonstrate compliance with CCPA, organizations should adopt the principles of the National Institute of Standards and Technology (NIST) Cybersecurity Framework which include the NIST password recommendations.

Developing and Enforcing a Password Compliance Policy

Taking guidance from the industry-specific and location-specific password standards, the development of a password compliance policy should be completed after conducting a risk assessment to identify threats such as weak, re-used, and shared passwords.

The policy should take into account password best practices as prescribed by NIST and others, and include all systems in which data are collected, processed, or maintained. It is also important the policy is enforced across all devices, operating systems, and platforms.

However, it is impossible to manually enforce a password compliance policy in a large organization in which tens of thousands of passwords and their use may need to be monitored. For this reason, security companies recommend organizations implement password managers with capabilities such as end-to-end encryption, detailed event logs, and password health checks.

There are several suitable password managers available, and we have compiled a comparison of the leading candidates which focuses on ease of use. This is because, if a password manager is hard to install and configure – or too complicated for end users to understand – people will take shortcuts to avoid using the technology, and those shortcuts could undermine your password compliance efforts.