The Minimum Standards for Password Regulatory Compliance

Few federal or state laws stipulate minimum standards for password regulatory compliance. However, a growing number of consumer privacy laws require organizations to “implement and maintain reasonable security procedures” in order to protect data from unauthorized access, disclosure, or theft – which implies the use and safe-keeping of passwords is a necessity.

In 2018, the passage of the California Consumer Privacy Act (CCPA) started the ball rolling for a host of legislation intended to enhance consumer privacy rights. Nevada and Virginia quickly enacted similar legislation, while bills based on the Californian model – and subsequent amendments in the California Privacy Rights Act (CPRA) – were introduced in fifteen further states and at federal level.

While the majority of legislation focuses on consumers' rights to know what data is being collected, how it is being used, and whether it is being shared or sold, there are also provisions for data protection. These again typically follow the Californian model, requiring organizations to “implement and maintain reasonable security procedures” without stipulating what constitutes “reasonable”.

At this point it is important to note that CCPA and CPRA apply to organizations that collect, process, store, or sell the personal data of any Californian resident, regardless of where the organization is located or where the California resident is located at the time the data is collected. A similar scope applies in Nevada and Virginia, and in many of the other state bills under consideration.

Consequently, in order to comply with consumer privacy laws, it is advisable for all organizations that collect, process, store, or share personal data to determine what standards are considered reasonable. One of the best places to start looking for an acceptable definition of reasonable is industry-specific data protection laws designed to prevent unauthorized access, disclosure, or theft.

Industry-Specific Data Protection Laws

Most industries have data protection laws – but the only industry with minimum standards for password regulatory compliance is the payment card industry. The Payment Card Industry Data Security Standard (PCI DSS) was released in 2004, and although individual card issuers had their own standards before this date, compliance with the Standard has since become a condition of accepting credit and debit card payments. The Standard is designed to protect cardholder data and states:

  • Passwords must be a minimum of seven characters in length.
  • They must consist of both numbers and letters.
  • Users are required to change passwords every 90 days.
  • New passwords must be different from the previous four passwords.
  • Passwords must be unique to each user and changed after first use.
  • Password lockouts must remain active for 30 minutes.
  • Vendor-supplied default passwords must be changed upon installation.
  • Passwords must be encrypted while in transit and at rest.

Although the PCI DSS has been updated since 2004, its minimum standards for password regulatory compliance are not sufficient to prevent one of the most common causes of data breaches – brute force attacks against weak passwords. Simple seven-character passwords that use dictionary words with any combination of numbers can be cracked within seconds. For example, we tested “Pass001” on Bitwarden's password strength testing tool and found it could be cracked in 25 seconds.

Consequently, it is advisable to also look at industry-specific data protection laws which aim to protect more valuable data than cardholder data. In the case of the healthcare industry, the law governing data protection is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires organizations that collect, process, store, or share personal data to implement “procedures for creating, changing, and safeguarding passwords” without being any more specific.

Elsewhere in the Act, organizations are required to conduct risk assessments, analyze vulnerabilities, and implement measures to prevent the unauthorized access, disclosure, or theft of personal data. Failure to go through these processes can result in regulatory fines even if no data breach results from the lack of compliance, and several other laws are now taking a lack of compliance more seriously. The CCPA, for example, allows the Californian Attorney General to fine organizations that fail to “implement and maintain reasonable security procedures” even if no harm occurs.

Password and Password Management Best Practices

Even if your organization is not subject to state or industry-specific password regulatory compliance, it is likely at some stage there will be a federal or state law that requires you to review how data is protected and implement security best practices where necessary. Because it is better to protect data sooner rather than later, it is a good idea to implement these password and password management best practices to protect any data the organization collects, processes, stores, or shares.

Always use strong and unique passwords

As seen above, it only takes a few seconds to crack weak passwords, and brute force tools are getting smarter all the time. Develop policies requiring passwords to have a minimum of twelve characters, and enforce the policies using a password manager. Some password managers can identify re-used passwords and passwords that may have been compromised in a phishing attack. Take advantage of these capabilities whenever possible.
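As an added illustration (not code from the article or from any password manager), the following Python encodes the PCI DSS minimums listed earlier (seven characters, letters and digits, 90-day rotation, no reuse of the previous four, 30-minute lockout) as one policy profile and the twelve-character floor recommended here as a second, then checks a proposed password against either. The `RECOMMENDED` profile's rotation, history and lockout values are carried over from PCI DSS as an assumption; "Pass001" is the article's own example and passes the PCI DSS profile but not the stricter one.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    min_length: int       # minimum password length
    max_age_days: int     # forced change interval
    history_size: int     # how many previous passwords may not be reused
    lockout_minutes: int  # how long an account lockout stays active

# PCI DSS minimums exactly as the list earlier in the article states them.
PCI_DSS_MINIMUM = Policy(min_length=7, max_age_days=90, history_size=4, lockout_minutes=30)
# Twelve-character floor recommended by the article; other values reused from PCI DSS (assumption).
RECOMMENDED = Policy(min_length=12, max_age_days=90, history_size=4, lockout_minutes=30)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the password history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_new_password(password: str, history: List[Tuple[bytes, bytes]], policy: Policy) -> List[str]:
    """Return the policy violations for a proposed password (empty list means acceptable).
    `history` holds (salt, digest) pairs for earlier passwords, oldest first."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")
    for salt, digest in history[-policy.history_size:]:       # only the last N entries count
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append(f"matches one of the previous {policy.history_size} passwords")
            break
    return problems

def password_expired(changed_at: datetime, now: datetime, policy: Policy) -> bool:
    """True once the password is older than the policy's maximum age."""
    return now - changed_at > timedelta(days=policy.max_age_days)

def lockout_active(locked_at: Optional[datetime], now: datetime, policy: Policy) -> bool:
    """True while a lockout that started at `locked_at` is still in force."""
    return locked_at is not None and now - locked_at < timedelta(minutes=policy.lockout_minutes)

if __name__ == "__main__":
    # Constructed sample: the article's "Pass001" against both profiles.
    print(check_new_password("Pass001", [], PCI_DSS_MINIMUM))  # []
    print(check_new_password("Pass001", [], RECOMMENDED))      # ['shorter than 12 characters']
```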

Enforce MFA and biometric controls on mobile devices

Multi-Factor Authentication (MFA) adds a second layer of protection to business accounts and is one of the best ways to mitigate the risk from phishing. However, MFA is not so good at preventing data theft from lost or stolen mobile devices because the One-Time Password (OTP) is usually sent to the mobile device in the form of an SMS. Therefore, it is a password management best practice to enforce fingerprint and facial ID controls on mobile devices.

Use a password manager with cross platform synchronization

Password managers with cross-platform synchronization enforce password best practices regardless of the device being used to access an organization's account. Already an important capability due to BYOD policies, cross-platform synchronization became even more important during the COVID-19 crisis, with so many employees working from home. If your organization plans to continue with remote working, cross-platform synchronization is a must.

When employees leave, retire their passwords

Finally, when employees leave, there is a risk they may try to log back into an organization's account to poach clients, steal data, or deploy malware. Therefore, it is a best practice not only to retire their passwords as soon as they leave, but also to reduce the number of accounts they can access, and the permissions they hold within authorized accounts, before their departure, in order to mitigate the risk of data being stolen by a disgruntled employee while they work out their notice.