The EU General Data Protection Regulation includes, at article 5(1)(f) an obligation that data is protected “using appropriate technical or organisational measures”. Password protection is one aspect of such measures – yet many employers have not kept up with best practice. ICO guidance on this obligation under the current Data Protection Act requires that you “regularly review your security arrangements as technology advances”, which means organisations must take note of changes in official and industry guidance.
Many organisations require staff to frequently change passwords, and mandate complex requirements regarding the use of letters, numerals and special characters. Such policies are widely recognised to be counterproductive.
The resulting passwords are often susceptible to brute-force attacks in which a hacker attempts to access a system via software which systematically checks possible passphrases until the correct one is found. Brute-force attack dictionaries prioritise frequently used words (across multiple languages) and common character substitutions – for example 1, 3 and 4 are often used instead of the letters I, E and A.
In addition, a typical employee will have tens of passwords to remember, covering a multitude of business and personal accounts. Add in a requirement to change certain passwords every 30 days, and it is hardly surprising that people write them down and leave them near the computer.
So what is the solution? The National Cyber Security Centre (NCSC) suggests a simplification of policies, preferring the use of passphrases, allowing re-use of passwords across multiple accounts in certain circumstances, and only asking users to change passwords if those passwords are suspected to be compromised. The NCSC also recommends a focus on monitoring and technical protections: monitoring logins to detect unusual use; notifying users with details of attempted logins (with an obligation on the user to advise if any attempts were by third parties); and using technical means to defend against automated guessing attacks (e.g. account lockouts, blacklisting of common passwords after a number of attempts). Applying these recommendations should provide an organisation with better, cost-effective protection, both against information systems breaches and regulator disapproval.