GDPR came into force on May 25, 2018, and its purpose was to safeguard data and privacy rights. The law has been very effective in increasing data privacy and extends the data rights of EU citizens. One section of GDPR clearly states that strong security measures must be taken, including measures that protect the confidentiality of personal data. This is probably the “in a nutshell” version of the GDPR password requirements.
GDPR states that the personal data of any individual (EU citizen) must be given a high level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
What Does GDPR Say About Passwords?
GDPR does not set specific requirements for passwords, such as password length, complexity, or how often they should be changed, but it does say that the “state of the art” and the “costs of implementation” should be considered. It is the duty of each organization to decide what is suitable to protect user data and to protect itself from a potentially hefty fine.
What Should Be Considered for a GDPR Password Policy?
GDPR strongly focuses on protecting citizens' data, and each organization must focus on securing its systems so that personal data is strictly protected. This simply means that organizations should follow best security practices when choosing which policies to implement.
The reason behind password protection is that unauthorized individuals must not be able to access an individual's resources or data. The thing for an organization to consider here is that GDPR is mainly focused on protecting individuals' data, so the organization must provide adequate security to protect that data, and its GDPR password policy should reflect the same. This simply means that it is very important for organizations to have a strong password policy if they want to be compliant with GDPR. Weak passwords are more vulnerable and easy to break, which leads directly to hacking and theft of personal data.
Some traditional rules about what constitutes a strong password are as follows:
- Passwords should be a minimum of 8 characters in length but preferably longer
- New passwords must be different from previously used passwords
- Avoid simple words and famous names as passwords
- The password should not contain personal information of the individual
- A strong password should contain upper case and lower case letters, numbers and special characters
- Use a pass-phrase instead of a password
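As an added example (not from the original article), the following Python checker turns the rules above into a policy function: it reports which rules a candidate password violates, keeps the reuse history as salted PBKDF2 digests rather than plaintext, and, as an assumption of this example, waives the character-class rule for a passphrase of four or more words. The denylist, iteration count and sample inputs are constructed for illustration.

```python
import hashlib
import os
import re

# Constructed denylist of simple words and famous names; a real deployment
# would use a large list of breached and common passwords instead.
SIMPLE_WORDS = {"password", "qwerty", "letmein", "welcome", "einstein", "beethoven"}

PBKDF2_ITERATIONS = 200_000  # assumption: slow hash so stored history is not trivially reversible


def history_entry(password, salt=b""):
    """Return (salt, digest) suitable for storing a used password in the reuse history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _matches_history(password, history):
    # Re-derive the digest with each stored salt; never store or compare plaintext.
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS) == digest
        for salt, digest in history
    )


def is_passphrase(password, min_words=4):
    # Assumption: four or more words separated by spaces or hyphens count as a passphrase.
    words = re.findall(r"[A-Za-z]{2,}", password)
    return len(words) >= min_words and (" " in password or "-" in password)


def check_password(password, history=(), personal_info=(), min_length=8):
    """Return the list of policy rules the candidate violates (empty list = accepted)."""
    violations = []
    lowered = password.lower()
    if len(password) < min_length:
        violations.append("too short")
    if _matches_history(password, history):
        violations.append("reused")
    if any(word in lowered for word in SIMPLE_WORDS):
        violations.append("simple word or famous name")
    if any(item and item.lower() in lowered for item in personal_info):
        violations.append("contains personal information")
    if not is_passphrase(password):
        has_all_classes = all([
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ])
        if not has_all_classes:
            violations.append("missing upper/lower/digit/special")
    return violations
```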