Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).
Article 32 of the GDPR specifies encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption:
- The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
- The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
- The software. The ICO states that this should meet current standards such as FIPS 140-2 and FIPS 197; and
- The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.
The ICO makes clear that, depending on the context of the incident, regulatory action may be pursued where data is lost or destroyed and it was not encrypted.
Although the GDPR does not include any specific provisions in relation to passwords, they are a commonly used means of securing access to systems that process personal data. The guidance focuses on storage of passwords, how users should submit passwords, password requirements, expirations and resets, and defences against attacks.
The main points from the ICO’s guidance include:
- Passwords should not be stored in plaintext. A suitable hashing algorithm or another suitable mechanism should be used.
- Passwords should not be hashed using hashing algorithms such as MD5 and SHA1 as these are unsuitable for password protection due to their known security weaknesses. Hashing should be carried out server-side.
- Users should enter their passwords on login pages which are protected with HTTPS, or equivalent protection, and hashing should be carried out server-side.
- Unless necessary, the only restrictions that should be placed on passwords are (i) a minimum password length and (ii) blacklisting common, weak passwords. Special characters should be allowed, but not mandated.
- Limitations should be imposed on login attempts. The nature of the limitations should be based on observed behaviour and the circumstances of your organization.
The guidance also highlights a number of practices which are mistakenly thought to increase security. Instead, the ICO recommends the following:
- Users should not be prevented from pasting their passwords into the password field. Instead of increasing security, this stops users being able to use password managers effectively.
- Systems should not impose unnecessary requirements on passwords as this encourages users to repeat passwords across accounts, create weak passwords, or forget their passwords, which all place unnecessary burden on the process for resetting passwords.
- Passwords should only be reset if there are pressing reasons to do so, such as a personal data breach. Regular expiry encourages users to create a series of weak passwords.
The ICO’s guidance is not binding, but we recommend organisations adhere to the guidance when implementing encryption or password protections, especially given the possibility of regulatory action. The way in which the guidance should be followed will depend on the nature of the personal data processing and the circumstances of your organisation.