The Information Commissioner’s Office (ICO) has issued extensive guidance to firms on the subject of IT security, specifically on the topics of passwords and encryption.

The relevant item in the ICO newsletter is headed ‘Passwords and guidance under the GDPR’, although the guidance itself then says that GDPR is not prescriptive as to exactly what firms should do regarding passwords and encryption.

Firms should first consider whether there are any better alternatives to using passwords. Although alternatives such as smart cards and biometric access (e.g. via fingerprinting) exist, passwords remain the most popular way for users to access online services.

Any password system must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.

Firms can consider the cost of implementation, but whatever they decide to implement must ensure a level of security appropriate to the nature of the data being protected and the harm that could be caused by unauthorised access.

Some firms make use of a single sign-on (SSO) system, where a user only needs to log in once to access a series of work-based applications. This reduces the number of passwords that a user has to remember, but the data protection watchdog also warns firms to ensure that they are happy with the level of security that is offered by an SSO system.

Login pages should be protected with HTTPS, or some other equivalent level of protection.

The ICO says there are three main factors to consider when designing a password system:

  • Length – the system should have a set minimum password length, and the ICO recommends that this should be no less than 10 characters. A maximum length should not be set unless it is necessary because of limitations in the website code
  • Special keyboard characters – the recommendation here is that the system should allow the use of special characters, such as the hash symbol and those that appear on the number keys, but it should not be mandatory for an individual to use one or more of these in their password
  • Blacklisting – the system should be set up so that it rejects a user’s choice of password if they try to set a commonly used or weak password. Examples include frequently used passwords, passwords leaked in website breaches, and common words or phrases that relate to the service the firm provides
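As an added illustration, not part of the ICO guidance or of this article, the Python below checks a candidate password against exactly those three factors and nothing else: a minimum length of 10 with no maximum, special characters accepted but never required, and a blacklist of common, breached and service-related values. The blacklist contents, the hypothetical firm name "acme" and the stripping of leading/trailing digits and punctuation before the blacklist comparison are assumptions made for the example.

```python
"""Password acceptance check built on the three ICO factors only (added example)."""

import string

MIN_LENGTH = 10  # ICO recommends a minimum of no less than 10 characters

# Constructed sample lists for illustration. A real deployment would load these
# from maintained breach corpora and a list of terms specific to the firm.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
BREACHED_PASSWORDS = {"summer2019!", "welcome123"}
SERVICE_TERMS = {"acme", "acmebank"}  # hypothetical firm and product names

# Characters removed from the ends of a password before the blacklist lookup,
# so that "Password123!" is still caught by a blacklist entry of "password".
_STRIP_CHARS = string.digits + string.punctuation + string.whitespace


def normalise(password):
    """Candidate forms compared against the blacklist: the lower-cased password
    and the same with leading/trailing digits, punctuation and spaces removed."""
    lowered = password.lower()
    return {lowered, lowered.strip(_STRIP_CHARS)}


def letters_only(password):
    """Lower-cased alphabetic characters only, used for the service-term check."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def check_password(password, common=COMMON_PASSWORDS,
                   breached=BREACHED_PASSWORDS, service_terms=SERVICE_TERMS):
    """Return (accepted, reasons). An empty reasons list means the password passes."""
    reasons = []

    # 1. Length: a minimum is enforced, but deliberately no maximum, so a long
    #    passphrase is never rejected on length.
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # 2. Special characters: nothing to enforce. No character class is required
    #    and none is rejected, so '#' and the shifted number-key symbols are fine.

    # 3. Blacklist: commonly used passwords, breached passwords, and words that
    #    relate to the service the firm provides.
    forms = normalise(password)
    if forms & common:
        reasons.append("commonly used password")
    if forms & breached:
        reasons.append("appears in a known breach list")
    alpha = letters_only(password)
    hits = sorted(term for term in service_terms if term and term in alpha)
    if hits:
        reasons.append("contains service-related term(s): " + ", ".join(hits))

    return (not reasons, reasons)


if __name__ == "__main__":
    samples = [
        "short1!",                     # too short
        "Password123!",                # common password with digits appended
        "Summer2019!",                 # in the constructed breach list
        "AcmeBank2024!",               # built from the firm's own name
        "correct#horse#battery",       # long, special characters present, accepted
        "the quick brown fox jumps over the lazy dog #9",  # long passphrase, accepted
    ]
    for candidate in samples:
        accepted, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {why}")
```

The check returns the list of reasons rather than a single boolean so that the user can be told why a choice was refused; the service-term comparison works on letters only, which catches spellings such as "Acme-Bank" or "acme2024" without requiring a separate rule for each.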

The ICO recommends that other than the three issues above, no other restrictions should be imposed. Imposing too many restrictions could lead to:

  • Users re-using their passwords across multiple accounts
  • Weak passwords
  • Passwords being easily forgotten

Some systems provide for a password to automatically expire after a set period. The ICO recommends that firms only do this if it is “absolutely necessary” for a firm’s particular circumstances. It can lead to some of the issues listed above that are also associated with imposing too many restrictions. It can also cause people to change a single strong password for a series of weak passwords.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.