Best Practice Update

Passwords – simplifying the approach

Despite the user frustration that often results in poor passwords being chosen, passwords remain a key defence against unauthorised access to systems and personal data. And although the GDPR does not give prescriptive guidance on passwords, it does require organisations to implement appropriate technical and organisational measures, and to be able to show that they have considered and built data protection into their processing activities.

Read on, and make use of the additional resources, PowerPoint training materials and policy documents also available on the Knowledge bank. (Links are provided in the article below.)


So, when considering passwords, what does the latest evidence and guidance suggest?

1) Despite years of advice, many users still choose weak passwords or keep them insecurely (e.g. written down), and often share passwords with partners or co-workers without changing them afterwards;

2) Users have a huge number of passwords to remember and update, so it is no wonder that many fall back on the bad practices in (1);

3) Previous guidelines that required short but complex passwords (hard for people to remember, yet easy for computers to guess) AND regular password changes are flawed.


What can you do?

1) Check your policies and procedures

Many organisations are looking at policies including Password and Acceptable Use Policies in light of the GDPR. The DPE Model Password Policy template is now available here.

If you are planning to update yours, now is a good time to consider the simplified approach at a policy/systems level as advocated by the National Cyber Security Centre. Read more here.

The key message is to lessen the workload that complex passwords impose on users.

  • Remembering many complex 8-character passwords is hard for users, yet such passwords are easy for computers to guess, so stringent character-composition requirements are not the answer;
  • Longer is stronger, provided the password is built from random words or characters rather than lyrics, quotations or religious passages, which attackers already hold in their dictionaries and test for matches;
  • Forced regular password changes harm rather than improve security. Users must, however, change a password immediately if it has been shared or if suspicious activity has occurred on the account;
  • Policies should prohibit password sharing;
  • Technological controls such as account lockout after repeated failed logins should be implemented, and more stringent rules or two-factor authentication should be considered for access to admin accounts and to devices holding sensitive data.
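
As an added illustration (this is example code written for this page, not DPE's or the NCSC's own), the following Python shows what the policy points above look like at the systems level: a password check that relies on a minimum length plus a deny list instead of character-composition rules and has no expiry date, a lockout after repeated failed logins, and a step-up to a second factor for admin accounts. The deny list, user store, minimum length and lockout thresholds are all constructed assumptions for the example, not figures from DPE policy.

```python
"""Added example for this article: length-plus-deny-list password check,
failed-login lockout and admin step-up. All thresholds and data are
illustrative assumptions, not DPE or NCSC policy values."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-in for a real deny list (breach corpora, dictionaries,
# song lyrics, scripture). A production list would be far larger.
DENY_LIST = {
    "password", "password1", "qwerty", "letmein", "welcome", "123456",
    "iloveyou", "admin", "wonderwall", "tobeornottobe",
}

MIN_LENGTH = 12  # assumption: length, not symbol rules, does the work


def normalise(password: str) -> str:
    """Strip the predictable 'Password1!'-style tweaks so a deny-listed base
    word is still caught when digits or symbols are bolted onto it."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password: str, deny_list=DENY_LIST) -> Tuple[bool, str]:
    """Return (accepted, reason). No character-class rules and no expiry
    date: a minimum length plus a deny list is the whole rule set."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if password.lower() in deny_list or normalise(password) in deny_list:
        return False, "matches a common or previously breached password"
    return True, "ok"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 verifier (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LockoutPolicy:
    """Lock an account after `threshold` failures inside `window` seconds,
    for `lockout` seconds. All three defaults are assumptions."""
    threshold: int = 5
    window: float = 300.0
    lockout: float = 900.0
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed login; return True if it triggered a lock."""
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True
        self._failures[user] = recent
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter."""
        self._failures.pop(user, None)


# Constructed user store: one ordinary user and one admin (passwords are
# three random words each, per the 'longer is stronger' advice).
_SALT = os.urandom(16)
USERS = {
    "alice": {"hash": hash_password("copper dingo lantern", _SALT), "admin": False},
    "root": {"hash": hash_password("quiet violet harbour", _SALT), "admin": True},
}
POLICY = LockoutPolicy()


def attempt_login(user: str, password: str, now: float,
                  policy: LockoutPolicy = POLICY) -> str:
    """Return 'locked', 'failed', 'ok' or 'ok-needs-2fa' (admins get step-up)."""
    if policy.is_locked(user, now):
        return "locked"
    record = USERS.get(user)
    candidate = hash_password(password, _SALT)
    # Compare against a dummy for unknown users so timing does not leak existence.
    expected = record["hash"] if record else b"\x00" * len(candidate)
    if record is None or not hmac.compare_digest(expected, candidate):
        policy.record_failure(user, now)
        return "failed"
    policy.record_success(user)
    return "ok-needs-2fa" if record["admin"] else "ok"
```

Note that `check_password` rejects "Password1234!!" even though it would pass a typical "upper, lower, digit, symbol" rule: once the tweaks are stripped it is just "password", which any attacker's wordlist contains. Conversely "copper dingo lantern" passes with no symbols at all. The lockout keeps its failure window per account, so an attacker spreading guesses slowly still trips it, and the caller decides how to satisfy the second factor for the admin case.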

2) Increase staff and student awareness through training and reinforcement activities

DPE training and resources that can help you achieve this include:

  • E-learning - GDPR Data Protection 101 – Passwords are covered in Module 2 in the cyber-security topic;

  • PowerPoint slides for a staff awareness session: TAKE FIVE series - Focal Point Password Security.
    Use these slides e.g. at staff meetings as a refresher on what staff and students should know and do - download the slide deck here.

  • Drip Feed Posters - check out the two password-related posters "Keep it long Keep it strong" and "Creating a strong password", to print out and display, here.


Article version 1 - release 25/6/2018. Author - Jo Kaptijn.