

How to create a GDPR compliant password policy

GDPR stands for General Data Protection Regulation, which came into force in the European Union in May 2018. The regulation applies to every organization that does business with European citizens, even organizations based outside the EU.

Like other data-protection regulations, GDPR is vague about the exact details of how to implement a compliant security policy. For example, it never mentions passwords, yet it demands a high level of protection for personally identifiable data.

The procedures for accessing this data must take every reasonable measure to ensure compliance, as ignorance is not a valid excuse for failing to protect customer data.

First of all, users need to understand what a strong password is. The policy should specify the basic rules that constitute an acceptable password, namely passwords that are infeasible to crack with a brute-force attack.

A strong password should be difficult for a computer to guess by trying every possible combination of characters. The longer the password and the larger the character set, the longer it takes to crack. It should always be alphanumeric and include special characters such as symbols.

Personal information should be prohibited

The most challenging aspect of preparing a compliant password policy is always striking the right balance between what is memorable and what is secure.

Some users write their passwords down to avoid forgetting them, which is an extraordinarily bad idea. Others use their birthday, pet's name or family members' names as passwords, which is equally wrong.

Cybercriminals often recover such passwords simply by harvesting the same information from social media. Train your employees about the dangers of using personal information as passwords.
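The two rules above (brute-force resistance through length and character set, and no personal information) can be enforced at the point where a password is chosen. The following is an added example, not code from the article: a small policy validator that estimates brute-force resistance from the password's length and the character classes it uses, and rejects passwords containing the user's name, pet's name, family names or birthday. The guess rate, minimum length, 60-bit floor and the shape of the `user` record are constructed assumptions for this example.

```python
import math
import re
from datetime import date

# Assumptions (constructed for this example, not taken from the article):
# an offline attacker testing 10^10 guesses per second, a 12-character
# minimum, and a 60-bit brute-force floor.
GUESSES_PER_SECOND = 1e10
MIN_LENGTH = 12
MIN_BITS = 60

# Character classes and the size each adds to the attacker's alphabet.
CHAR_CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),   # printable ASCII symbols
}


def brute_force_bits(password):
    """Upper bound on the work for an attacker who must try every string
    over the character classes the password actually uses."""
    alphabet = sum(size for rx, size in CHAR_CLASSES.values() if rx.search(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def crack_time_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to search half the keyspace at the assumed guess rate."""
    return (2 ** brute_force_bits(password)) / 2 / guesses_per_second


def personal_tokens(user):
    """Strings that must not appear in a password: username, name parts,
    pet name, family members' names and common spellings of the birthday."""
    tokens = set()
    for field in ("username", "first_name", "last_name", "pet_name"):
        value = user.get(field, "")
        if len(value) >= 3:              # ignore very short fragments
            tokens.add(value.lower())
    for relative in user.get("family_names", []):
        if len(relative) >= 3:
            tokens.add(relative.lower())
    birthday = user.get("birthday")
    if isinstance(birthday, date):
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            tokens.add(birthday.strftime(fmt))
    return tokens


def check_password(password, user):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes_used = [name for name, (rx, _) in CHAR_CLASSES.items() if rx.search(password)]
    if len(classes_used) < 3:
        problems.append("must mix letters, digits and symbols")
    bits = brute_force_bits(password)
    if bits < MIN_BITS:
        problems.append(f"brute-force resistance {bits:.0f} bits, below {MIN_BITS}")
    lowered = password.lower()
    for token in sorted(personal_tokens(user)):
        if token in lowered:
            problems.append(f"contains personal information: {token!r}")
    return problems


if __name__ == "__main__":
    # Constructed user record, as an HR system or directory might hold it.
    user = {"username": "akowalski", "first_name": "Anna", "last_name": "Kowalski",
            "pet_name": "Rex", "birthday": date(1990, 3, 14), "family_names": ["Piotr"]}
    for candidate in ("correcthorse", "Rex2015!!!!!", "Kowalski1990!x", "xT7#qL9!mZ2@pW"):
        days = crack_time_seconds(candidate) / 86400
        verdict = check_password(candidate, user) or "OK"
        print(f"{candidate!r}: ~{days:.3g} days to brute-force; {verdict}")
```

The brute-force estimate is deliberately an upper bound: a password made of dictionary words or a name plus a year is far weaker than its length suggests, which is exactly why the personal-information check is applied in addition to the length and character-set rules rather than instead of them.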

Single sign-on implementation

People with accounts on many different sites normally use a different password for each, so it is easy for them to forget some of them.

In the workplace especially, it makes sense to implement a single sign-on feature that provides employees with immediate access to every system they need to do their jobs.

Administrators can then manage access rights to ensure they follow the principle of least privilege. Single sign-on should not mean giving every employee access to all the data in your company's care.
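The point that single sign-on authenticates a user once but must not authorize them everywhere can be shown in a few lines. The following is an added example, not code from the article or from any particular SSO product: an identity provider issues one signed token after login, and each application verifies the token and then applies its own least-privilege policy, so the same token opens only the actions a user's group needs in that system. The HMAC token format, the shared key and the group-to-action table are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed assumption: the identity provider and every application share
# this key out of band. A real deployment would use asymmetric signatures.
IDP_KEY = b"demo-shared-secret"


def issue_token(subject, groups, ttl=3600, now=None):
    """Identity-provider side: sign the user's claims once, after login."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "groups": sorted(groups), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Application side: check signature and expiry before trusting any claim."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                      # tampered or forged token
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return None                      # expired token
    return claims


# Per-application least-privilege policy (constructed): group -> allowed actions.
# Authentication via SSO says who the user is; this table says what they may do.
APP_POLICY = {
    "crm": {"sales": {"read_customer"}, "support": {"read_customer", "update_ticket"}},
    "payroll": {"hr": {"read_salary", "update_salary"}},
}


def authorize(token, app, action, now=None):
    """Return True only if the token is valid AND one of the user's groups
    is granted this action in this particular application."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    allowed = set()
    for group in claims["groups"]:
        allowed |= APP_POLICY.get(app, {}).get(group, set())
    return action in allowed


if __name__ == "__main__":
    token = issue_token("anna", ["sales"])
    for app, action in (("crm", "read_customer"), ("crm", "update_ticket"),
                        ("payroll", "read_salary")):
        print(f"anna -> {app}:{action} = {authorize(token, app, action)}")
```

Because the policy table lives with each application rather than in the token, administrators can tighten or revoke access to one system without re-issuing anyone's credentials, which is what keeps single sign-on compatible with least privilege.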

Regular password reset should not be enforced

Industry experts have long recommended that users reset their passwords every three months. This is not necessary, and it increases the chance that users forget the new password.