The UK Information Commissioner’s Office (ICO) – the UK privacy regulator – issued new information security guidelines on encryption methods and passwords, within its guide to the General Data Protection Regulation (GDPR).
The GDPR does not particularize what security measures organizations are required to implement in order to comply with the obligation to process personal data securely. The ICO’s guidance on password security recommends implementing a password policy within an organization, including the following:
- Password storage. Do not store passwords in plaintext; Use a suitable hashing algorithm.
- Password entry. Protect login pages with HTTPS; Prevent users from pasting passwords into the password field.
- Password requirements. Minimum password length should be no less than 10 characters; Allow the use of special characters, but don’t mandate it; Do not set restrictions on how users should create a password; Monitor passwords against a ‘password blacklist’ of the most commonly used passwords, leaked passwords from website breaches and common words or phrases that relate to the service; Remind users that they should not reuse passwords from other websites or services;
- Password defense. Rate-limit the number and frequency of incorrect login attempts.
With respect to encryption, the ICO recommends using it when storing and transmitting personal data. The ICO explains that the damage and distress caused by data breaches could be reduced or even avoided if personal data is encrypted.
Organizations should have a policy in place governing the use of encryption, including appropriate staff education. When implementing encryption, the ICO urges to consider the right algorithm, the right key size, the right software and the safekeeping of the key.