A solid password policy is the first line of defense for your corporate network. Protecting your systems from unauthorized users may sound easy on the surface, but it can actually be quite complicated. You have to balance password security with usability, while also following various regulatory requirements.
Companies in the EU must have password policies that are compliant with the General Data Protection Regulation (GDPR). Even if your company isn't based in the EU, these requirements apply if you have employees or customers residing in the EU or customers purchasing there.
In this post, we will look at GDPR requirements for passwords and provide practical tips on how to design your password policy. Remember, even if GDPR isn't required for you now, the fundamentals of a data protection regulation plan can help strengthen your organization's security.
Password requirements for GDPR compliance
You may be surprised to discover that the GDPR laws do not actually mention password policies at all. If you simply read the text, you may initially believe that a company can implement any password policy, without having any concerns over GDPR compliance.
However, the GDPR laws will impact password policy under the umbrella of prevention.
Preventing unauthorized access to information
Any information that a company gathers from customers or other sources needs to be properly protected under GDPR. This means having strong security measures to prevent hackers and other unauthorized individuals from gaining access to this data.
As we all know, one of the most important digital security controls protecting any data is the password.
Tips for creating a GDPR compliant password policy
The following are some best practices to consider when creating a strong password policy that will keep your systems safe and get you closer to compliance.
Use a password list to block compromised passwords
A good password needs to be difficult to crack or guess. Today, stolen and brute-forced credentials are the leading cause of data breaches. To protect your data against these attacks, a password policy should ban common and breached passwords.
Thanks to password reuse, many credential-based attacks use breached password lists from one system to target another. Government agencies such as NIST and the NCSC recommend blocking compromised and easily guessable passwords from being used altogether. This is one of the only ways to protect accounts; stronger complexity settings alone do not help when the password is already in a leaked list.
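To make the recommendation concrete, here is an added example (not code from the original post or from any vendor named in it) of a password-change check in the spirit of NIST SP 800-63B and the NCSC guidance: it rejects passwords found in a breach list, passwords containing the username or organization name, and repeated or sequential runs. The breach list below is constructed for the example and stands in for a real corpus; the lookup goes a step beyond the text by using a k-anonymity style range query, where only the first five hex characters of the SHA-1 hash are sent to the lookup side, so the full password hash never leaves the client.

```python
import hashlib
import re
from typing import List, Set

# Constructed sample of leaked passwords (a stand-in for a real breach
# corpus such as the NCSC list or Have I Been Pwned; these values are made
# up for this example).
LEAKED_PASSWORDS = [
    "Password1!",
    "Summer2023",
    "Welcome123",
    "qwerty123456",
    "Acme2024",
]


def sha1_hex(password: str) -> str:
    """Breach corpora are normally distributed as upper-case SHA-1 hex digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


LEAKED_SHA1: Set[str] = {sha1_hex(p) for p in LEAKED_PASSWORDS}


def lookup_suffixes(prefix: str) -> Set[str]:
    """Lookup side of a k-anonymity range query: given the first 5 hex chars
    of a SHA-1, return the suffixes of every leaked hash with that prefix.
    The caller never reveals the full hash or the password."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Client side: send only the 5-char prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in lookup_suffixes(digest[:5])


def has_trivial_run(password: str, run: int = 4) -> bool:
    """True if any window of `run` chars is all identical (aaaa) or a straight
    ascending/descending sequence (1234, dcba)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, username: str, org_name: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < 8:  # NIST SP 800-63B minimum for user-chosen secrets
        problems.append("shorter than 8 characters")
    if is_breached(password):
        problems.append("found in breached-password list")
    lowered = password.lower()
    for ctx in (username, org_name):  # context-specific words
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains context word '{ctx}'")
    if has_trivial_run(password):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023", "jdoe-2024!", "abcd1234",
                      "correct horse battery staple"):
        verdict = check_password(candidate, "jdoe", "Acme") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

In a real directory integration the `lookup_suffixes` side would be the breach service and `LEAKED_SHA1` would hold hundreds of millions of entries; the client logic stays the same, which is the point of the prefix query.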
Don't use secret questions
It is a common practice to set up 'secret questions' that can be answered in order to unlock or reset the password on an account.
Secret questions are things like 'what is your mother's maiden name' or 'what was your school mascot.' Since the answers to these questions can often be found or extracted through social engineering, it is best to avoid them completely.
Consider MFA
One of the best ways you can improve your password security is to implement multi-factor authentication (MFA). This is where, in addition to a username and password, other factors are used to verify a user.
For example, this can be a one-time password that is generated for that user on their mobile device at the moment of authentication.
Making GDPR compliance simple
Implementing GDPR for your non-EU business may seem like a headache, but the compliance and additional security protections will cover your bases from a legal and cyberattack prevention standpoint. This article sums up the how, why, and when of GDPR compliance if you're looking for additional intel.
When you're implementing a password policy for your Active Directory with GDPR compliance in mind, it's a good idea to use a third-party tool so that the policy reaches your entire end-user directory.
My favorite is Specops Password Policy, which can help you block breached and other compromised passwords from Active Directory. During a password change in Active Directory, this service blocks the new password and notifies the user if it is found in a list of leaked passwords, and it provides dynamic feedback on password compliance. Specops Password Policy makes it easy to keep out vulnerable passwords and comply with the latest password guidelines.
Specops Password Policy keeps your policies organized and easily configurable
Using a password policy tool not only helps with GDPR compliance by preventing unauthorized access to information, it also keeps your internal AD infrastructure organized and safe. Specops Password Policy extends the functionality of Group Policy and simplifies the management of fine-grained password policies, for a simpler approach to password security and compliance.
Whether you're using a password policy tool or educating end-users manually, GDPR compliance can be an asset to any security infrastructure regardless of location, and don't forget it's mandatory if you're storing EU citizen data.