A solid password policy is the first line of defense for your corporate network. Protecting your systems from unauthorized users may sound easy on the surface, but it can actually be quite complicated. You have to balance password security with usability, while also following various regulatory requirements.
Companies in the EU must have password policies that support compliance with the General Data Protection Regulation (GDPR). The regulation also reaches companies based outside the EU: if you process the personal data of people located in the EU, for example employees or customers there, its requirements apply to you.
In this post, we will look at what GDPR requires of passwords and provide practical tips for designing your password policy. Even if GDPR doesn't apply to you today, the fundamentals of a data protection program strengthen your organization's security.
You may be surprised to discover that the text of the GDPR does not mention passwords or password policies at all. Read literally, it might seem that a company can implement any password policy without any GDPR concerns.
However, the GDPR reaches password policy through its security requirements. Article 5(1)(f) requires personal data to be processed with appropriate security (the "integrity and confidentiality" principle), and Article 32 requires "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. A password policy that lets weak or already-breached passwords guard personal data is hard to defend as an appropriate measure.
Any personal data a company gathers from customers, employees or other sources needs to be protected accordingly. That means security measures strong enough to keep attackers and other unauthorized individuals from gaining access to the data.
For most systems the password is still the control standing between an attacker and that data, which makes it one of the most important security decisions you make.
The following are some best practices to consider when creating a strong password policy that will keep your systems safe, and get you closer to compliance.
A good password needs to be difficult to guess or crack. Stolen, guessed and brute-forced credentials are consistently among the leading causes of data breaches, so a password policy should ban common and previously breached passwords.
Because people reuse passwords, many credential-based attacks take the password lists leaked from one system and replay them against another (credential stuffing). NIST (SP 800-63B) and the UK's NCSC both recommend screening new passwords against lists of compromised and easily guessable values and rejecting them outright. Complexity rules alone don't achieve this: 'P@ssw0rd1!' satisfies most length and character-class requirements and appears in virtually every breach list, so the blocklist check is what actually protects the account.
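As an added example (not code from the original post), here is how such a screening check can be implemented in Python. The banned-word list and the three "breached" passwords are constructed for illustration; a real deployment would load a large dictionary and a breached-password corpus. The breached set is stored by SHA-1 prefix, the way k-anonymity lookup services bucket their data, and candidate passwords are normalized (case folded, leetspeak undone, trailing digits and punctuation stripped) so trivial variations of a banned word are caught as well.

```python
import hashlib
import re

# Constructed sample of a banned-password dictionary. A real deployment loads a
# large wordlist plus a breached-password corpus; these entries only illustrate the logic.
BANNED_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "football", "monkey", "dragon",
}

# Constructed stand-in for a breached-password corpus. It is stored the way a
# k-anonymity style lookup service keys it: SHA-1 prefix -> set of hash suffixes,
# so a client can fetch one bucket without revealing the full hash of the candidate.
_SAMPLE_BREACHED = ("Summer2023!", "Welcome1", "Company123")
BREACHED_BUCKETS: dict[str, set[str]] = {}
for _pw in _SAMPLE_BREACHED:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACHED_BUCKETS.setdefault(_digest[:5], set()).add(_digest[5:])

# Substitutions users apply to squeeze a dictionary word past a complexity filter.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word a cracking rule would derive it from.

    'P@ssw0rd1!' -> 'password'. Trailing digits/punctuation are stripped before the
    leet substitution so that an appended '1!' is not misread as letters.
    """
    base = re.sub(r"[^a-z]+$", "", password.lower())
    base = base.translate(LEET_MAP)
    return re.sub(r"^[^a-z]+", "", base)


def is_breached(password: str) -> bool:
    """Look the candidate up in the breached corpus via its SHA-1 prefix bucket."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in BREACHED_BUCKETS.get(digest[:5], set())


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    reasons: list[str] = []
    if len(password) < 8:  # NIST SP 800-63B minimum for user-chosen passwords
        reasons.append("shorter than 8 characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    lowered = password.lower()
    base = normalize(password)
    if lowered in BANNED_PASSWORDS:
        reasons.append(f"banned password '{lowered}'")
    elif base and base in BANNED_PASSWORDS:
        reasons.append(f"based on banned word '{base}'")
    if is_breached(password):
        reasons.append("appears in breached-password corpus")
    return reasons


if __name__ == "__main__":
    for candidate, user in (("P@ssw0rd1!", "jdoe"), ("Summer2023!", "jdoe"),
                            ("Welcome1", "welcome"), ("correct-horse-battery-staple", "jdoe")):
        print(f"{candidate!r}: {check_password(candidate, user) or 'OK'}")
```

The normalization step is what separates a useful blocklist from a useless one: without it, 'P@ssw0rd1!' passes a check against the literal word 'password', which is exactly the variation every cracking wordlist rule generates first.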
It is a common practice to set up 'secret questions' whose answers unlock or reset an account's password. Treat them as a weak control: the answers (mother's maiden name, first school) are often discoverable from social media or public records, and NIST SP 800-63B no longer permits knowledge-based questions as an authenticator. Where they remain in use, they should be one signal in a reset flow that also verifies something stronger, never the only gate.
One of the best ways to improve your password security is to implement multi-factor authentication (MFA), where a user must present an additional factor beyond the username and password before being granted access.
For example, the second factor can be a one-time password generated for that user on their mobile device during authentication, such as a time-based one-time password (TOTP) from an authenticator app. A hardware security key is a stronger, phishing-resistant alternative where the budget allows.
Implementing GDPR for your non-EU business may seem like a headache, but the compliance and additional security protections will cover your bases from a legal and cyberattack prevention standpoint. This article sums up the how, why, and when of GDPR compliance if you're looking for additional intel.
When you're implementing a password policy for Active Directory with GDPR compliance in mind, note that the built-in AD password settings enforce length, age and character-class complexity but cannot check passwords against a dictionary or a breached-password list. A third-party tool is therefore usually needed to apply those checks consistently across your entire end-user directory.