How to handle passwords under GDPR
Two key regulations that have impacted the security and privacy landscape are the European Unions General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Although both legislations are applicable to their own jurisdictions, they have considerable impact on how companies around the globe operate. We live in a globalized online economy, where your business can have customers across the world, and you should be careful not to run afoul of any of these regulatory measures, and others that will come in the future.
In this article, we will examine what the GDPR and CCPA mean for the handling of passwords and user accounts and how you can make sure you remain compliant to the rules now and in the future.
The GDPR came into effect in 2018 and its main purpose is to protect the personal data of users. This has become a critical issue as our lives become increasingly digitized. GDPR provides broad guidelines that encompass the handling of user data, the use of automated decision making, and response to data breaches.
Although it does not lay out an exact policy about the way organizations should handle passwords, GDPR does provide a few important rules about personal data. Article 5(1)(f) of the regulation states that organizations must ensure “appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This is not a direct password policy, but it means that you must implement an appropriate authentication mechanism that prevents unauthorized parties from accessing a system that processes personal data.
What does “appropriate” mean. Again, it’s not clearly defined, but Article 32 provides further guidance: “Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
That paragraph is a bit loaded, but in a nutshell, it means that authentication is an ever-changing landscape. Technologies that are considered secure today might be hackable tomorrow. A stark example is MD5 and SHA-1 hashing algorithms, which are insecure and can be reversed. The implication is that you have to constantly review your password and authentication policy with the latest technological advances.
The CCPA, which came into effect on January 1, 2020, will set stringent rules on companies that handle data of California citizens. Many experts believe that CCPA is harsher than GDPR in penalizing companies that break its rules. And other U.S. states are considering adopting similar rules, which will make things even more complicated for companies that have users in U.S.
This will put a lot of strain on companies that continue to maintain password databases. The CCPA is a bit vague on authentication, but holds companies to account for the level of security being proportionate with the sensitivity of the data being handled.
It also considers “password, or credentials allowing access to an account” as personal information and fines companies who would lose access to “email address in combination with a password or security question and answer” that would permit an unauthorized party to access a user account.
Companies will be held to account for adopting the necessary measure to detect fraudulent access to user accounts.
Long story short, under the CCPA you have better come packed with enough security to protect your users’ accounts and identities against unwanted access. Failing to do so can have grave consequences.
Making things more tenuous are similar legislation that is being considered. One example is “The Information Privacy: Connected Devices,” also passed into law in California, which, among others, fines internet of things (IoT) manufacturers that use weak and common default passwords such as “admin” and “password” on their devices.
What’s the solution?
Despite these warnings, many organizations still choose passwords. But passwords have well-known vulnerabilities and can be hacked in many ways. Even the most secure implementation of passwords will depend on users choosing long and complicated passwords (most users don’t).
One of the traditional workarounds is to add multi-factor authentication (MFA) by adding extra authentication factors such as one-time passwords sent to mobile phones or the requirement of a physical key. Those measures improve the protection of user accounts considerably, but not all of them are equally secure, and some people are likely to opt out of MFA due to the degraded user experience. Moreover, many organizations don’t enforce MFA by default in fear of disenchanting users.
In 2020, poor passwords and password authentication implementation continue to remain the main cause of data breaches.
With GDPR and CCPA holding organizations to account for their practices, there’s increasing incentive to implement more secure authentication systems. At the same time, companies and organizations are looking for authentication technologies that will keep them in conformance with the latest security requirements while also providing ease of use to their users.
As we’ve seen in these pages before, the most secure password is one that does not exist. While password–less technologies such as biometric authentication have been around for several years, until recently, they were both hard to implement and their total cost of ownership was relatively high, making them an unattractive option for many organizations.
But today, there are easy-to-implement and cost-efficient solutions that combine the best of both worlds, providing optimal security without compromising ease-of-use or imposing severe costs on organizations. One such solution is the Secret Double Octopus authentication technology.
Secret Double Octopus is a hardware-free, password-less authentication that is resilient to phishing, man-in-the-middle attacks, and other password-related hacks such as “credential stuffing.” Secret Double Octopus integrates with most server platforms such as Active Directory and Linux LDAP, and is compliant with the FIDO and FIDO 2 specifications, which have become the de-facto standard for many critical sectors such as finance and health care.
With passwords out of the way and robust and convenient authentication mechanism, there’s a likely chance that you will avoid running afoul of GDPR, CCPA, and other regulations looming on the horizon, saving you headaches and a lot of money.
Find out more about how you can secure your business here.