Strong passwords not necessarily the most secure – ICO publishes new guidance on encryption and passwords in online services

On 1 November 2018 the Information Commissioner’s Office (ICO) published new guidance on passwords in online services and encryption to comply with the General Data Protection Regulation (GDPR).

The ICO’s guidance around online password systems is particularly interesting, as it defies the common sense expectation that a more complex password will necessarily be the best option from a data security perspective. Passwords are often seen as sufficiently “secure” if their chosen words are sufficiently strong or complex, but this fails to take into account the natural human inclination to choose easily memorable words or that they may be shared amongst users or be easily guessed by attackers.

Additionally, individuals are becoming increasingly overwhelmed with the number of access credentials they need to remember and default to reusing short or memorable passwords, often following a similar theme, which can provide unauthorised parties with easy access to multiple accounts.

What does the GDPR say about security?

Article 32 of the GDPR imposes a general obligation for controllers and processors to adopt “appropriate technical and organisational measures” (appropriate to the circumstances) to safeguard any processed personal data. Encryption is specified as one way of demonstrating compliance with this obligation, while the ICO refers to the use of passwords in this context, being a common way of protecting access to systems that process personal data. Both forms of security measures must be “appropriate” to the risks, costs and issues involved, and can be used to demonstrate compliance with this obligation.

Both guides provide some detailed technical suggestions for implementing their advice in practice.

Below are some key practical takeaways:

Encryption

• Organisations should have dedicated policies and training for staff in the use of encryption.
• Encryption should not be seen as the be-all and end-all of security measures. Organisations need to be aware of the residual risks that still remain within encrypted systems (e.g. if an employee walks away from an unlocked laptop, thereby temporarily leaving an encrypted device in an unencrypted form), and take appropriate remedial measures.
• Processes in place should be periodically reviewed to ensure they are still fit for purpose, particularly to protect against vulnerabilities in encryption algorithms and key size which may be discovered over time.
• Loss or destruction of unencrypted data could be grounds for the ICO to pursue regulatory action.
• Encryption should be used for both storing and transmitting data. This can provide effective protection against unauthorised or unlawful processing, or against interception by a third party.
• When transmitting data, organisations should encrypt the actual personal data being transferred as well as using an encrypted communication channel over a trusted network. It is possible to transmit encrypted data over an insecure channel and vice versa, but using a secure channel will ensure that the content cannot be understood if intercepted, and transmitting unencrypted data over a secure channel will mean that the data will only be encrypted while in transit.
• Organisations should be aware of any sector-specific guidance applicable to them, which may make encryption mandatory or subject to additional conditions (e.g. NHS guidance for health and care organisations).

Passwords

• Systems should be periodically reviewed to check they are still fit for purpose, in particular to ensure that they can meet evolving technological threats. For example, advances in processing power can reduce the effectiveness of cryptography.
• Organisations need to implement the “data protection by design and default” approach advocated by Article 25 GDPR to its password systems. In essence, this means data protection considerations and compliance need to be integrated into all aspects of an organisation’s processing activities and business practices throughout a system’s lifecycle, including by identifying (and restricting their processing to) the minimum data required to achieve a particular purpose, and being upfront with individuals about such processing.
• Interestingly, the ICO questions whether passwords will always be the best choice for authentication. Passwords are often seen as sufficiently “secure” if their chosen words are sufficiently strong or complex, but this fails to take into account the natural human inclination to choose easily memorable words or that they may be shared amongst users or be easily guessed by attackers. Password systems should not make it excessively onerous for individuals to keep their account secure.
• Additionally, individuals are becoming increasingly overwhelmed with the number of access credentials they need to remember and default to reusing short or memorable passwords, often following a similar theme, that can provide unauthorised parties with easy access to multiple accounts. This can lead to “credential stuffing”, whereby a breach of the access credentials of one service can be used to test access against other online services.
• A system that involves regular expiry and refreshing of passwords may not always be beneficial, as this can cause users to change a strong password for a series of weaker ones. It may be better for users to be required to create a strong password that is only changed when necessary (e.g. after a breach).
• Password reset processes should be secure, and not be transmitted directly over email (even if temporary) or be able to be read to a user over the phone. Use one-time links or set a separate phone password for the account to validate a user over the phone.

Conclusions

The key message across both guides is that while encryption and password protection will certainly be accepted and highly recommended methods of appropriate security measures, organisations should not be complacent and assume that having any such systems in place in themselves will be enough to ensure GDPR compliance. Given the GDPR principle of data protection by design and default, organisations need to ensure that technical security measures are – and remain – fit for purpose specific to each organisation’s particular circumstances and processing activities over the course of the system’s entire life cycle.

Both guides, particularly the password guidance, would be useful reading for those involved in the IT or security sector as they provide a fair bit of technical detail about suggested measures, such as how to store passwords, ideal maximum restrictions for passwords, appropriate hashing algorithms to use and the standards that should be met by encryption software. They also provide sources for obtaining further information, such as the National Cyber Security Centre (NCSC) and GetSafeOnline.

The ICO’s guidance on online passwords can be found here and the ICO’s guidance on encryption can be found here.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now