A DPO’s Guide to Strong Password Policies

Did you know that 80% of breaches involving hacking worldwide are linked to the use of lost or stolen credentials or brute force attacks?

That means that hackers are exploiting poor password management much more than system vulnerabilities. For Data Protection Officers (DPOs) and their infosecurity colleagues, this signals how important a strong password policy is in protecting your organisation’s data from a potential breach.

A good password policy is not just about creating strong passwords. Rather, DPOs must also be concerned about how employees handle passwords, if they update them regularly, and whether mechanisms are in place to prevent attacks.

The Personal Data Protection Commission (PDPC) advises that password policies be properly documented and clearly disseminated to employees. Without a policy in writing, employees have no reference for policies and practices to be followed.

In the course of enforcing the Personal Data Protection Act (PDPA) of Singapore, the PDPC has noted that some cases have involved emails with personal data, sometimes large amounts, sent via an email service without any password protection.

There was also at least one case whereby an unused administrator account with the same username and password of “admin” remained in a system for nearly a year after the employee had left the organisation.

With such cases in mind, here are 10 password policy must-haves to help DPOs ensure that your own password policies, one of five common vulnerabilities for data breaches, are sound and up to date.

Find out more about data protection in our 101 guide here.

10 must-have practices for your password policies

1. Change default passwords immediately

Failing to change default passwords immediately makes you vulnerable to brute force and dictionary attacks. It also makes the organisation vulnerable to password spraying, an attack wherein cybercriminals input default passwords into several accounts, instead of trying to crack one account. Thus, the failure of just one employee to change a default password puts the whole organisation at risk.

2. Create a strong password

Enforce a minimum password length, and require your employees to create complex passwords. Using passphrases, such as il0v3this@rticl3 is one way to generate complex passwords. You can use the Cyber Security Agency of Singapore’s Password Strength Checker to verify how strong your passwords are.

Employees should also be trained not to use the same password for different accounts, especially work and personal accounts. LastPass reported that companies with 1,000 employees or fewer reuse an average of 10–14 passwords per employee.

3. Create a lockout mechanism

Implementing a lockout mechanism, where users are only allowed a maximum number of attempts to enter the correct password, also helps protect your organisation from brute force and dictionary attacks. Cybercriminals can easily obtain brute-force hacking tools on criminal marketplaces for just $4 on average, according to a Digital Shadows report.

Although this is usually limited to 3 attempts, the maximum number of attempts should depend on how much data and what kind of data will be compromised if the account is breached.

Aside from lockout mechanisms, implementing a delay after a failed login attempt or using CAPTCHAs also help guard against brute-force attacks.

4. Password expiry mechanisms

Password expiry mechanisms should be in place to force employees to change their passwords periodically. The period of expiry should be determined based on the risk of damage that will occur should the account be breached. However, the period can be lengthened if a good level of password complexity is enforced.

It is also best to enforce mechanisms that do not allow users to reuse passwords within the last 3 changes, as these may still be on a hacker’s list. Train employees not to simply make variations of old passwords (e.g. from dataprotection to dataprotection1!), since these are also easily cracked.

5. No sharing of passwords

While this may seem like a common sense no-no, Google reports that 43% of Americans have shared their password with someone else.

6. Do not display your password in public

Unfortunately, 42% of organisations still rely on sticky notes for password management, according to Ponemon Institute. Aside from sticky notes, employees must be trained not to store passwords on note-taking apps or on their email accounts.

Your password policy should also prohibit developers from storing passwords and access codes in publicly accessible web folders, or in code and configuration files. Commeasure, operator of international hotel chain RedDoorz, was fined $74,000 in 2021 for failing to secure the access key to their Amazon Web Services cloud server. The access key was embedded in an application package which was available for public download on the Google Play Store.

Similarly, for password-protected documents, it is best practice to send the password to the recipient through another channel and not the same email.

7. Encrypt passwords

While employees should be taught to store their passwords securely, IT personnel should also sufficiently protect all account passwords.

For instance, IT personnel should ensure that passwords are not visible in plain text when they are being typed by users. Passwords should also be encrypted during transmission and hashed during storage. Encryption should be at par with industry standards and must be reviewed periodically.

8. Require employees to log out

Employees should log out before leaving their computer unattended. This protects against colleagues accidentally gaining access to information that they should not have access to.

9. Multi-factor authentication

Multi-factor authentication (MFA) increases security by preventing access by malicious actors who may know your password. According to Microsoft, MFA can block over 99.9% of account compromise attacks.

MFA must be required especially when sensitive data or large volumes of data are at stake. Administrative accounts, for instance, should use MFA.

In 2021, the National Kidney Foundation was issued a warning by the PDPC after an investigation revealed that MFA was not being implemented, given the nature of personal data they were handling on a daily basis (i.e. health and financial data). A warning was issued despite the foundation having a written password policy and employee training programs in place.

10. Remove inactive accounts

Though inactive accounts may seem harmless, they increase the risk of a breach, especially when password expiry and lockout mechanisms are not in place. Cybercriminals can use inactive accounts to lurk within the organisation without anyone noticing, since these accounts have been forgotten.

Inactive accounts arise when employees leave the organisation, when they are given a new role, or when IT personnel create test accounts. It is important to review accounts periodically and coordinate with Human Resources for employee changes, so that inactive accounts are removed as soon as possible.

In conclusion, password policies are an essential part of your data protection management program. While this list serves as a guide for DPOs to work with their infosecurity teams to develop and audit their password policies, paper compliance is never enough. Employees must be trained and frequently reminded of the organisation’s password policy to ensure that it is enforced in day-to-day operations.

Move beyond paper compliance and learn how to develop a data protection management programme for your organisation by enrolling in our DPMP course.

To learn more about how to protect info security assets, sign up for our course here.