
GDPR: companies should look beyond passwords, says ICO

05 Nov 2018

Online service providers should consider alternatives to passwords to keep their systems secure and meet their obligations under data protection laws, the UK's Information Commissioner's Office (ICO) has said.

In new guidance to help organisations comply with the General Data Protection Regulation (GDPR), the watchdog said passwords "carry well-known risks" but provided recommendations for organisations on how to ensure they operate a "good password system".

The ICO said, though, that to meet their obligations on keeping personal data secure under the GDPR, organisations must "consider whether there might be better alternatives to passwords that can be used to secure a system".

"Before designing and implementing a new password system, you should consider whether it is necessary to do so, or whether there is a better alternative that can provide secure access," the ICO said.

"One common alternative to designing and implementing your own solution is to utilise a single sign on (SSO) system. While this has its advantages (not least a reduction in the number of passwords that a user has to remember) you must ensure that you are happy with the level of security that is offered by that system. You must also consider what will happen if the SSO is compromised, as this will most likely also result in your users' accounts being compromised," it said.

The GDPR is not specific about the security measures that organisations must put in place and does not mandate the use of passwords.

One of the overarching principles of the GDPR requires organisations to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

The 'security of processing' rules under Article 32 of the Regulation expand further on the principle's wording and provide a non-exhaustive list of the types of measures that organisations can put in place to meet their data security obligations.

The Article 32 rules also explain that organisations should give consideration to the "state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons" before landing on 'appropriate' security solutions.

In its guidance, the ICO also warned organisations not to store passwords in "plaintext". It added that some "well-known hashing algorithms such as MD5 and SHA1" are unsuitable for 'hashing' passwords because both algorithms have "known security weaknesses which can be exploited". Businesses were warned not to use those hashing algorithms "in any circumstances".

"You should also consider avoiding other fast algorithms," it said. "Use a hashing algorithm that has been specifically designed for passwords, such as bcrypt, scrypt or PBKDF2, with a salt of appropriate length."

"It is important that you review the hashing algorithms you use, as over time they can become outdated. Guidance on algorithms is available from a number of organisations such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Network and Information Security (ENISA)," it said.

The ICO urged organisations to deploy "password blacklisting" as part of measures to ensure users choose strong passwords, and stressed that organisations could fall foul of the GDPR if they do not keep their password systems under "periodic review".
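The points above on salted, password-specific hashing, periodic review of the algorithm in use and password blacklisting can be tied together in a small storage routine. The following is an added example written for this article, not code from the ICO's guidance; it uses PBKDF2-HMAC-SHA256 from the Python standard library, stores each hash in a self-describing record so the iteration count and algorithm can be reviewed and upgraded later, and flags legacy records (such as a bare unsalted MD5 digest) for rehashing. The iteration count and the tiny blacklist are assumed values constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, deliberately tiny blacklist for the example; a real deployment
# would load a large list of known-breached and common passwords.
PASSWORD_BLACKLIST = {"password", "123456", "qwerty", "letmein"}

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed cost setting; tune to your hardware, review periodically
SALT_BYTES = 16        # 128-bit random salt, unique per password


def is_blacklisted(password: str) -> bool:
    """Reject well-known weak passwords before they are ever hashed."""
    return password.lower() in PASSWORD_BLACKLIST


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False   # unknown or legacy format: never verify against it
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str) -> bool:
    """True when the stored record predates the current algorithm or cost setting."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True    # e.g. a bare unsalted MD5/SHA1 hex digest from an old system
    return int(parts[1]) < ITERATIONS
```

On a successful login, a record for which `needs_rehash` returns true can be replaced with `hash_password(password)` while the plaintext is still in memory, which is how a periodic review of the algorithm is carried through to existing users.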

The ICO's new guidance on passwords in online services was published alongside additional guidance on encryption, which is specifically cited in Article 32 of the GDPR as an example of a measure organisations can implement to keep personal data secure.