Hy-WpwD_2021! – Happy World Password Day!
May 6 is World Password Day – and the combination of username and password is still one of the most widely used methods for authentication. Reason enough for us to offer you some background knowledge for the security of your data.
Here are some facts you might not know about passwords:
- Passwords are a technical and organizational measure (TOM) in accordance with Article 32 GDPR. The use of insufficient TOMs may result in heavy fines for data controllers within the meaning of the GDPR, Article 83(4) GDPR.
- Attackers are able to check several billion passwords per second.
- Unlike in the past, it is no longer recommended to change passwords regularly, as this does not increase protection (e.g., according to the UK National Cyber Security Centre). Forced regular changes instead lead many users to choose passwords that are too simple.
- Passwords should not be reused for other services, because a password may already have been exposed through an earlier security vulnerability.
The most common recommendations for creating secure passwords are as follows:
Create passwords that are at least 12 characters long, use lowercase and uppercase characters, numbers and special characters, or best of all, use the “first letter method” recommended by the Federal Office for Information Security: simply think of a sentence and use the first letter of each word.
For example: “Heuking helps me with data protection 365 days / year!” becomes “Hhmwdp365d/y!”
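As an added illustration (not code from the original post or from Heuking), the following Python snippet checks a password against the recommendations above (at least 12 characters, lowercase, uppercase, digits and special characters) and derives a password from a sentence with the first-letter method. The derivation rules are an assumption chosen so that the post's own example sentence yields exactly the post's result: words contribute their first letter plus any trailing punctuation, while numbers and stand-alone punctuation are kept whole.

```python
import string

MIN_LENGTH = 12  # minimum length recommended in the post


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def first_letter_password(sentence: str) -> str:
    """Derive a password from a sentence using the first-letter method.

    Rules (assumption, chosen to reproduce the post's example):
    - a token beginning with a letter contributes its first letter plus any
      trailing punctuation, so "year!" becomes "y!";
    - any other token (a number such as "365", or punctuation such as "/")
      is kept unchanged.
    """
    parts = []
    for token in sentence.split():
        if token[0].isalpha():
            core = token.rstrip(string.punctuation)  # "year!" -> "year"
            suffix = token[len(core):]               # "!"
            parts.append(token[0] + suffix)
        else:
            parts.append(token)
    return "".join(parts)


if __name__ == "__main__":
    sentence = "Heuking helps me with data protection 365 days / year!"
    derived = first_letter_password(sentence)
    print(derived, check_policy(derived))      # Hhmwdp365d/y! []
    print(check_policy("password"))            # four violations
```

`check_policy` reports every violated rule rather than stopping at the first, which is what a user-facing form needs; `first_letter_password` only turns a sentence into a candidate, and the candidate is then still run through the same policy check.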
One particularly unusual tip involves lying when responding to security questions – after all, it is fairly easy to find out your mother’s date of birth.
What if all of this is too complicated for you? Recommendations and information on the use of password safes can be found, for example, at the Data Protection Authority for the state of Baden-Württemberg.
What do businesses need to consider?
First of all, you should ensure that your employees comply with the requirements for secure passwords – for example by way of a password policy or the mandatory change of preset passwords. System administrators should never store passwords in plain text, and should separately secure password databases against unauthorized access.
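To make the "never store passwords in plain text" point concrete, here is an added Python example (not code from the original post or from Heuking) of how a service stores and verifies passwords: only a salted, slow hash of the password is kept, so a leaked database does not reveal the passwords themselves. The use of PBKDF2-HMAC-SHA256 from the standard library, the iteration count and the record format are assumptions made for this example; any dedicated password-hashing function used with a random per-user salt serves the same purpose.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions for this example, not values from the post.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow to make offline guessing expensive
SALT_BYTES = 16        # random per-user salt: equal passwords get different records


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form algorithm$iterations$salt_hex$digest_hex.

    The plaintext password never goes into the record; only the salted digest does.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


# A minimal in-memory "user database" (constructed for this example).
USERS = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "Hhmwdp365d/y!")
    print(USERS["alice"])                      # no plaintext anywhere in the record
    print(login("alice", "Hhmwdp365d/y!"))     # True
    print(login("alice", "Hhmwdp365d/y"))      # False
```

Because the salt is generated per record, two users with the same password produce different stored values, and the iteration count is stored alongside the digest so it can be raised later without invalidating existing records.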
Secure passwords are obviously not sufficient: Article 32 GDPR imposes further requirements on security in businesses, which must be implemented depending on companies’ size and capabilities, but also depending on the level of security required by the data. Initial guidance is found in the checklist of the Data Protection Authority for the state of Bavaria for implementing Article 32 GDPR. For any additional support in the implementation, please do not hesitate to contact us.
You have changed all passwords and safely stored them in the password safe? Take a look at the IT Security chapter in our Guide to the Law of Digitalization, which we drafted for Hamburg Chamber of Commerce’s Competence Center 4.0, and find out what else you can do to protect your data. Valuable information and articles on the entire field of Cyber Security are also available on our website.