Why ‘password1’ no longer makes the cut under GDPR
On 5 August, the French data protection authority announced its decision to fine Spartoo SAS (an online shoes, clothing and accessories retailer) €250,000 for multiple GDPR violations.
The list of violations cited by the CNIL includes:
- breach of Article 5(1)(c) (data minimisation)
- breach of Article 5(1)(e) (data retention)
- breach of Article 13 (duty to inform data subjects of the circumstances surrounding the processing of their personal data)
- breach of Article 32 (duty to take adequate measures to ensure the security of personal data).
In relation to Article 32, it was found that Spartoo SAS had failed to put in place adequately robust password policies in relation to customer accounts, which resulted in their failure to ensure the security of the data related to these accounts as required under Article 32.
In their written decision (available here in French) CNIL examined Spartoo’s existing password rules and commented that a password made up of only 8 characters from only one category of character (e.g. lowercase only) was not strong enough, and that Spartoo had been unable to demonstrate how passwords of this nature were sufficiently robust to withstand cyber attacks.
But CNIL didn’t stop at publicly airing Spartoo’s lax (or some might say, non-existent) password policy, and went on to advise that a suitable password policy would contain one of the following rules:
- Passwords should be made up of a minimum of 12 characters, containing at least one capital and one lower case letter, one number and one special character; or
- Passwords should be made up of a minimum of 8 characters, containing 3 – 4 categories of characters and should be accompanied by an additional security measure (such as account lock out after a set number of incorrect entries).
In visual terms, it appears Spartoo’s ‘password’ will need to be upgraded to ‘Pa$sw0rD!912’.
So what does this mean for UK based organisations? Well, UK organisations are clearly not obliged to follow the guidance in the decision of the French data protection authority, but are obliged to consider the ICO’s guidance on the topic.
According to the ICO, passwords should be no less than 10 characters long, can contain special characters (although this should not be made mandatory by organisations), and organisations should consider ‘blacklisting’ commonly used words or phrases.
Interestingly, the ICO notes that setting too many requirements in your password policy might result in reuse of passwords across multiple accounts or in forgetting passwords, which will strain password reset systems.
So while it might not be best practice to impose very complex password policies akin to those recommended by CNIL, organisations certainly need to be aware that failure to put in place a robust password policy can leave them equally at risk of enforcement even if such failure doesn’t result in a cyber-related data breach.
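As an added illustration (not part of the original article), the following Python checks a candidate password against the two CNIL options and the ICO minimum described above. The blacklist contents and the `lockout_enabled` flag are constructed stand-ins for an organisation's own configuration.

```python
# Constructed blacklist of commonly used passwords; an organisation would
# maintain its own, much longer list (assumption, not from the article).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def char_categories(pw: str) -> int:
    """Count how many of the four categories (lower, upper, digit, special) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_cnil_option_1(pw: str) -> bool:
    """CNIL option 1: at least 12 characters with all four character categories."""
    return len(pw) >= 12 and char_categories(pw) == 4


def meets_cnil_option_2(pw: str, lockout_enabled: bool) -> bool:
    """CNIL option 2: at least 8 characters with 3-4 categories, plus an
    additional control such as account lockout after repeated failures."""
    return len(pw) >= 8 and char_categories(pw) >= 3 and lockout_enabled


def meets_ico_guidance(pw: str) -> bool:
    """ICO: at least 10 characters, special characters allowed but never
    mandatory, and commonly used passwords blacklisted (exact match, lowercased)."""
    return len(pw) >= 10 and pw.lower() not in COMMON_PASSWORDS


def evaluate_policy(pw: str, lockout_enabled: bool) -> dict:
    """Return the outcome of each rule set for one candidate password."""
    return {
        "cnil_option_1": meets_cnil_option_1(pw),
        "cnil_option_2": meets_cnil_option_2(pw, lockout_enabled),
        "ico": meets_ico_guidance(pw),
    }


if __name__ == "__main__":
    # 'password1' from the title fails every rule set; the article's
    # 'Pa$sw0rD!912' satisfies all of them when lockout is in place.
    for candidate in ("password1", "Pa$sw0rD!912", "correcthorsebattery"):
        print(candidate, evaluate_policy(candidate, lockout_enabled=True))
```

Note that a long lowercase passphrase passes the ICO minimum but neither CNIL option, which is the tension between the two regulators that the article describes.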
For a little bit more help and clarity with password policies, the ICO recommends this guide published by the National Cyber Security Centre.