ICO guidance on encryption and use of passwords in online services

How can data controllers and processers improve their security measures?

The background

The Information Commissioner’s Office (ICO) has released guidance on encryption and the use of passwords and online services.  The aim is to assist data controllers and processors in processing personal data, in accordance with Article 32 of the GDPR, with the “appropriate technical and organisational measures”.

The development

Encryption

The ICO has advised that controllers and processors should have policies that adequately regulate the use and implementation of encryption, including educating staff and being up to date with specific guidance and standards.  The ICO recommends that the encryption of data in storage protects data against unlawful or unauthorised processing.  It also informs that an effective method of safeguarding the data from interception from another party is to encrypt the data whilst it is being transferred.

The ICO has also listed four areas to consider when implementing encryption:

• selecting the right algorithm (and regularly examining its appropriateness)
• selecting the right key size (and ensuring it is large enough to protect from a data attack)
• selecting the right software (and ensuring that it meets current standards FIPS 140-2 and FIPS 197)
• keeping the key secure (and having systems to produce new keys if necessary).

Passwords

Although the GDPR does not expressly refer to passwords, any password system has to be “appropriate”, meaning that the password set up should be periodically reviewed and updated. 

The ICO questions whether the use of passwords is the safest system to use to protect personal data.  The guidance argues that the number of passwords that the common user of an online service has to create results in both short and memorable passwords that are used across a number of webpages.  The risk of what is known as “credential stuffing”, was illustrated in 2012, when LinkedIn suffered a data breach and lost the passwords of 165m customers, which resulted in a number of other account breaches due to the similarity of their passwords on other sites.

The ICO recommends that a password system should make the accessing of stored passwords (in a readable form) as tricky as possible and also prohibit attackers from attempting to guess the password and username.  The ICO also suggests limiting the number of login attempts allowed and basing this number on the perceived behaviour of both attackers and users.

The ICO specifies that hashing algorithms should be used in storing the passwords, rather than being kept in plain text.  Regular assessment of the hashing algorithm is also necessary to protect the personal data.  The ICO also states that login pages should be protected with HTTPS or a similar provision.

The ICO has listed three areas to consider for any password system:

• password length (which should be no less than 10 characters)
• allowing special characters
• password blacklisting, where passwords are compared to passwords on a “blacklist” which contains popular passwords, passwords that relate to the relevant service and former leaked passwords.

The ICO also notes that ideally a system should provide an easy way for users to construct a secure password and that a website should only have a password renewal system when it is completely essential for the circumstances. 

Why is this important?

As “appropriate measures” are not defined in Article 32, the guidance is particularly helpful in ensuring that the right measures are taken with respect to encryption and passwords.  All the more important when the ICO also makes it clear that regulatory action may be pursued if non-encrypted data is destroyed or lost.

Any practical tips?

Do not create a burdensome security process for users, whether in setting restrictions on the creation of a password, or requiring regular changes, as research suggests that this behaviour will cause the user to create weaker passwords.  Remember also that if you are gathering data from the user to strengthen the password authentication system then this may be considered as processing data and you may be subject to the GDPR.