Published on Thursday, May 2, 2019 - 10:17 by Camilla Winlo
Today is the 6th annual World Password Day, the day when organisations around the world are encouraged to celebrate good password security. It doesn’t seem to have a theme this year, but last year the theme was #LayerUp (or multi-factor authentication to you and me) and frankly that still seems like an excellent choice.
The idea is that organisations with 2FA or MFA technologies use today to educate their users about the benefits and encourage them to enable the features, particularly on their bank account, email and social media.
If your organisation isn’t ready for that, or wants to add to it, the National Cyber Security Centre (NCSC) is recommending that passwords should be Three Random Words.
While it may be obvious to information security and data protection experts, most other password users aren’t aware that their password is part of the encryption process that protects their data. They also don’t always appreciate the problems weak password security can cause, for themselves or their organisations.
The problem is, humans need to be able to remember passwords. The National Cyber Security Centre published its first UK Cyber Survey on 21 April 2019, showing that an astonishing 23.2 million breached accounts worldwide were ‘protected’ by the password 123456. Hundreds of thousands of people were using easily guessable information such as their favourite football team or musician.
Layering up helps with this by adding ‘something you have’ to the ‘something you know’, making the attack more complex and requiring more skills from the attackers.
Why Three Random Words?
Three Random Words helps by making the password longer. That protects it against both brute force attacks and guesswork. It is tricky for humans to choose three genuinely unconnected words that are still memorable, but it is stronger than one word.
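The arithmetic behind that claim, as an added example that is not part of the original post: the guess space for a password built from a wordlist grows as the wordlist size raised to the number of words, so three words drawn from the same list are the cube of one word. The wordlist here is a constructed eight-word stand-in, the 7,776-word list size and the 10 billion guesses per second used in the comparison are assumed figures for illustration, and the entropy figures hold only when the words are picked uniformly at random by the machine rather than chosen by the person, which is exactly the difficulty the post notes.

```python
import math
import secrets

# Constructed wordlist stand-in. A real deployment would use a list of a few
# thousand common words; only the list size matters for the arithmetic below.
WORDLIST = ["apple", "river", "candle", "orbit", "meadow", "copper", "violin", "harbour"]


def three_random_words(wordlist=WORDLIST, separator="-"):
    """Pick three words uniformly at random with a CSPRNG, never with random.choice."""
    return separator.join(secrets.choice(wordlist) for _ in range(3))


def search_space(wordlist_size, n_words):
    """Number of distinct passwords an attacker must consider."""
    return wordlist_size ** n_words


def entropy_bits(wordlist_size, n_words):
    """Entropy of n words chosen uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def expected_guess_seconds(space, guesses_per_second):
    """On average an attacker finds the password after trying half the space."""
    return (space / 2) / guesses_per_second


def compare(wordlist_size=7776, guesses_per_second=10_000_000_000):
    """Assumed figures: a 7,776-word list and 10 billion offline guesses per second."""
    one = search_space(wordlist_size, 1)
    three = search_space(wordlist_size, 3)
    return {
        "one_word_bits": round(entropy_bits(wordlist_size, 1), 2),
        "three_word_bits": round(entropy_bits(wordlist_size, 3), 2),
        "one_word_expected_seconds": expected_guess_seconds(one, guesses_per_second),
        "three_word_expected_seconds": expected_guess_seconds(three, guesses_per_second),
    }


if __name__ == "__main__":
    print("sample passphrase:", three_random_words())
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the assumed figures a single word falls in well under a second, while three words take roughly 24 seconds of dedicated offline guessing; against an online login with rate limiting the same space takes years, which is why length and a lockout policy work together.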
Password security and GDPR
Article 32 of the GDPR requires organisations to implement ‘appropriate organisational and technical measures’. If your organisation is following guidance such as that promoted by World Password Day or the National Cyber Security Centre, it is easier to demonstrate that your measures are appropriate.
Most up-to-date systems should facilitate at least one of these approaches, but we do still see systems that restrict the length of passwords or don’t provide feedback to users on password strength. It would be more difficult to demonstrate that such a system met the requirements of Article 32.
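The two shortcomings just named, a length cap and no feedback, side by side with a policy that avoids them, as an added example that is not part of the original post. The breached-password denylist is a constructed five-entry stand-in for a list such as the one the post cites, the 8, 12 and 16 character limits are assumed values, and the `Policy` class and `check_password` function are illustrative, not any product's API.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a breached-password list; a real system loads a
# large list or queries a breach-check service rather than embedding entries.
BREACHED = frozenset({"123456", "password", "qwerty", "liverpool", "letmein"})


@dataclass(frozen=True)
class Policy:
    min_length: int
    max_length: Optional[int]   # None means no cap, so passphrases are never rejected for length
    denylist: frozenset = frozenset()


# The pattern the post warns about: a short cap that blocks three-word passphrases
# and no breached-password check, so the user gets no useful feedback.
WEAK_POLICY = Policy(min_length=8, max_length=12)

# A policy closer to the NCSC advice: a floor, no ceiling, known-bad passwords rejected.
RECOMMENDED_POLICY = Policy(min_length=12, max_length=None, denylist=BREACHED)


def check_password(candidate, policy):
    """Return (accepted, feedback). Feedback is a list of plain messages for the user."""
    feedback = []
    if len(candidate) < policy.min_length:
        feedback.append(
            f"Use at least {policy.min_length} characters; "
            "three random words will usually get you there."
        )
    if policy.max_length is not None and len(candidate) > policy.max_length:
        # A cap at this point is a policy defect, but we report it honestly rather
        # than silently truncating the password, which is worse.
        feedback.append(f"Longer than the {policy.max_length}-character limit.")
    if candidate.lower() in policy.denylist:
        feedback.append("This password appears in a list of breached passwords; choose another.")
    return (not feedback, feedback)


def audit_policy(policy, sample_passphrase="copper-harbour-violin"):
    """Flag the two defects the post describes: a length cap and a missing denylist."""
    findings = []
    if policy.max_length is not None and len(sample_passphrase) > policy.max_length:
        findings.append("length cap rejects a three-random-words passphrase")
    if not policy.denylist:
        findings.append("no breached-password check, so users get no strength feedback")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("recommended", RECOMMENDED_POLICY)):
        print(name, "audit:", audit_policy(policy) or ["no findings"])
        for pw in ("123456", "liverpool1", "copper-harbour-violin"):
            accepted, msgs = check_password(pw, policy)
            print(f"  {pw!r}: {'accepted' if accepted else 'rejected'} {msgs}")
```

The point the audit makes explicit is that the weak policy accepts `liverpool1` and rejects the three-word passphrase, the opposite of what Article 32 would need you to defend.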
However you choose to celebrate World Password Day, we hope you will use it as an opportunity to talk about information security with your employees and to consider the role and effectiveness of passwords in your data protection risk management armoury.