Cybersecurity: Understanding passwords

If implementing enough cybersecurity to comply with privacy law is so complex, and massive breaches and software vulnerabilities are reported in the press on a weekly basis, then why are experts quite so preoccupied with the handful of jumbled characters people must choose before they can get on with the thing they are paid to do?!

There is a broad consensus amongst cybersecurity professionals that passwords are a textbook example of how not to do security: the whole control rests on a secret that people must invent, remember and type correctly, and that an attacker can simply guess…

Passwords are used where a software developer needs to provide a way for a user to prove who they are (or perhaps their age, their right to access specific data or just that they are a human being). They are a short string of characters that are normally chosen by the user – after several attempts, much swearing and a second, more careful, read of the instructions about which combinations of characters are allowed.

They are pervasive because they are ‘free’ for the developer to implement and don’t need the customer to invest in additional technologies, such as card readers or biometric systems. Unfortunately, all of the cost of this security measure then falls on the user[1].

The reason this security measure causes so many security problems is that it is so hard to use.

Not only are they difficult to use and difficult to train staff to use, it is also difficult for service providers to ensure that the mechanism that checks whether the password we enter is correct is both robust and secure. The stored passwords must be protected (never kept in plain text, but salted and hashed with a deliberately slow function so that a stolen database cannot be quickly turned back into passwords), the comparison must not leak anything about the right answer, and the login itself must limit how many guesses an attacker can make. Both the Data Protection Act and the new EU General Data Protection Regulation impose security requirements that govern how passwords are handled and stored.
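The server-side part of that paragraph is the easiest to get wrong, so here is an added example (not code from Clayden Law, the infographic or any particular product) of a weak storage scheme beside a hardened one, using only the Python standard library. The record format `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration work factor and the `weak_hash` "before" are assumptions for illustration; the work factor in particular should be tuned so that one check costs roughly a tenth of a second on the servers that will run it.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor: tune so one hash costs roughly 100 ms on your servers
SALT_BYTES = 16
HASH_BYTES = 32


def weak_hash(password: str) -> str:
    """The 'before': an unsalted, fast hash. Two users with the same password get the
    same stored value, and an attacker holding the database can test billions of
    guesses per second against every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    # '==' on the hex strings is also a (minor) timing side channel; compare_digest below avoids it.
    return weak_hash(password) == stored


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """The 'after': a per-user random salt, deliberately slow key derivation, and a
    self-describing record so the work factor can be raised later without a flag day."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the parameters in the stored record and compare it in
    constant time. A malformed or foreign record is a failed login, never an exception."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if iterations < 1 or len(salt) != SALT_BYTES or len(expected) != HASH_BYTES:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker setting than current policy. Call it
    after a successful login, while the plaintext is briefly available, and re-store."""
    try:
        algorithm, iterations_text, _, _ = stored.split("$")
        return algorithm != ALGORITHM or int(iterations_text) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    secret = "correcthorsebatterystaple"   # constructed sample password
    alice = hash_password(secret)
    bob = hash_password(secret)
    print("weak hashes identical for two users:", weak_hash(secret) == weak_hash(secret))
    print("salted records differ for two users:", alice != bob)
    print("correct password accepted:", verify_password(secret, alice))
    print("wrong password rejected:", not verify_password("Correcthorsebatterystaple", alice))
    print("old record needs upgrade:", needs_rehash(hash_password(secret, 1000)))
```

Two points are worth noticing when running it. Alice and Bob choose the same password, yet their stored records differ, so an attacker who cracks one learns nothing about the other; and `verify_password` treats a corrupt record exactly like a wrong password, which is what you want when the same code path handles data that may have been tampered with.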

One focus is the strength of the password: how many guesses, and therefore how long, a hypothetical attacker would need to work out what it is. That depends on the length of the password and on the range of characters it draws from, but also on whether it is one that many other people have chosen, because attackers try the common ones first. In our infographic we’ve provided some insight into how the choice of characters influences password strength, as well as discussing some other issues around commonly chosen passwords.
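To make the strength arithmetic behind that paragraph concrete, here is an added example (my own code, not the infographic's) that estimates a password's brute-force search space from its length and the character classes it uses, and treats anything on a list of commonly chosen passwords as already guessed. The tiny `COMMON_PASSWORDS` set is constructed for illustration, and the guess rate of ten billion per second is an assumed figure for an offline attack on a fast, unsalted hash; it is the worst case for the user, and a properly slow hash or an online login form would be many orders of magnitude slower.

```python
import math
import string

# Constructed, illustrative set of commonly chosen passwords. A real check would use a
# breach-derived list of millions of entries; any match is treated as 'guessed at once'.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Character classes as an attacker would model them: if a password uses only lowercase
# letters, the attacker only has to search a 26-symbol alphabet.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the union of every class the
    password uses, plus one symbol for each character outside those classes."""
    chars = set(password)
    size = sum(len(members) for members in CLASSES.values() if chars & members)
    known = frozenset().union(*CLASSES.values())
    size += len(chars - known)   # e.g. a space or an accented letter
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size).
    A password on the common list, or an empty one, has no strength at all."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an attacker to try every candidate of this shape at the
    assumed guess rate (on average the password falls in half that time)."""
    return (2 ** entropy_bits(password)) / guesses_per_second


def describe(password: str) -> str:
    bits = entropy_bits(password)
    years = seconds_to_exhaust(password) / (365 * 24 * 3600)
    return f"{password!r:30} alphabet={charset_size(password):3d} bits={bits:6.1f} years={years:.3g}"


if __name__ == "__main__":
    # Constructed sample passwords: a common one, a 'complex' short one and a long plain one.
    for candidate in ("password1", "Tr0ub4dor&3", "correcthorsebatterystaple", "P@55w0rd"):
        print(describe(candidate))
```

The point the numbers make is the one the infographic makes: a long password of plain lowercase letters outscores a shorter one that ticks every complexity box, and a password on the common list scores nothing however it is decorated. The model is deliberately generous to the user, since a real attacker also tries dictionary words, keyboard patterns and the substitutions that `Tr0ub4dor&3` relies on, so treat the bits as an upper bound rather than a guarantee.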

Using physical security as a metaphor, passwords are our keys to locked doors in the virtual world, and with the increasing value of the data we store online, it’s time we started looking after them as well as we look after the keys to our homes, offices and cars. 

But as well as the challenges passwords present to users, passwords are challenging for service providers to implement, especially justifying investing in the level of behind-the-scenes protections needed to fortify a password system. 

Privacy legislation, certainly once the GDPR comes into effect, will expect greater accountability (accountability is in fact a new data protection principle underpinning the GDPR) and provides for substantially greater penalties for organisations that do not invest in suitable technology to safeguard password security, especially where a personal data breach can lead to data subjects suffering financial loss. This is aside from the reputational cost that may be inflicted, along with any other losses and claims.

Organisations, if they have not already done so, would be prudent to review their password technology from both the user and the server side prior to the implementation of the GDPR.

A more detailed overview of what passwords are intended to achieve, why they’re so hard to use, why they haven’t been replaced and what users and service providers can do to make them more secure is available to download.

About our Cybersecurity Series
Clayden Law has teamed up with technical expert Emma Osborn, and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area.

[1] Cormac Herley, “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”, Microsoft Research, 2009. https://www.microsoft.com/en-us/research/publication/so-long-and-no-thanks-for-the-externalities-the-rational-rejection-of-security-advice-by-users/