GDPR Compliance: Checklist for User Password Security

The EU General Data Protection Regulation (GDPR) requires web service providers to implement technical and organizational requirements for data security when offering login areas for their users. German data protection supervisory authorities have issued guidance on how to secure passwords.

When EU users sign up to online services such as communities, web shops, mobile apps, or any other password-protected login zone, the information on the user profile is likely to fall within the scope of the GDPR, irrespective of in which country the data is processed or the data controller is located.

One of the legal obligations of data controllers under the GDPR is to take technical and organizational measures in order to ensure data security. As we recently highlighted, such measures should aim for

• Pseudonymization and encryption of the data
• Confidentiality, integrity, and resilience of IT systems and services
• Availability of data and ability to timely restore data after an incident
• Regular evaluation and update of technical and organizational measures for data security

In a paper by the German data protection supervisory authorities published in March 2019, they issue guidance on how these GDPR requirements must be understood with respect to password security of user accounts.

Guidance for Password Security by German Authorities

The German authorities provide some kind of a checklist of security measures. They consider their suggestions to reflect the technical state of the art and to be generally suitable for ensuring Art. 32 GDPR compliance, however, the authorities emphasize that choosing and implementing the security measures generally remains within the responsibility of the respective data controller. Hence, authorities do not require website or mobile app providers to apply all sugested measures.

This hint may also be understood as a reference to the fact that, by law, the security measures must be appropriate in relation to the risks of processing: Where, for example, sensitive health information of the user may be accessed, copied, or even altered in a password-protected area, stronger security measures must be applied.

The authorities recommend taking the following steps:

• Valuing and indicating password strength to the user: Data controllers must apply password standards that require the combination of certain factors, such as length, numbers, special characters, and sort out trivial combinations and passwords that have already been compromised. They suggest, as a rule, a minimum length of 10 characters for a moderately secure password.
• No regular password reset required: In case strong passwords as described above are used, service providers do not have to require their users to change passwords on a regular basis. Changing the password should, however, be mandatory in case the initial password has been assigned by the service provider via postal mail, or if there are indications of unauthorized accesses or security-relevant weaknesses of software components used.
• Dealing with failed login attempts: The failure of login attempts shall be registered and indicated to the authorized person at the next successful login. Login should be blocked temporarily or permanently in case of a high number of failed attempts, regarding both the number of attempts for the respective account and the number of attempts to log into the service with different user accounts using the same password.
• Dealing with compromised services: If a provider becomes aware that its service has been compromised, it must inform the competent supervisory authority and its users without delay in accordance with Art. 33 GDPR. In addition, appropriate measures must be taken to ensure that unauthorized persons do not gain access to the accounts with this compromised information.
• Notifications on important account events: Providers should inform their users of important events, such as the fact that a telephone number or e-mail address has just been changed to allow access to an account, or in case of successful logins from other countries.
• Secure password reset: Password resets must require secure authentication (e.g. providers should send a reset link that is only valid for a one-time login and expires after max. 1 hour). Security questions may be applied in addition to such e-mail.
• Encrypted transmission and storage of passwords: Passwords have to be transmitted and stored only in encrypted form, in particularly by hashing and salting. On the contrary, using symmetrical encryption algorithms (e.g. AES) may lead to further risks.
• Securing password databases from unauthorized Access: Providers must protect the databases in which they store user passwords from unauthorized access by their own personnel and third parties.
• Training of provider employees: Providers must regularly train their employees on data protection and information security issues, including on social engineering attacks.
• Offering two-factor authentication: In addition to password protection, providers may offer two-factor authentication. Once enabled, two-factor authentication may only be disabled using reasonably secure procedures. In cases of high-risk processing (e.g. access to health data), two-factor authentication is not a mere recommendation, but necessary to comply with the GDPR. Preference should be given to open procedures such as TOTP, which do not require the disclosure of additional personal data (mobile phone numbers). Furthermore, providers are advised to use standardized procedures such as WebAuthn.
• In order to limit the consequences of a possible compromise of data, the data used for authentication, especially passwords, should be stored logically separated from the content data in different database instances. This may also be achieved by separate encryption of the content data.
• Service providers should also inform their users about suitable password management software

Compliance documentation

Documentation of GDPR compliance is a legal obligation of data controllers. The measures taken can be reflected within the records of processing activities (Art. 30 GDPR), or within a data protection impact assessment (Art. 35 GDPR), in case such an assessment is required by law.