Information security—passwords

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Information security—passwords
  • Introduction to passwords
  • Regulatory requirements
  • The security principle
  • Data protection by design and default
  • Passwords and data breaches
  • When and how to use passwords
  • Assessing risk
  • Risks and technical considerations
  • Password storage

Information security—passwords

Passwords are a widely available method of protecting access to personal data and the systems used to process it. They are relatively affordable and simple to implement, so they are recommended by the Information Commissioner’s Office (ICO) as a means of protecting personal data.

Organisations could be subject to regulatory action where appropriate data protection measures have not been implemented. Many data breach incidents investigated by the ICO, where personal data was stolen, lost or accessed without appropriate authorisation, would have been less severe if the data had been adequately protected.

This Practice Note reflects the ICO’s detailed Guidance on passwords to help organisations understand their options and responsibilities, as well as the UK General Data Protection Regulation (UK GDPR).

Introduction to passwords

One of the biggest issues when handling personal data and other information is making sure that access to it is available to those who need it, while preventing access by unauthorised individuals. This means you need to authenticate and authorise the individual who is attempting to access it. This is commonly done by checking for something an individual:

  1. has, eg a tangible device such as a smart card

  2. is, eg biometric measures such as retina scans or fingerprints

  3. knows, ie a password

Passwords are the most common of these, as they are the easiest to put into place and are familiar to most users, whether employees or customers.

However, there
