- GDPR is concerned with the collection, processing, and protection of sensitive personal data for citizens of the EU. Under GDPR, personal data is anything that can directly or indirectly identify an individual. This includes basics like names and addresses, but also encompasses data such as ID numbers, IP addresses, phone numbers, health records, and biometric data.
- Weak passwords are easily obtained by threat actors and used for credential stuffing and password spraying attacks, which the European Data Protection Board has said in its guidance are reportable breaches.
- Consider adopting a minimum length of 16 characters or longer as part of a password policy.
- Multi-factor authentication should be required to reset any password. This ensures that it is truly the proper user resetting the password and not an attacker impersonating that user.
- Best practice is to hash passwords before storing them in a database, using a strong hashing algorithm such as SHA-256 or SHA-512.
– Enzoic | March 18, 2021
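The length policy and hashed storage described above, as an added example that is not Enzoic's code. It assumes SHA-512 is used inside salted PBKDF2 (a single unsalted SHA-512 pass is fast to brute-force offline); the iteration count, record format and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

MIN_LENGTH = 16        # the 16-character minimum suggested in the list above
ITERATIONS = 210_000   # assumed PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16        # per-password random salt


def meets_policy(password: str) -> bool:
    """Length-only policy check: 16 characters or longer."""
    return len(password) >= MIN_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: scheme$iterations$salt_hex$digest_hex."""
    if not meets_policy(password):
        raise ValueError(f"password shorter than {MIN_LENGTH} characters")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha512":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample, 28 characters
    stored = hash_password(sample)
    print(stored.split("$")[:2], verify_password(sample, stored))
```

Because each record carries its own salt and iteration count, the work factor can be raised later and old records still verify until they are rehashed at next login.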