A General Data Protection Regulation password policy

What is the GDPR?

The General Data Protection Regulation (GDPR) was enacted by the European Union in April 2016. It was passed as a replacement of an outdated data protection directive from 1995. The GDPR focuses on regulations to properly collect, store, transmit, and handle EU citizens' personal and sensitive data, both inside and outside the EU. Companies handling such sensitive data must ensure compliance with the GDPR.

What are the GDPR password requirements?

The GDPR does not mention any specific requirements concerning password security. However, organizations seeking comprehensive GDPR compliance are encouraged to adopt the following password and authentication best practices:

1. The minimum password length should be eight characters.
2. Old passwords must not be repeated.
3. Passwords should not contain personal information or dictionary words.
4. Passphrases are recommended for passwords.
5. Passwords should contain at least one character from each of the five character categories: uppercase, lowercase, numeric, special, and Unicode characters.
6. Passwords should never be stored in plaintext but should be encrypted using strong encryption algorithms.
7. Users must be authenticated with MFA techniques.

Make your organization GDPR-compliant with ADSelfService Plus

ADSelfService Plus offers strong password policy and MFA settings that can help your organization comply with the password and authentication best practices listed above. You can create a custom password policy over the built-in AD password policies and enforce it on all AD users or just specific ones based on their domain, OU, or group memberships.

1. Ban weak passwords: Block leaked or weak AD passwords, patterns, and palindromes.
2. Set a custom password length: Make longer passwords mandatory by specifying the minimum password length.
3. Enforce password histories: Ensure strong passwords by prohibiting users from reusing a set number of their previous passwords during resets and changes.
4. Ensure password complexity: Allow users to use Unicode characters in their passwords in addition to uppercase, lowercase, special, and numeric characters.
5. Mandate MFA for users: Secure user access to resources by enabling MFA for machines, applications, VPNs, and OWA. Choose from a range of 20 different MFA authenticators to verify users' identities.

Benefits of using ADSelfService Plus to comply with the GDPR

• Increased password security: Enforce passphrases and restrict consecutive repeated characters and common character types in passwords. Enable the Password Strength Analyzer to give users instant visual feedback on their password strength when they change or reset their AD passwords.
• Fine-grain flexibility: Create different password policies for different users accessing different levels of sensitive data depending on the OUs or groups that they belong to in the organization.
• Advanced MFA techniques: Implement adaptive MFA techniques, like conditional access and customizable trust options, to authenticate users based on their location, IP address, and device type.
• Compliance with regulations and standards: Ensure that your organization complies not only with GDPR standards but also with NIST SP 800-63B, PCI DSS, CJIS Security Policy, and SOX compliance mandates.