Privacy Not Protected by Short Passwords?

The Commission nationale de l’informatique et des libertés (CNIL – the French privacy authority) has recently found a company in breach of its duty to protect the personal information of its employees because the company used unduly short passwords that were too easy to guess and that were not changed often enough. (See the story on Le Village de la Justice)

According to the CNIL, the employer should have had a password policy that required longer passwords composed of letters, numbers and special characters, and that also required that the passwords be changed frequently.

It was not demonstrated that anyone had actually had his or her password hacked or information accessed; the point was theoretical only, but nonetheless the CNIL imposed a fine of 10,000 euros.

In Canada, many privacy statutes including PIPEDA require data custodians to take reasonable care to keep personal information confidential. Would CNIL’s standards be applied here? Should they be?


Comments

  1. David Collier-Brown

    The standard should be how hard the password is to guess, not whether it contains numbers, letters or funny characters.

    It’s trivial to populate a rainbow table with data to catch cutesy tricks like “always use ‘3’ for an ‘E’”, giving you a breach in exactly 0 seconds (after you spent a month creating the table).

    If the standard doesn’t codify what the cryptographers say, it’s a standard that *requires you* to create bad passwords. See Bruce Schneier and the XKCD cartoon at http://www.businessinsider.com/bruce-schneier-on-password-strength-2013-2

    And yes, I have encountered exactly that kind of enforced insecurity from various clients and employers. I give those people passwords from my “not ever to be used for anything real” collection (;-))

    –dave

  2. Hi Dave,

    The answers to your two questions are yes and yes. CNIL’s standards should definitely be applied here because they are more than reasonable. In other words, I do not think we need to dig too deep to conclude that a minimum password length of 5 characters cannot reasonably be considered secure, even in a context where a maximum number of failed logins is set at a fairly low number (no indication of this setting is provided in the article either way).

    Additionally, this penalty was applied based on the lack of 3 or 4 controls around passwords (i.e. not just the fact that minimum password length was only 5 characters). Back on the point of unreferenced reasonability, their assertion is that there is no doubt that the combination of these deficiencies places the data at risk. In other words, quantifying that risk is not necessary in light of the seriousness of these deficiencies. I suspect that the underlying message is that by allowing users to choose weak passwords, organizations send the unfortunate message that security is not important and the protection of personal information is either not a priority or the PI itself is of low value. For this reason, individuals themselves should not be blamed for failing to hold their access in adequately high regard.

    Conveniently, their law clearly states that the organization in question is responsible for taking the necessary steps to protect data integrity and confidentiality. Controls need to be applied to the data and to the processing methods that impact it.

    As an aside, insofar as ‘privacy not being protected by short passwords’ goes, I would say – for the benefit of the general population – that privacy is a right, so it can technically only be protected by law. If we’re equating the term with ‘personal information’ in this case, then adequate access controls should be in place to protect it, but it is confidentiality controls that ought to provide assurance. I’m probably stating the obvious, but want to underline that the enforcement and hashing of passwords are two different preven(ta)tive controls and should certainly not be assumed to be inseparable for the purpose of authentication or otherwise.

    It would be unfair to generalize and say that Canadian organizations small and large suffer from a pervasive lack of such access controls, but the inconsistency with which they are applied places data at constant risk and complicates the task of conducting security assessments. So this kind of penalty would instantly set a baseline for the degree of rigor that is expected. While we may not necessarily need to spell out what is reasonable in every case, we are likely closer to agreeing on what is not reasonable.

    Virtually,

    Claudiu
    @datarisk
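Dave’s point about substitution tricks and Claudiu’s point about a five-character minimum can be put in numbers. The Python estimator below is an added example, not code from the post or from either commenter; it contrasts the strength a composition policy credits to a password with the work an attacker using dictionary, leet and suffix rules actually pays. The wordlist and the guessing rate are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption; a real attacker
# uses millions of entries, which only widens the gap shown here).
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "monkey", "dragon"}

# Substitutions that cracking rule sets undo for free ("3" for "E", "@" for "a").
LEET_TO_LETTER = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
SUBSTITUTABLE = set(LEET_TO_LETTER.values())


def policy_bits(password: str) -> float:
    """Strength a composition rule credits: each character as if drawn at random
    from the union of the character classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def attacker_bits(password: str, wordlist=COMMON_WORDS) -> float:
    """Work an attacker actually pays: dictionary word x every leet variant x
    optional capital x numeric suffix. Falls back to policy_bits when the
    password is not built from a listed word."""
    stem = password.rstrip(string.digits)  # "welcome123" -> "welcome"
    suffix_len = len(password) - len(stem)
    word = "".join(LEET_TO_LETTER.get(c, c) for c in stem).lower()  # "P@ssw0rd" -> "password"
    if word not in wordlist:
        return policy_bits(password)
    variants = 2 ** sum(1 for c in word if c in SUBSTITUTABLE)  # leet on/off per letter
    guesses = len(wordlist) * variants * 2 * (10 ** suffix_len)
    return math.log2(guesses)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst case for an offline attack on a fast unsalted hash (rate is an assumption)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ["qzvkm", "P@ssw0rd", "welcome123", "x7Q#pL2vNz!m"]:
        print(f"{pw:14} policy {policy_bits(pw):5.1f} bits  attacker {attacker_bits(pw):5.1f} bits"
              f"  {seconds_to_exhaust(attacker_bits(pw)):.3g} s")
```

A policy that demands "P@ssw0rd" credits it with about 52 bits while the rule-based attacker needs fewer than 8; a random five-letter password has about 23.5 bits, which an offline attacker at the assumed rate exhausts in well under a second.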