Improve Compliance by Improving Password Security

by Eoin Campbell | Sep 14, 2022

Let us imagine the following scenario: in an effort to improve data security and comply with GDPR requirements, a small-to-medium-sized business adopts a new password policy under which every employee is issued a new password each week.

On the face of it, this looks like a very high level of security. In theory, regular rotation limits how long a stolen or guessed password remains usable, thereby protecting the personal data of the company’s clients, suppliers and the staff themselves. But is such a policy practical?

The (theoretical) gain from regular password changes comes with significant disadvantages that may well outweigh it. Constant changes confuse staff and reduce productivity: people forget the new password, lock themselves out, and turn to the IT department, which then has to handle a steady stream of password-related support requests on top of its everyday duties. There is a subtler problem too: staff forced to change passwords frequently tend to pick predictable variations of the same base word (an incrementing number, the current month), so an attacker who learns one old password can often guess the current one. This is why both NIST (SP 800-63B) and the UK’s NCSC now advise against forcing periodic password changes and recommend changing a password only when there is evidence it has been compromised.

Worse still, some employees have been known to circumvent the risk of forgetting the weekly password by simply writing it on a post-it note stuck to their workstation, where it is visible to anyone who enters the office (customers, suppliers, delivery workers, cleaners, etc.). Clearly, this defeats the whole point of changing passwords in the first place.

Assess the risk

A business which finds itself in such circumstances needs to be honest and realistic, and the first step is to evaluate the risk involved. For some smaller, non-technical businesses which do not regularly handle sensitive personal data, a heavy regime of frequent password changes may not be necessary at all, and if imposed on an older, less IT-literate workforce it may in fact prove counterproductive.

Most businesses will recognise, however, that a lower standard of data security really isn’t an option. If your enterprise falls into this category, a reliable password manager such as Bitwarden is undoubtedly the best option.

What is a password manager?
For the benefit of the uninitiated, a password manager generates, stores and retrieves passwords from an encrypted database. Most password managers work in the same way. During setup the user chooses a strong master password. This should follow best practice: a long passphrase (length matters more than the mix of numbers, capitals, lower-case letters and symbols) that avoids guessable personal information such as names, birthdays or pet names. The master password is never stored as such: the manager runs it through a slow key-derivation function to obtain the key that encrypts the vault, and in a well-designed product this happens on the user’s own device, so the provider never holds the key. The user then adds their other credentials, either manually or with import tools that pull saved passwords from browsers.

Essentially, a password manager lets the user remember a single password and still benefit from long, unique, randomly generated passwords for every account that needs protection. This works because the credentials sit in an encrypted password “vault” that is opened with that one password; from the vault, login forms on all of the user’s devices can be filled automatically. The corollary is that the master password becomes the single point of failure: it should be long, used nowhere else, and the vault account should be protected with two-factor authentication.
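The following is an added illustration of the vault model just described, written for this page; it is not Bitwarden’s code or any product’s code, and the site names, the passphrase and the iteration count are constructed assumptions. It shows the four things that matter: a slow key-derivation function turns the one master password into the vault key on the user’s device, the server-side record contains only a salt, the KDF parameters and an opaque blob, a wrong master password is rejected by an integrity check rather than yielding garbage, and per-site passwords come from a cryptographic random generator so none is ever reused.

```python
"""Model of a client-side-encrypted password vault (Python standard library only).

Steps mirrored from the explanation above:
  1. master password + per-user random salt -> 64-byte master key via PBKDF2
     (a deliberately slow hash, so guessing against a stolen vault is expensive)
  2. master key split into an encryption key and a MAC key
  3. entries encrypted then MACed on the client; the stored record holds only
     the salt, the iteration count and the opaque blob, never the key
  4. site passwords generated with a CSPRNG so every account is unique

The HMAC-SHA256 counter-mode keystream below is a stand-in for AES-GCM chosen so
the example runs without third-party packages; a real product uses a vetted AEAD
library rather than hand-built encryption. This is example code, not Bitwarden's.
"""
import hashlib
import hmac
import json
import secrets
import string

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP's current figure for PBKDF2-HMAC-SHA256
NONCE_LEN, TAG_LEN = 16, 32


def derive_master_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into 64 bytes: [0:32] encryption key, [32:64] MAC key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    blocks = [hmac.new(enc_key, nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
              for n in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = master_key[:32], master_key[32:]
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting: a wrong key fails here."""
    enc_key, mac_key = master_key[:32], master_key[32:]
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob truncated")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def generate_password(length: int = 20) -> str:
    """Random per-site password from a CSPRNG, the kind the manager fills into login forms."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_vault(master_password: str, entries: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What gets synced to the server: salt, KDF parameters and the sealed blob only."""
    salt = secrets.token_bytes(16)
    key = derive_master_key(master_password, salt, iterations)
    blob = seal(key, json.dumps(entries).encode("utf-8"))
    return {"salt": salt.hex(), "iterations": iterations, "blob": blob.hex()}


def unlock_vault(master_password: str, stored: dict) -> dict:
    """Re-derive the key on the device and open the vault; ValueError on a wrong password."""
    key = derive_master_key(master_password, bytes.fromhex(stored["salt"]), stored["iterations"])
    return json.loads(unseal(key, bytes.fromhex(stored["blob"])).decode("utf-8"))


def check_master_password(master_password: str, stored: dict) -> bool:
    """True only if the candidate password re-derives the MAC key that verifies the blob."""
    try:
        unlock_vault(master_password, stored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: one memorable passphrase, random passwords for two made-up sites.
    passphrase = "correct horse battery staple"   # constructed example, not a real credential
    entries = {site: generate_password() for site in ("mail.example", "crm.example")}
    record = create_vault(passphrase, entries)
    print("server-side record holds:", sorted(record))
    print("unlock with right passphrase:", unlock_vault(passphrase, record) == entries)
    print("unlock with 'Password1':", check_master_password("Password1", record))
```

The point to take from the record returned by `create_vault` is what is absent from it: no key and no plaintext, only material that is useless without the master password. That is also why the slow KDF and a long passphrase matter; if a provider’s copy of the vault is ever stolen, the attacker’s only route is to guess the master password offline, and the iteration count multiplies the cost of every guess.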

Which password manager should I choose?

There are a number of reputable firms which provide a secure and reliable service, but if forced to choose, here at ComplianceJunction we are happy to recommend Bitwarden. As one would expect, Bitwarden syncs passwords across all of a user’s devices through a common vault, and its browser extensions fill passwords into login forms automatically. The best part is that the core product is free, and it is open source, so its encryption design can be independently reviewed. For only $10 per year, extra features such as encrypted file attachments and a built-in two-factor code generator are available.

Can a password manager be hacked?
The simple answer is yes. Despite offering a considerable amount of security, a password manager can indeed be hacked. In August 2022, for example, the CEO of LastPass confirmed that the company had been breached, although there was no evidence that the incident had exposed any customer personal data or passwords. The question to ask of any such incident is whether copies of customers’ encrypted vaults were taken: even encrypted, a stolen vault can be attacked offline by guessing the master password, which is why a long master passphrase and a high key-derivation cost matter so much.

Nonetheless, such cases must be kept in perspective: a small risk of compromise remains, but the correct use of a reputable password manager significantly reduces the risk of a data breach compared with reused or frequently rotated human-chosen passwords.

The reality of data gathering, storage and processing is that 100% security is in all likelihood impossible. Each business must nevertheless strive for the highest level of security it can realistically achieve. Given that Bitwarden is free to use and offers an excellent level of reliable security, it seems foolish not to avail of it.



Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection. He is an expert on data privacy and GDPR. You can contact Eoin via LinkedIn
