General Data Protection Regulation password policy

What is the GDPR?

The General Data Protection Regulation (GDPR) was enacted by the European Union (EU) in April 2016. It was passed as a replacement for an outdated data protection directive from 1995. The GDPR focuses on regulations to properly collect, store, transmit, and handle EU citizens' personal and sensitive data both within the EU member states and outside the EU. Companies handling such sensitive data must ensure compliance with the GDPR regulations that are discussed below.

What are the GDPR password requirements?

The following are the GDPR password requirements:

1. The minimum password length should be eight characters
2. Old passwords must not be repeated
3. Passwords should not contain personal information or dictionary words
4. Passphrases are recommended for passwords
5. Passwords should contain at least one character from each of the four-character categories
6. Passwords should never be stored in plain text but should be encrypted using strong encryption algorithms
7. Users must be authenticated with MFA techniques

Make your organization GDPR-compliant with ADSelfService Plus

ADSelfService Plus offers effective password policy settings that can help your organization comply with the above GDPR password requirements. You can create a custom password policy over the built-in AD password policies and enforce it on all or specific AD users based on their domain, OU, or group memberships. Below are some of the settings that ADSelfService Plus' Password Policy Enforcer offers:

1. Ban weak passwords: Block leaked or weak AD passwords, patterns, and palindromes.
2. Set a custom password length: Make longer passwords mandatory by specifying the minimum password length.
3. Enforce password history: Ensure password strength by enforcing password history rules during native password resets in the Active Directory Users and Computers console.
4. Ensure password complexity: Allow users to use Unicode characters in their passwords in addition to uppercase, lowercase, special, and numeric characters.
5. Mandate MFA for users: Secure user access to resources by enabling MFA for machines, applications, VPNs, RDPs, and OWAs. Choose from a range of 19 different MFA authenticators to verify users' identities.

Benefits of using ADSelfService Plus to comply with the GDPR mandates

• Increased password security: Enforce passphrases, and restrict consecutively repeated characters and common character types from passwords. Enable the Password Strength Analyzer to give users instant visual feedback on password strength when they change or reset their AD passwords.
• Fine-grained flexibility: Create different password policies for different users in the organization accessing different levels of sensitive data, depending on the OUs or groups that they belong to.
• Advanced MFA techniques: Implement adaptive MFA techniques, like conditional access and customizable trust options, to authenticate users based on their location, IP address, and device type.
• Compliance with regulatory standards: Ensure that your organization complies not only with the GDPR standards but also with NIST SP 800-63B, PCI DSS, CJIS, and SOX compliance mandates.

Some other benefits of ADSelfService Plus - Self Service Reset Password Management