Internal Password Policies with TimeTac
by Magdalena Fladl, 23.10.2020
When a company processes personal data, it must ensure that only authorized people can access it. How should passwords be designed to protect that data from unauthorized access? Time tracking is no exception: access to it should be protected by secure login credentials. In this article, we show you how to create secure passwords and password policies in your TimeTac account.
Why should you secure passwords in your company?
Unfortunately, passwords are often far too simple, reused, or even written down. It is not unusual for them to be guessed by automated attacks (dictionary and brute-force tools) or stolen by attackers. The consequences are not only economic: in the event of a data leak, the company may also be in breach of the GDPR, which can lead to heavy fines.
What does a password have to do with GDPR?
A company processes a large amount of data, from customer and supplier data to employee data. Throughout the EU, this personal data must be adequately secured and protected from access by unauthorized third parties in accordance with the General Data Protection Regulation (GDPR) and supplementary national laws. A personal data breach must, as a rule, be reported to the supervisory authority within 72 hours of the company becoming aware of it (Art. 33 GDPR), and the affected persons must be informed if the breach is likely to pose a high risk to them (Art. 34 GDPR). If a breach occurs despite appropriate data protection and password policies, you can point to those measures to demonstrate that you took the necessary precautions.
What makes a good password?
A secure password reduces the risk of a data leak through password cracking. Which password should you choose to make it secure, and which factors determine the quality of a password? The challenge is fundamental: the authorized user should be able to remember the chosen password easily, while for everyone else it should be as difficult as possible to find out.
Strength and quality are determined by the following factors:
- the length (number of characters), which contributes most to strength
- the kinds of characters used, e.g. lower case, upper case, numbers, and special characters (note that predictable substitutions such as P@ssWord! add very little, because cracking tools try them first)
- the word itself should not exist in a dictionary or lexicon, or in lists of previously leaked passwords
- whether the password is unique to this account or reused for other services
- the age of the password (time since the last change)
Why does a company need password policies?
A secure password alone is not enough; above all, secure and responsible handling of passwords within the company is needed to prevent unauthorized access. The company should develop concepts and password guidelines together with its data protection officer. A password policy considerably increases the protection of data in the company.
- Require the use of passwords: every device used to access personal data must be secured with a password.
- Specify in the password policy the requirements that users must follow, including rules for when passwords must be changed (for example after a suspected compromise, or at a regular interval).
- Maintain security policies for networks and connections over which passwords are transmitted: passwords must never travel unencrypted over networks you do not control.
- The same applies to the storage of passwords: passwords the company keeps for its own use (for example in a password manager) must be stored encrypted and in a safe place, and systems that verify passwords should store only salted hashes, never the cleartext.
- You can also list approved password managers in your policy.
How to develop password policies within TimeTac
In your TimeTac account, you can make various settings to implement your company’s password policy in TimeTac. In the “Settings” menu, under “Account Settings” you will find all the important settings for account management. One area in the “Account Settings” folder is the “Passwords and User Name” section. Here you can define and set all the requirements for how passwords and user names should be designed in TimeTac.
As a TimeTac administrator, you can set guidelines for user names and passwords.
You can define the following requirements for passwords and user names:
Interval for change: This setting defines how often users have to change their password. Note that current guidance (for example NIST SP 800-63B) advises against forcing frequent changes without cause, because users respond with predictable variations; if you set an interval, keep it long and combine it with the reuse rules below.
Maximum length: You can specify the maximum number of characters a password may contain.
Minimum length, upper case, lower case, numerals, special characters: Determine the minimum total length and the minimum number of uppercase letters, lowercase letters, numerals and special characters that new passwords must contain.
Duration for reuse: This setting defines the minimum number of days that must elapse before an identical password may be used again.
Number of changes for reuse: This setting defines how many password changes must occur before an identical password may be used again.
Number of login attempts before lockout: This setting defines after how many failed login attempts the user account is locked.
Usernames – minimum length: This setting defines the minimum number of characters required for new user names.
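As an added, illustrative example (written for this article; it is not TimeTac's code and says nothing about how TimeTac implements these settings internally), the following Python module models a policy with the same parameters and checks candidate passwords against it. It covers the strength factors listed under "What makes a good password?" as well as the settings in this section: length limits, character-class minimums, a dictionary check that also undoes common symbol substitutions such as P@ssWord!, the two reuse rules, the change interval and the lockout counter. The policy values, the small word list, the sample passwords and the reference date are assumptions chosen for the example.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed reference time for the example (the article's date) and a day unit.
EXAMPLE_NOW = datetime(2020, 10, 23)
DAY = timedelta(days=1)

# Hypothetical policy object mirroring the settings described above. Illustrative
# code written for this article, not TimeTac's own implementation.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12             # "Minimum length"
    max_length: int = 128            # "Maximum length"
    min_upper: int = 1               # "upper case"
    min_lower: int = 1               # "lower case"
    min_digits: int = 1              # "numerals"
    min_special: int = 1             # "special characters"
    change_interval_days: int = 180  # "Interval for change"
    reuse_min_days: int = 365        # "Duration for reuse"
    reuse_min_changes: int = 5       # "Number of changes for reuse"
    max_failed_logins: int = 5       # "Number of login attempts before lockout"
    # Constructed mini dictionary; a real deployment would use a large wordlist.
    blocklist: frozenset = frozenset({"password", "welcome", "qwerty", "timetac"})

@dataclass
class UserState:
    # History holds (salt, salted digest, changed_at) tuples, never the cleartext.
    history: list = field(default_factory=list)
    failed_logins: int = 0
    locked: bool = False

# Undo common symbol substitutions so P@ssW0rd! still hits the dictionary
# check: a predictable substitution adds almost nothing to real strength.
_LEET = str.maketrans("@$01345!", "asoleasi")

def _digest(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def check_complexity(pw: str, policy: PasswordPolicy) -> list:
    """Return violation codes for the length, character-class and dictionary rules."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too_short")
    if len(pw) > policy.max_length:
        problems.append("too_long")
    classes = (("upper", str.isupper, policy.min_upper),
               ("lower", str.islower, policy.min_lower),
               ("digits", str.isdigit, policy.min_digits),
               ("special", lambda c: c in string.punctuation, policy.min_special))
    for name, is_kind, minimum in classes:
        if sum(1 for c in pw if is_kind(c)) < minimum:
            problems.append(f"too_few_{name}")
    if any(word in pw.lower().translate(_LEET) for word in policy.blocklist):
        problems.append("blocklisted_word")
    return problems

def check_reuse(pw: str, state: UserState, policy: PasswordPolicy, now: datetime) -> list:
    """Enforce both reuse rules: enough changes AND enough days since the same password."""
    problems = []
    recent = state.history[-policy.reuse_min_changes:]  # the last N passwords are off limits
    for entry in state.history:
        salt, digest, changed_at = entry
        if not secrets.compare_digest(_digest(pw, salt), digest):
            continue
        if entry in recent:
            problems.append("reused_within_changes")
        if now - changed_at < policy.reuse_min_days * DAY:
            problems.append("reused_within_days")
    return problems

def set_password(pw: str, state: UserState, policy: PasswordPolicy, now: datetime) -> list:
    """Validate a new password; on success store its salted digest and return []."""
    problems = check_complexity(pw, policy) + check_reuse(pw, state, policy, now)
    if not problems:
        salt = secrets.token_bytes(16)
        state.history.append((salt, _digest(pw, salt), now))
    return problems

def change_overdue(state: UserState, policy: PasswordPolicy, now: datetime) -> bool:
    """True when the current password is older than the change interval."""
    if not state.history:
        return True
    return now - state.history[-1][2] >= policy.change_interval_days * DAY

def record_login(state: UserState, success: bool, policy: PasswordPolicy) -> bool:
    """Count failed logins and lock the account once the threshold is reached."""
    if state.locked:
        return False
    if success:
        state.failed_logins = 0
        return True
    state.failed_logins += 1
    if state.failed_logins >= policy.max_failed_logins:
        state.locked = True
    return False
```

Two design points are worth noting. The history used for the reuse check stores only salted, slow digests, so an attacker who obtains the history table cannot read old passwords; and the two reuse settings are enforced together, so a password is accepted again only after both the required number of changes and the required number of days have passed. With these defaults, `check_complexity("P@ssWord!", policy)` returns `["too_short", "too_few_digits", "blocklisted_word"]`: the substitution of `@` for `a` does not hide the dictionary word.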