
DATA PROTECTION

Italian Data Protection Authority and Cybersecurity Agency: Guidelines for cryptographic storage of passwords approved.

Passwords play a crucial role in protecting people's lives in the digital world. And it is precisely with the aim of raising the level of security, both of digital service providers and software developers, that the Agency for National Cybersecurity (ACN) and the Garante per la protezione dei dati personali (Garante for the protection of personal data) have developed specific guidelines on password storage, providing important indications on the technical measures to be taken.

Many personal data breaches are in fact closely linked to how passwords are protected. All too often, identity theft is caused by the use of computer authentication credentials stored in databases that are not adequately protected with cryptographic functions.

Such cyber attacks exploit the bad habit many users have of reusing the same password across different online services, with the consequence that compromising the authentication credentials of a single service can lead to unauthorised access to multiple systems. Industry studies show that the theft of usernames and passwords enables cyber criminals to commit numerous frauds against victims. Stolen data are used to illegally access entertainment sites (35.6%), social media (21.9%) and e-commerce portals (21.2%). In other cases, they allow access to forums and websites of paid services (18.8%) and financial services (1.3%).

The Guidelines are addressed to all businesses and administrations that, in their capacity as data controllers or data processors, store on their systems the passwords of their users, where those users are a large number of data subjects (e.g. SPID or CieID digital identity providers, PEC (certified e-mail) managers, e-mail service providers, banks, insurance companies, telephone operators, healthcare facilities, etc.), subjects accessing databases of particular relevance or size (e.g. employees of public administrations), or types of users who habitually process sensitive or judicial data (e.g. healthcare professionals, lawyers, magistrates).

The objective of the Guidelines is to provide recommendations on the cryptographic functions currently considered the most secure for storing passwords, so as to prevent authentication credentials (usernames and passwords) from being hacked and ending up in the hands of cyber criminals, to be put online or used for identity theft, ransom demands or other types of attacks.

(Source: Data Protection Authority Press Release - Ownership of contents: Data Protection Authority)