Password: the new guidelines of the National Cybersecurity Agency and the Italian Data Protection Authority.
When we were children, we used “passwords” in our games, imitating scenes from films or re-enacting fairy tales of places that only a select few could access.
We were asked for it with the arrogance and presumption of those who feel privileged, and we uttered the password with a certain excitement because we knew that if we had done nothing wrong, a door would open that would allow us to enter a forbidden space. A world that only the chosen few could enter, while everyone else remained outside.
A real magic word.
It was an old and simplified version of the passwords that we all know today and that allows us to access our 2.0 realities in which we are immersed daily. Places forbidden to all strangers and for which only we, and very few others, know the access key.
The problem is that this “game” which we are called upon to play constantly forces us to invent and remember, according to some research, an average number of 70-80 passwords to have access to all our devices, programs, applications, reserved areas of websites and everything that has now become indispensable for our lives. So, to overcome this continuous effort of creativity and memory, we often look for shortcuts: we use straightforward passwords such as sequences of numbers, names and dates of birth of children, partners, various relatives, or pets; or we use the same password for all the logins we need, or we write the passwords on sheets of paper that we then leave in plain sight.
In short, when it comes to passwords, which have the same value as the combination of the safe with our most precious assets inside, we do not yet afford them the importance they deserve and treat them with due consideration. On the other hand, according to the data, 50% of cyberattacks involve stolen access credentials because they are stored in inadequately protected databases with cryptographic functions.
It also seems that remote working has greatly aggravated the problem. According to a recent 2022 study, 62% of employees share passwords via SMS or email.
The same research demonstrates alarming statistics on password neglect, including the fact that 57% of respondents admitted to writing work-related online passwords on “post-it notes” and, among these, 67% said they had lost those notes.
The stolen data is used to enter entertainment sites (35.6%) illegally, social media (21.9%) and e-commerce portals (21.2%).
In other cases, they enable access to forums and websites of paid services (18.8%) and financial services (1.3%).
For all these reasons, the National Cybersecurity Agency and the Italian Data Protection Authority have developed specific guidelines on password storage, providing important guidance on the technical measures to be taken.
The guidelines are aimed at all companies and administrations that, as data controllers or processors, store the passwords of their users on their systems, which refer to many data subjects (for example, Spid or CieID digital identity managers, PEC managers, email service managers, banks, insurance companies, telephone operators, and health facilities), to parties who access databases of particular relevance or size (for example, employees of public administrations), or to types of users who habitually process sensitive or judicial data (for example, health professionals, lawyers, and officials).
This is an important measure also because it underlines once again the need to avoid underestimating the strategic role of passwords.
Even if you adhere to the new guidelines, however, you are not safe from the risks of cyberattacks because distraction is always around the corner and the highest risk factor always remains the human one. It is therefore essential to remain vigilant about your online actions and always maintain a high level of security, both in our private lives and in the companies or organisations in which we work.
For this reason, in addition to taking into account the new guidelines issued by the institutions, the best defence remains that of an adequate training course calibrated to the level of preparation of the individual and which, in addition to theoretical knowledge, includes exercises and continuous training, to put the acquired knowledge into practice.
The streets of the web are increasingly dangerous and when we decide to travel them (which is almost always the case nowadays), we must be sure to be protected in the appropriate way and ready to identify and repel any attack.
The guidelines, published in the Official Gazette, can be consulted on the websites www.gpdp.it and www.acn.gov.it.