Data Protection Hero: Congratulations on choosing a password that isn't just your dog's name
Weak passwords are one of the most common entry points for unauthorised access to personal data. Using a pet’s name, a child’s birthday, or a word that appears in a dictionary gives attackers very little work to do. Choosing something harder to guess is a small decision with a disproportionately large impact on data security — and under GDPR Article 32, companies are expected to apply appropriate technical and organisational measures to protect personal data. A strong password policy is exactly that.

Weak passwords are one of the most common ways that accounts get compromised, and pet names are near the top of the list. They are easy to guess, often shared on social media, and feel personal enough that people assume no one else would think of them. Someone would think of them. You have chosen something else. This is noted.
Why it matters more than you think
A weak password is not just a personal risk — it is a business one. If your account is compromised because your password was guessable, the consequences extend to every system you have access to. That can include HR records, customer data, financial information, or health records belonging to colleagues. The person whose data is exposed did not choose your password. They had no say in the matter at all.
And don’t forget passwords for your personal devices, applications and services.
Data protection authorities across Europe have cited inadequate access controls — including poor password practices — in enforcement actions. The Norwegian Data Protection Authority (Datatilsynet) and others have made clear that credential security is a baseline expectation under the GDPR, not an advanced requirement.
The practical fix
A strong password is long, random, and unique to each account. The most practical way to achieve this is a password manager, which generates and stores complex passwords so you do not have to remember them. Most companies now have one available to staff — if yours does not, it is worth raising.
For companies, the stronger approach is to enforce password requirements through identity management systems, with a minimum length and a block on the common words and dictionary entries that attack tools try first, rather than relying on symbol rules alone, and to require multi-factor authentication (MFA). MFA means that a compromised password on its own is not enough to gain access, which removes the single point of failure that a weak password creates.
Frequently Asked Questions
Is a strong password a GDPR requirement? GDPR Article 32 requires appropriate technical and organisational measures to protect personal data. Password policies are widely regarded by Supervisory Authorities as a baseline access control measure. A company that lets users choose their own passwords with no minimum length or other requirements would struggle to demonstrate compliance in an enforcement context.
Why is a pet’s name a bad password? Pet names are predictable, publicly available — often on social media — and appear frequently in the dictionary lists that automated attack tools use first. A name that feels personal to you is, statistically, one of the first things an attacker will try.
What makes a password genuinely strong? Length matters more than complexity. A password of 16 or more random characters is significantly harder to crack than a short one with symbols added. A password manager generates and stores these for you, removing the need to remember them. Using a unique password for each account ensures that a breach in one system does not cascade into others.
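To put numbers on the "length matters more than complexity" point and on why a pet name is found almost immediately, here is a small worked example. It is added for this page and is not code from the original post or from any password manager; the cracking rate, the tiny pet-name wordlist and the sample passwords are constructed assumptions for illustration. It generates a manager-style random password with a cryptographic RNG, computes the entropy of several password shapes, estimates brute-force time from that entropy, and shows a dictionary check that strips the trailing digits and symbols attackers also try.

```python
import math
import secrets
import string

# Constructed stand-in for the wordlists attack tools try first. A real list
# has millions of entries; eight common pet names are enough to show the idea.
COMMON_WORDS = {"max", "bella", "charlie", "luna", "buddy", "molly", "rocky", "daisy"}

# Assumed offline guess rate against a fast hash on commodity GPUs (illustrative).
GUESSES_PER_SECOND = 10**10

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2.0 ** bits) / 2.0 / rate


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """The kind of password a manager produces: secrets (CSPRNG), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_dictionary_word(candidate: str, words: set = COMMON_WORDS) -> bool:
    """True if the password is a wordlist entry once case and the usual trailing
    digits/symbols (e.g. 'Bella2019!') are stripped, which mimics simple mangling rules."""
    core = candidate.lower().rstrip(string.digits + string.punctuation)
    return core in words


def summarise(label: str, alphabet_size: int, length: int) -> dict:
    """Entropy and estimated crack time for one password shape."""
    bits = entropy_bits(alphabet_size, length)
    seconds = expected_crack_seconds(bits)
    return {"label": label, "bits": bits, "seconds": seconds, "years": seconds / (365.25 * 86400)}


if __name__ == "__main__":
    for pw in ("Bella2019!", generate_password()):
        print(f"{pw!r}: in wordlist -> {is_dictionary_word(pw)}")
    for s in (
        summarise("8 chars, letters+digits+symbols", 94, 8),
        summarise("16 chars, letters+digits only", 62, 16),
        summarise("16 chars, letters+digits+symbols", 94, 16),
    ):
        print(f"{s['label']:36s} {s['bits']:6.1f} bits  ~{s['years']:.3g} years at 1e10 guesses/s")
```

At the assumed rate, eight random characters with symbols fall in days, while sixteen random alphanumerics already sit far beyond the age of the universe: doubling the length helps enormously, adding symbols to a short password barely moves it, and a name from the wordlist is found before brute force even starts.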
#DataProtectionHero


