Category: Security
Author: Sally-Ann van Nuland, Edwin van Wijngaarden


Almost everything we do and register is done online. Tax returns, banking, making an appointment at our municipality, booking a holiday or simply ordering a new TV. There is one thing that all the prior actions have in common. You need a online membership in some sort. This membership includes you personal data and everytime you want to plan, shop or bank you need to prove that it is really you by using you e-mailaddress or username in combination with a password. And we have all been there, the forgotten password, sending a new link to your e-mail, creating a new one. Sometimes this hassle and the continuous logging in can be a big frustration.

Do you recognize this pop up: Use at least one capitol letter, one digit, one mark, while creating a password? Sure you do, but where did this came from?

Last weekend an article appeared: Inventor of the strict password demands regrets his recommendations. Within this article Bill Burr, appointed inventor, wrote an advice report for the National Institute of Standards and Technology (NIST) known as “NIST Special Publication 800-63. Appendix A.”  Within this report he stated that people should use as much variety in a password as possible. A tip was using capitol letters, digits and marks another one was changing your passwords regularly.

A lot of organizations, among which government institutions, but also commercial businesses followed his advice. The password demands resulted in creative inventions such as initials with a date of birth, or a home address with an exclamation mark. When the password needed to be changed people mostly just changed one or two characters. This made is sometimes easy to figure out. According to experts now, it is better to have a long but logical password, that is easy to remember. A password with four random words summed up is much harder to guess than your birthday.

Even though we know this now it seems unlikely that we will pick up this new advice. The vision of Bill Burr is imbedded in a lot of systems, this makes it hard to adjust. Furthermore a lot of our customers still want to have the demands that Bill wrote down. In SAP systems as well. The report that Burr has created is still available in the archives of NIST. However there have been some changes over the years which are pointed out. More and more options have become available. Think of sending personal codes as a SMS to double check if you are who you say you are online.

Next to the fact that people are individually responsible for the safety of their personal date, an organization or company has to take responsibility too. If the password is easy to contrive it doesn´t make sense to have a password at all. Personal data is being collected to easily and often lately to not take measurements.

Fortunately rules are being adjusted and requirements are being set. With the GDPR coming up more and more data will be seen as a part of this privacy law. One part of this law is set up to create more transparency when it comes to data leaks. One of the new rules oblige companies to communicate data leaks within 72 hours to the controller and if necessary to the people involved. Furthermore there need to be a register with the following:

  • Contact details
  • The goals of having the data
  • A description of the stakeholders (in groups)
  • The receivers of the data
  • A description of precautions that have been taken
  • The intended time the data will be saved

The register isn’t mandatory for organizations with less than 250 employees. With the exception of companies which process personal details on a regular base or when this is risky in any way.

Even though the security of data has got its many technical traps one conclusion couldn’t be more clear as well as organizations, individuals should be careful with their details too. 

Graag meer advies over Security?

Enter your e-mail address and Oliver IT will contact you as soon as possible!

Done! We will contact you soon!
Robin Schutten Sales
Robin Schutten