South Korea plans to change six-month password replacement rule

By Kuksung Nam, The Readable
Jun. 13, 2023 7:44PM GMT+9

The South Korean government is looking into relaxing a rule that requires personal information handlers to change their password every six months.

In a press release on Monday, the Office for Government Policy Coordination Prime Minister’s Secretariat stated that the password replacement rule was included among ten regulations selected as part of a campaign to root out unnecessary and inconvenient government policies. The South Korean government held a public survey from March 21 to April 20, which received 932 suggestions about inadequate regulations; these were then reviewed by experts and government officials.

Under the public notice on personal information protection measures, personal information handlers must set an expiration date on their passwords and replace them more than once every six months. Although this rule does not apply to users, websites have asked users to abide by the same policy, as it was presented as one of the safety practices in privacy manuals. The South Korean government explained that this could lead managers and users to experience difficulties in remembering multiple passwords and put security at risk if they wrote their confidential information on their smartphones.

According to the Personal Information Protection Commission (PIPC), there are multiple views on password policy, with some believing that frequent changes could induce users to set easier passwords, impacting the safety of confidential information. The PIPC shared the National Institute of Standards and Technology (NIST) digital identity guidelines, which state that verifiers should not require memorized secrets to be changed periodically but should force a change “if there is evidence of compromise.”

“We are looking into revising the mandatory password replacement policy,” an official in the new technologies for personal information division at PIPC told The Readable. “Companies have different personal information managing environments. We are seeking ways that could enable those in charge to establish their own password setting rules and replacement periods.”

The cover image of this article was designed by Sangseon Kim.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.