The South Korean government is considering revising the regulation that mandates personal information handlers to change their passwords every six months. As part of an initiative to eliminate unnecessary and inconvenient policies, the Office for Government Policy Coordination, Prime Minister’s Secretariat, identified the password replacement rule among ten regulations targeted for review.
A public survey was conducted from March 21 to April 20 to gather feedback, resulting in 932 suggestions on inadequate regulations, which were evaluated by experts and government officials.
In line with these developments, the Personal Information Protection Commission (PIPC) has issued a legislative notice for the proposed amendment to the Enforcement Decree of the Personal Information Protection Act.
The amendment is scheduled to take effect on September 15, 2023, following a 40-day legislative notice period from May 19 to June 28, 2023. This amendment will be implemented alongside the amended Personal Information Protection Act to enhance data privacy regulations.
The current rule on personal information protection measures requires personal information handlers to set an expiration date for their passwords and to replace them at least once every six months.
While this requirement does not apply to users directly, websites have encouraged users to follow the same practice through the safety guidelines in their privacy manuals. However, the South Korean government acknowledges that this approach can create difficulties for both managers and users: it can make multiple passwords hard to remember and increases the risk that confidential information stored on smartphones is compromised.
The PIPC has observed diverse perspectives on password policies. Some argue that frequent password changes could incentivize users to select weaker passwords, jeopardizing the security of sensitive information.
In support of this view, the PIPC has referenced the digital identity guidelines published by the National Institute of Standards and Technology (NIST), which recommend that verifiers should not require memorized secrets to be changed on a fixed schedule. Instead, a password change should be required only when there is evidence of compromise.
In response to the concerns raised about the mandatory password replacement policy, the PIPC is actively considering revisions. An official from the PIPC’s new technologies for personal information division highlighted the need for flexibility, acknowledging that companies operate in diverse personal information management environments. The aim is to establish a framework that allows responsible parties to define their own password rules and to determine suitable replacement periods based on their specific requirements.