Know and understand user id and password including how they are used to increase the security of data

Safety and Security – User ID and Password

1. Data‑Protection Legislation (UK DPA & GDPR)

The Data‑Protection Act 2018 (UK) and the General Data‑Protection Regulation (GDPR) require organisations to protect personal and sensitive data. Key obligations include:

  • Lawful, fair and transparent processing – data must be handled in a way users can understand.
  • Security of processing – appropriate technical and organisational measures (e.g., strong passwords, encryption) must be used to prevent unauthorised access.
  • Accountability – organisations must be able to demonstrate that they have complied with the legislation (audit‑trail, regular reviews of security policies).

Secure login credentials (user ID + password) are a fundamental part of meeting these legal requirements.

2. What Is a User ID?

A user ID (also called a username or login name) is a unique identifier that distinguishes one account from another on a computer system, network or online service.

  • Chosen by the user or assigned by an administrator.
  • Visible on the login screen; it does not need to be secret.
  • Should avoid personal details that could be guessed (e.g., full name, birth‑date).

3. What Is a Password?

A password is a secret string of characters known only to the account holder. It is used together with the user ID to verify identity.

  • Must be kept confidential – never shared or written in an insecure place.
  • Stored by the system in a hashed (one‑way) and usually salted form.
  • Combined with the user ID, it forms the primary “something you know” factor of authentication.

4. Personal and Sensitive Data

In the context of the UK DPA/GDPR:

  • Personal data – any information that can identify a living individual (name, address, email, IP address, etc.).
  • Sensitive data – special categories such as health information, racial or ethnic origin, religious beliefs, biometric data, or financial details.
  • Both types must be kept confidential, processed lawfully, and protected with appropriate security measures.

5. How User ID and Password Increase Data Security

  1. Authentication – The system checks that the entered user ID and password match the stored credentials.
  2. Access control – After successful authentication, the system grants only the permissions associated with that account.
  3. Audit‑trail – Every action is logged under the user ID, enabling traceability and detection of misuse.
  4. Barrier to unauthorised access – Without the correct password (or second factor), an intruder cannot log in even if they know a valid user ID.

6. Threats to Login Credentials (Syllabus 8.3)

Threat – How it affects credentials

  • Phishing – Fake emails/websites trick users into entering their user ID and password.
  • Smishing – SMS messages contain links to counterfeit login pages.
  • Vishing – Phone calls persuade users to reveal credentials verbally.
  • Pharming – DNS or hosts‑file manipulation redirects users to a fraudulent site that captures login details.
  • Brute‑force attacks – Automated tools try many password combinations until one works.
  • Keyloggers & malware – Malicious software records keystrokes or reads stored passwords.
  • Social engineering – Manipulation of people to obtain passwords or security answers.
  • Hacking (credential‑stealing) – Exploits in software or databases expose stored password hashes.
  • Viruses & other malware – Can install back‑doors that capture login data or disable security controls.
  • Card‑fraud (online) – Compromised login pages harvest both payment details and credentials.

7. eSafety Behaviours (Internet, Email, Social Media, Gaming)

  • Never share your password or user ID with anyone, even friends.
  • Check the URL (look for “https://” and a padlock) before entering credentials.
  • Log out of public or shared computers; never use “remember me” on such devices.
  • Be wary of unsolicited messages that ask for login details.
  • Use strong, unique passwords for each online game, social‑media account, or email service.
  • Enable privacy settings that limit who can see personal information that could be used in attacks.

8. Technical Safeguards Supporting User ID & Password Security

Safeguard – Purpose & how it helps

  • Encryption (at rest & in transit) – Transforms data into unreadable form; protects passwords stored on disks and data sent over networks (e.g., HTTPS).
  • SSL/TLS & digital certificates – Creates a trusted, encrypted link between client and server; certificates verify the server’s identity.
  • Firewalls (network & host) – Block unauthorised traffic, reducing the chance of remote attacks that aim to capture credentials.
  • Biometrics – Physical traits (fingerprint, facial recognition) provide an additional factor beyond the password.
  • Two‑Factor Authentication (2FA) / Multi‑Factor Authentication (MFA) – Requires a second verification step (e.g., one‑time password, authenticator app). 2FA = exactly two factors; MFA = two or more factors.

9. Password‑Related Concepts (Syllabus 8.3)

  • Hashing & salting – Passwords are stored as a hash value. Example using SHA‑256:

    stored_hash = SHA‑256( password + salt )

    The original password cannot be recovered from the hash; because each user has a different salt, an attacker cannot use a pre‑computed rainbow table of hashes. In practice, systems use a deliberately slow password‑hashing function (e.g., bcrypt, scrypt or Argon2) rather than a single SHA‑256 round, but the principle of storing only salt + hash is the same.

  • Account lock‑out – After a set number of failed attempts (e.g., 5), the account is temporarily disabled (e.g., 15 minutes) to stop brute‑force attacks.
  • Password‑reuse limits – Users must not reuse the last 5 passwords.
  • Password‑recovery mechanisms

    • Secure methods: one‑time link sent to a verified email, temporary code via SMS or authenticator app.
    • Pitfalls of security questions: avoid answers that are publicly known or can be guessed.

  • Password managers – Reputable tools (e.g., Bitwarden, LastPass) generate, store and auto‑fill complex passwords, reducing the temptation to reuse or write them down.
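As an added worked example (not part of the original notes), the following Python program shows how a system stores a salted hash and applies the 5‑attempt / 15‑minute lock‑out described above. The in‑memory user database, the function names and the sample user ID are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5      # lock-out threshold from the notes
LOCKOUT_SECONDS = 15 * 60    # 15-minute lock-out from the notes


def hash_password(password: str, salt: bytes) -> bytes:
    """stored_hash = SHA-256(password + salt), exactly as written in the notes.
    (A real system would use a slow password hash such as Argon2 or bcrypt.)"""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def create_account(db: dict, user_id: str, password: str) -> None:
    """Generate a random 16-byte salt and store only salt + hash, never the password."""
    salt = os.urandom(16)
    db[user_id] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failed": 0,          # consecutive failed attempts
        "locked_until": 0.0,  # epoch seconds; 0 means not locked
    }


def authenticate(db: dict, user_id: str, password: str, now=None) -> str:
    """Return 'granted', 'denied' or 'locked'.  `now` can be injected for testing."""
    now = time.time() if now is None else now
    record = db.get(user_id)
    if record is None:
        # Unknown user ID: hash anyway so the response time does not reveal
        # which user IDs exist (user IDs are not secret, but valid ones help an attacker)
        hash_password(password, b"\x00" * 16)
        return "denied"
    if now < record["locked_until"]:
        return "locked"
    candidate = hash_password(password, record["salt"])
    # hmac.compare_digest takes the same time whether the first byte or the
    # last byte differs, so timing does not leak how close a guess was
    if hmac.compare_digest(candidate, record["hash"]):
        record["failed"] = 0
        return "granted"
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failed"] = 0
    return "denied"


def same_password_different_hashes(password: str) -> bool:
    """Two accounts with the same password get different stored hashes because
    each has its own salt; this is what defeats a pre-computed rainbow table."""
    h1 = hash_password(password, os.urandom(16))
    h2 = hash_password(password, os.urandom(16))
    return h1 != h2


if __name__ == "__main__":
    users = {}                                   # constructed in-memory database
    create_account(users, "alice", "V3r!$t1c@l#2024")
    print(authenticate(users, "alice", "V3r!$t1c@l#2024"))   # granted
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(users, "alice", "wrong-password")
    print(authenticate(users, "alice", "V3r!$t1c@l#2024"))   # locked
```

Note that the lock‑out is checked before the password is compared, so a locked account rejects even the correct password until the 15 minutes have passed; this is what stops an automated brute‑force tool from simply continuing to guess.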

10. Characteristics of a Strong Password

A strong password is hard to guess or crack. It should meet all of the following criteria:

  • Minimum length of 12 characters (longer is better).
  • Mix of uppercase, lowercase, numbers and symbols.
  • No dictionary words, personal names, birth dates, or common patterns (e.g., “123456”, “qwerty”).
  • Unique for each account – never reuse across different services.

11. Password Policy Checklist (AO2 – Create a Policy)

Requirement – Details

  • Minimum length – ≥ 12 characters
  • Character types – Uppercase, lowercase, numbers, symbols
  • Prohibited content – No personal information, dictionary words, or sequential patterns
  • Expiration – Every 90 days or after a confirmed breach
  • Reuse restriction – Cannot reuse the previous 5 passwords
  • Lock‑out policy – Account locked after 5 failed attempts for 15 minutes
  • Recovery – Verified email or authenticator app; avoid easily guessed security questions
  • MFA requirement – Enabled for all privileged or remote‑access accounts
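As an added worked example (not part of the original notes), this Python function turns the strong‑password criteria of section 10 and the checklist rows above into a checker that reports which rows a proposed password violates. The small word list, the keyboard rows and the function name are assumptions for illustration; a real deployment would load a full dictionary and compare the reuse history against stored hashes rather than plain text.

```python
import string

MIN_LENGTH = 12
PASSWORD_HISTORY = 5   # cannot reuse the previous 5 passwords

# Constructed mini dictionary; a real checker would load a full word list
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin", "football")
# Sequences the checklist calls "sequential patterns" (alphabet, digits, keyboard rows)
SEQUENCES = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm")


def check_policy(password: str, personal_info=(), history=()) -> list:
    """Return the checklist rows a password violates; an empty list means it passes.

    personal_info: strings the user must not include (name, birth year, ...).
    history:       the user's previous passwords, oldest first (plain text here
                   only for illustration; store and compare hashes in practice).
    """
    problems = []

    # Minimum length row
    if len(password) < MIN_LENGTH:
        problems.append("length")

    # Character types row: all four classes must be present
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("character types: missing " + ", ".join(missing))

    # Prohibited content row: dictionary words, personal information, sequences
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"dictionary word '{word}'")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"personal information '{item}'")
    for seq in SEQUENCES:
        for i in range(len(seq) - 3):
            run = seq[i:i + 4]           # any 4-character forward or backward run
            if run in lowered or run[::-1] in lowered:
                problems.append(f"sequential pattern '{run}'")
                break

    # Reuse restriction row
    if password in tuple(history)[-PASSWORD_HISTORY:]:
        problems.append("reuse of a previous password")

    return problems


if __name__ == "__main__":
    print(check_policy("V3r!$t1c@l#2024"))                       # [] -> passes
    print(check_policy("qwerty123"))                             # several violations
    print(check_policy("Alice-Smith-1990!!", personal_info=["Alice", "1990"]))
```

The checker deliberately reports every violated row rather than stopping at the first one, so a user (or an auditor checking the policy) sees the full reason a password was rejected.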

12. Example of a Strong Password

V3r!$t1c@l#2024

Explanation:

  • 15 characters (≥ 12)
  • Upper‑case V; lower‑case r, t, c, l
  • Numbers 3, 1, 2, 0, 4
  • Symbols ! $ @ #
  • No dictionary word or personal data – the word “vertical” is broken up by substituted digits and symbols, so it does not appear in the password.

13. Simple MFA Workflow (Two‑Factor Example)

Flowchart – login with password + OTP (one‑time password)

  1. User → enters User ID & Password
  2. System → verifies hash (Password + Salt)
       ├─ If mismatch → Access denied
       └─ If match → continue to step 3
  3. System → sends OTP to registered device (SMS / Authenticator app)
  4. User → enters OTP
       ├─ If OTP correct → Access granted
       └─ If OTP incorrect → retry; after 3 tries → Account lock‑out
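As an added worked example (not part of the original notes), the Python program below walks through the two steps of the flowchart: the password step with a salted hash, then an OTP step that locks the account after 3 wrong codes. The one‑time password is generated with HMAC‑based OTP (RFC 4226), which is the scheme authenticator apps are built on; the class name, the simulated “device” and the sample user are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct

OTP_DIGITS = 6
MAX_OTP_TRIES = 3   # from the flowchart: lock-out after 3 wrong OTPs


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226).  A TOTP authenticator app
    uses the same calculation with the counter derived from the current time."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaLogin:
    """One user's login state for the password + OTP flow in the flowchart."""

    def __init__(self, user_id: str, password: str, otp_secret: bytes):
        self.user_id = user_id
        self.salt = os.urandom(16)                             # per-user salt
        self.hash = hashlib.sha256(password.encode("utf-8") + self.salt).digest()
        self.otp_secret = otp_secret                           # shared with the device
        self.counter = 0
        self.otp_tries = 0
        self.locked = False
        self.password_ok = False                               # step 1 passed?

    # Step 1 / 2 of the flowchart: user ID + password, verify hash(password + salt)
    def submit_password(self, user_id: str, password: str) -> str:
        if self.locked:
            return "locked"
        if user_id != self.user_id:
            return "denied"
        candidate = hashlib.sha256(password.encode("utf-8") + self.salt).digest()
        if not hmac.compare_digest(candidate, self.hash):
            return "denied"                                    # mismatch -> access denied
        self.password_ok = True
        self.counter += 1                                      # a fresh OTP for this login
        self.otp_tries = 0
        return "otp sent"

    # Step 3: what the registered device (SMS / authenticator app) shows the user
    def device_shows_otp(self) -> str:
        return hotp(self.otp_secret, self.counter)

    # Step 4: user enters the OTP
    def submit_otp(self, code: str) -> str:
        if self.locked:
            return "locked"
        if not self.password_ok:
            return "denied"                                    # step 1 must come first
        if hmac.compare_digest(code, hotp(self.otp_secret, self.counter)):
            self.password_ok = False                           # one OTP per login
            return "granted"
        self.otp_tries += 1
        if self.otp_tries >= MAX_OTP_TRIES:
            self.locked = True                                 # after 3 tries -> lock-out
            self.password_ok = False
            return "locked"
        return "otp incorrect"


if __name__ == "__main__":
    # Constructed example: the secret is the RFC 4226 test-vector key
    login = MfaLogin("alice", "V3r!$t1c@l#2024", b"12345678901234567890")
    print(login.submit_password("alice", "V3r!$t1c@l#2024"))   # otp sent
    print(login.submit_otp(login.device_shows_otp()))          # granted
```

Because the OTP check only runs after the password check has passed, an intruder who has obtained a valid user ID and even the password still needs the registered device; and because the counter moves on for every login attempt, an OTP that was phished during one session is useless for the next.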

14. Summary

Secure login credentials are a cornerstone of data protection under the UK DPA and GDPR. By using unique user IDs, strong passwords, and additional safeguards such as hashing, salting, encryption, firewalls and multi‑factor authentication, individuals and organisations can:

  • Authenticate users reliably.
  • Control who can access which data.
  • Maintain an audit‑trail for accountability.
  • Mitigate a wide range of threats (phishing, malware, hacking, etc.).
  • Demonstrate compliance with legal requirements and good eSafety practice.

Applying the password‑policy checklist, using a reputable password manager, and following safe online behaviours will help learners meet the Cambridge IGCSE 0417 objectives and protect personal and sensitive information.