There is no universal definition of a good password, but it should be hard to guess. For this, we can adjust its complexity and its length to reduce the risk that an attack consisting in testing many passwords in succession (a brute-force attack) succeeds.
Changes to the recommendation from 2017
Compared to the previous 2017 recommendation, the new recommendation makes the following changes in particular:
- The recommendations target the degree of complexity of the password (its entropy) rather than a minimum length, which gives more freedom in defining strong password policies suited to each use case.
- Removal of the use case based on secret information as a measure to lower password security requirements (case 3 of the 2017 recommendation).
- Abandoning the obligation to renew passwords for classic user accounts (renewal is still required for “privileged” accounts, that is, of the administrator type or with extended rights).
- The introduction of a list of passwords that are complex but already known, and therefore to be avoided given current attack patterns.
- Details on the rules relating to the creation and renewal of passwords to ensure a constant level of security throughout the life cycle of the password, in the form of best practices (password manager, no use of obvious information).
Valuable contributions from professionals and the general public
The CNIL launched a public consultation on its draft new password recommendation in October 2021.
The responses received, of high quality, confirmed the main orientations of the draft, which 96% of respondents considered relevant. The proposed security level was also considered satisfactory by 84.3% of respondents.
The feedback mainly helped to clarify and explain the CNIL recommendations, but also to complement the draft with further good practices. Finally, it prompted the CNIL to stop recommending one use case, which was deemed too weak.
The main recommendations of the CNIL
Password authentication: guessability or entropy
Entropy, starting today
To verify the strength of a password, in the current state of the art, it is necessary to rely on complexity and length criteria. A password policy is defined for each information system, or for each processing of personal data. This policy sets out the criteria a password must meet to be “acceptable” on that system. The 2017 recommendation defined thresholds in terms of the number of characters and the complexity of each password. However, this definition lacked flexibility, hence the introduction of the concept of “entropy” to be able to compare the robustness of different password policies.
“Entropy” can be defined in this context as the number of possibilities. For a password or cryptographic key, this corresponds to its degree of theoretical unpredictability, and therefore to its ability to withstand a brute-force attack. Here the term entropy, applied to a password, refers to its ideal entropy under the assumption that it is generated randomly, bearing in mind that any rule for constructing a password necessarily limits the space of possible choices, and therefore limits its entropy for a given length. For example, choosing a password among the words of a language in practice severely limits the number of possible letter combinations: each language admits only a limited number of letter sequences, those used to form the syllables of its words. The temptation for many users to choose “easy to remember” passwords facilitates so-called “dictionary” attacks, in which, instead of brute-force testing all possible combinations, only a very limited number are tested, including dictionary words and proper nouns, as well as their “classical” derivations (for example, from the word “kangourou”, combinations such as “k4ng0urou”, “kangourou01”, “KaNgOuRoU”, etc. will be derived and tested).
This principle makes it possible to define a generic minimum level of 80 bits of entropy for a password without additional measures, while leaving everyone free to define their own password policy. The following three examples are therefore equivalent in terms of entropy and all meet the new recommendation:
Example 1: passwords must consist of at least 12 characters drawn from upper and lower case letters, digits and special characters, the latter chosen from a list of at least 37 possible special characters.
Example 2: passwords must consist of at least 14 characters drawn from upper and lower case letters and digits, with no special characters required.
Example 3: a passphrase consisting of at least 7 words must be used.
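The entropy arithmetic behind the three examples, as an added illustration that is not part of the CNIL text: it computes the ideal entropy of a policy from its alphabet size and length, and goes the other way (minimum length, or minimum word-list size, for a target of 80 bits). Assumptions: the 37 special characters are counted as 37 alphabet symbols, example 3 is evaluated against a 7776-word list because the page names none, and entropy is rounded to the nearest bit so that example 1 (about 79.6 bits) counts as 80, as the recommendation treats it.

```python
import math

# Character-class sizes behind the policy examples above: upper- and lower-case
# Latin letters, digits, and "at least 37 special characters" (the exact list is
# not given on the page, so 37 is taken as the special-character contribution).
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 37
# Minimum entropy (bits) for the three cases of the recommendation.
MINIMUM_BITS = {"password_only": 80, "access_restriction": 50, "owned_hardware": 13}


def policy_entropy_bits(alphabet_size: int, length: int) -> float:
    """Ideal entropy of `length` symbols drawn uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length). Words of a passphrase are symbols
    too, with the word list as the alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, target_bits: float) -> int:
    """Shortest length at which a policy over `alphabet_size` symbols reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def min_dictionary_size(words: int, target_bits: float) -> int:
    """Smallest word list from which `words` random words reach target_bits."""
    return math.ceil(2 ** (target_bits / words))


def meets_recommendation(bits: float, case: str) -> bool:
    """Check a policy against one of the three cases. Entropy is rounded to the
    nearest bit (an assumption: example 1 computes to ~79.6 bits and the
    recommendation counts it as 80)."""
    return round(bits) >= MINIMUM_BITS[case]


if __name__ == "__main__":
    ex1 = policy_entropy_bits(UPPER + LOWER + DIGITS + SPECIAL, 12)  # ~79.6 bits
    ex2 = policy_entropy_bits(UPPER + LOWER + DIGITS, 14)            # ~83.4 bits
    # Example 3 names no word list; a 7776-word Diceware-style list is assumed.
    ex3 = policy_entropy_bits(7776, 7)                               # ~90.5 bits
    for name, bits in (("example 1", ex1), ("example 2", ex2), ("example 3", ex3)):
        ok = meets_recommendation(bits, "password_only")
        print(f"{name}: {bits:.1f} bits, 80-bit level met: {ok}")
    # How the same 80-bit target translates into other policies:
    print("letters and digits only, 80 bits -> length", min_length_for(62, 80))
    print("7-word passphrase, 80 bits -> word list of", min_dictionary_size(7, 80))
```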
The notion of “guessability” is a new approach to determining the strength of a password. It consists in evaluating, through dedicated algorithmic processing, how easily an adversary could recover a given password. It is therefore no longer a question of verifying compliance with a password policy that sets a minimum formal complexity, but of dynamically assessing the strength of the chosen password.
The literature on the subject recommends a minimum resistance of 10^14 guessing attempts. However, at the time of publication of this recommendation, the tools implementing this method, which is a priori more reliable than a simple complexity check, are not yet available for French-speaking users: the CNIL therefore does not currently have the experience needed to determine the resistance level equivalent to the levels described in this recommendation.
The CNIL will monitor developments in this area, in particular the availability of freely accessible tools that it will be able to evaluate.
Three equivalent level password policies
The CNIL has identified three distinct use cases for passwords, each associated with a different minimum level of entropy:
- authentication with “simple” password;
- the case in which measures are implemented to limit the risks of online attacks;
- and finally the case of the hardware unlock code.
The following table lists the three cases of password authentication identified by the CNIL in its new recommendation. Access control should be based on stronger rules depending on the risks to which the system is exposed.

| Case | Example of use | Minimum entropy (bits) | Complementary measures |
|---|---|---|---|
| Password only | Forum, blog | 80 | Advise the user on choosing a good password |
| With access restriction (the most common) | E-commerce sites, business accounts, webmails | 50 | Account access restriction mechanism (examples) |
| With equipment owned by the person | Credit card or telephone | 13 | Hardware owned by the person (e.g. SIM card, credit card, certificate); blocked after 3 failed attempts |
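An added example, not from the CNIL text, of the kind of access-restriction mechanism the table relies on: a per-account failed-attempt counter that locks the account after 3 failures (the table's value) and a small calculation of how that bounds online guessing, which is why the restricted cases can accept lower entropy. The 15-minute lockout duration is an assumption; the page gives none.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 3            # the table's "blocked after 3 failed attempts"
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration; the page states none


@dataclass
class AccountGuard:
    """Per-account failed-attempt counter with lockout, the kind of access
    restriction that lets the 50-bit and 13-bit cases accept weaker secrets."""
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> unix time lock expires

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.locked_until.get(account, 0.0) > now

    def record(self, account: str, success: bool, now: Optional[float] = None) -> bool:
        """Update counters after an attempt; returns True if the account is now locked."""
        now = time.time() if now is None else now
        if success:
            self.failures.pop(account, None)   # a correct login resets the counter
            return False
        count = self.failures.get(account, 0) + 1
        if count < MAX_FAILURES:
            self.failures[account] = count
            return False
        self.failures.pop(account, None)
        self.locked_until[account] = now + LOCKOUT_SECONDS
        return True


def online_guesses_per_day() -> int:
    """Upper bound on guesses one account can receive per day under these
    settings: lockout windows per day times attempts allowed per window."""
    return (86_400 // LOCKOUT_SECONDS) * MAX_FAILURES


def days_to_exhaust(entropy_bits: float) -> float:
    """Days needed to try every password of a policy with the given entropy at
    that bounded rate; with restriction in place, 50 bits is already far beyond reach."""
    return 2 ** entropy_bits / online_guesses_per_day()
```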
Interruption of the periodic renewal of passwords
More and more studies show that forcing users to change their password on a regular basis is not a really effective measure. The strategies users adopt to cope with password expiration policies are generally predictable and lower the actual level of security. In fact, most users reuse a slightly modified version of the previous password, such as adding a number at the end. The security benefits are therefore minor and largely offset by the negative user experience.
Therefore, more and more national cybersecurity agencies are changing their recommendations in this area, no longer recommending a periodic password change for standard users, or even recommending against requiring such a change. Notably, ANSSI adopted this position in 2021 in its “Recommendations on Multi-Factor Authentication and Passwords” guide, which the CNIL co-signed.
The recommendation therefore follows this change by no longer requiring a periodic change, except for administrator accounts. Keep in mind that the risks associated with logging into a privileged account often call for stronger authentication than a password alone.
Passwords must never be stored in clear text. When authentication takes place on a remote server, and in other technically feasible cases, the password must be transformed using an irreversible and secure cryptographic function that involves the use of a salt or a key. Specialized functions now exist that meet this need, such as scrypt or Argon2, cited by ANSSI.
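An added example of the storage transformation described above, not code from the CNIL or ANSSI: each password is hashed with scrypt (one of the two functions the text names) under a fresh random salt, the parameters and salt are stored next to the digest, and verification recomputes the digest and compares in constant time. The work factors and the `scrypt$n$r$p$salt$digest` record layout are assumptions of this example.

```python
import hashlib
import hmac
import os

# scrypt work factors: assumed values for the example, to be tuned to the server's budget.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Derive a salted, one-way scrypt digest and pack it with its parameters.

    A fresh salt per password means two identical passwords never share a
    stored value and precomputed tables are useless against the database."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False          # malformed record: never accept
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample password; the stored record is what the server keeps.
    record = hash_password("correct horse battery kangourou")
    print(record)
    print(verify_password("correct horse battery kangourou", record))  # True
    print(verify_password("k4ng0urou", record))                        # False
```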
What to do if there is a risk of password compromise?
If a data controller detects a data breach involving a person’s password:
- the data controller must notify the CNIL within a period not exceeding 72 hours;
- it must require the user concerned to change their password at the next login;
- it must recommend that the user change their passwords on other services, in case the same password was used for them.
What are the risks for organizations that do not guarantee an adequate level of data security?
Violations already frequently observed, and an appropriate enforcement response
The CNIL can audit any data controller, on the basis of a complaint received or on its own initiative, remotely, online, on documents or on the premises of the body concerned. In case of serious violations of the security principles, it can therefore mobilize its entire enforcement chain and impose penalties of up to 4% of worldwide turnover or €20,000,000.
Remember that violations related to password policies were among the most frequently observed violations during its audits in 2021; these deficiencies could lead to data breaches with sometimes significant consequences for individuals.
A period of adaptation in a specific case
Following the public consultation carried out on the draft recommendation, the CNIL decided to withdraw one of the cases recommended in 2017 (password reinforced by additional information), which is therefore no longer recommended by the CNIL, in line with the opinion of the majority of respondents to the consultation. In fact, many practitioners felt that this use case did not provide a level of security equivalent to the other recommended cases.
The CNIL therefore invites data controllers who use this authentication method to change their password policy, and will take into account the time necessary to implement these changes.