Passwords: the CNIL issues its recommendations, are you compliant?

Alexander Schmid

October 19, 2022 at 4:20 p.m.


The CNIL has updated its recommendations on password security; here is what we can learn from them.

The Commission nationale de l'informatique et des libertés (CNIL), the French data protection authority, has published new guidance on securing passwords. While it is primarily aimed at companies, which are increasingly hit by data breaches and cyberattacks, the recommendations can also be applied by individuals.

What level of password complexity should I choose?

The CNIL has identified three cases, to each of which it assigns a different minimum level of entropy. For each case it gives examples of password requirements that meet the corresponding level of entropy.

  • Password only: minimum of 12 characters (with uppercase, lowercase, digit and special character) or minimum of 14 characters (with uppercase, lowercase and digit).
  • Mechanism restricting access to the account after several authentication failures: minimum of 8 characters drawn from 3 of the 4 character categories (uppercase, lowercase, digit, special character), or minimum of 16 digits.
  • Device held by the person, with a blocking mechanism after 3 authentication failures: minimum of 4 decimal digits.

It should be added that the CNIL no longer recommends using additional information, such as the names of one's parents or of a pet, or other personal data, to secure a password.

Never store passwords in plaintext

The CNIL also reminds us that under no circumstances should passwords be stored in plain text. “When authentication takes place on a remote server, and in other cases if technically feasible, the password must be transformed by means of a non-reversible and secure cryptographic function, incorporating the use of a salt or a key,” adds the Commission, which cites the scrypt and Argon2 functions as password hashing solutions.
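As an added example that is not part of the CNIL's guidance or this article, the following Python code checks a password against the three cases listed above (the case labels `password_only`, `lockout` and `device` are this example's own names, not CNIL terminology) and then stores it the way the Commission describes: salted, with the non-reversible scrypt function, compared in constant time. The scrypt cost parameters are constructed defaults for the example.

```python
import hashlib
import hmac
import os
import string


def _category_flags(password: str):
    """Presence flags for the four CNIL character categories."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c in string.digits for c in password)
    special = any(not c.isalnum() for c in password)
    return upper, lower, digit, special


def meets_cnil_policy(password: str, case: str) -> bool:
    """Check a password against one of the three cases (labels are this example's own):
      "password_only": >=12 chars with all 4 categories, or >=14 with upper, lower and digit
      "lockout":       account locked after repeated failures: >=8 chars with 3 of 4 categories, or >=16 digits
      "device":        device held by the user, blocked after 3 failures: >=4 decimal digits
    """
    n = len(password)
    upper, lower, digit, special = _category_flags(password)
    categories = upper + lower + digit + special
    only_digits = n > 0 and all(c in string.digits for c in password)
    if case == "password_only":
        return (n >= 12 and categories == 4) or (n >= 14 and upper and lower and digit)
    if case == "lockout":
        return (n >= 8 and categories >= 3) or (n >= 16 and only_digits)
    if case == "device":
        return n >= 4 and only_digits
    raise ValueError(f"unknown case: {case}")


# scrypt cost parameters: constructed defaults for this example, tune to your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive a non-reversible 32-byte key with scrypt. A fresh random salt per
    password means two users with the same password get different stored values."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)
```

Store the salt alongside the derived key; neither reveals the password, and the same salt is needed to verify a later login.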

Reacting to this update of the CNIL’s recommendations, Me Alexandre Lazarègue, a lawyer specializing in digital law, also raises the subject of biometrics as an authentication method. According to him, it carries risks, because if biometric data falls into the wrong hands, it cannot, by its nature, be changed, unlike a password. This can lead to a “compromise likely to lead to repeated identity theft,” according to the expert, who instead advises the use of complex passwords.

Source: Press release
