[Closed] Passwords: the CNIL launches a public consultation on its new recommendation

18 November 2021

Passwords remain the most popular authentication method. The CNIL is updating its 2017 recommendation to take the new state of the art into account and to help organizations guarantee the necessary level of security. This new version is subject to public consultation until December 10th, 2021.

Many online services still use passwords for authentication. In a context of heightened security threats, the CNIL is therefore updating its previous recommendation to offer professionals and individuals practical and up-to-date tools.

During the last four years, the previous recommendations have been implemented by a large number of professionals and confronted with a variety of situations. The CNIL now has the necessary hindsight to redefine the basic level of security that all controllers should offer when it comes to passwords.

This draft recommendation is currently subject to public consultation on the CNIL website until December 10th, 2021.

This consultation should allow as many people as possible to contribute to our work on this everyday authentication method. While passwords are easy to implement, at no particular cost and without specific equipment, using them effectively and safely requires many security considerations to be taken into account.

According to a 2021 Verizon study, 81% of global data breach notifications involve a password issue. In France, around 60% of 2021 notifications are related to hacking, and most of them could have been avoided if best practices on passwords had been implemented.

What are the risks associated with poor password management?

As a reminder, poor password management puts users' personal data at risk.

What is the purpose of the recommendation submitted for public consultation?

As a soft law instrument, this recommendation intends to provide professionals, depending on their situation, with the minimum security measures (complexity, retention, renewal, etc.) to apply when using passwords to grant access to personal data processing.

The draft recommendation addresses both general password management policy issues and operational modalities related to the use of passwords. The CNIL provides operational advice by reviewing various use cases. The methods for storing and renewing passwords are also discussed.

Compared to the previous recommendation of 2017, this new draft notably makes the following changes:

  • the definition of a rule based on the degree of unpredictability of a password (entropy) rather than on a minimum password length, to allow a freer implementation of strong password policies;
  • the abandonment of the obligation to renew passwords for ordinary user accounts (renewal is still required for accounts with “privileges”, i.e. administrator-type accounts or accounts with extended rights);
  • the introduction of a list of passwords that are complex but well known, and therefore to be avoided given new attack patterns;
  • the clarification of rules concerning the creation and renewal of passwords, in the form of good practices (password manager, no use of obvious information), to guarantee security throughout the password life cycle.
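As an added illustration of the first and third changes (an entropy-based rule combined with a denylist of well-known passwords), here is a small validator written for this page; it is not part of the CNIL announcement or its draft recommendation. The 80-bit threshold, the character-class entropy estimate and the sample denylist are assumptions chosen for the example.

```python
import math
import string

# Constructed sample denylist of "complex but well-known" passwords.
# A real deployment would load a much larger list (e.g. from breach corpora).
KNOWN_PASSWORDS = {
    "P@ssw0rd", "Password1!", "Azerty123!", "Qwerty123!", "Admin2021!",
}

# Character classes and the alphabet size each one contributes.
_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), len(string.punctuation)),  # 32 symbols
)
_ALL_CLASS_CHARS = frozenset().union(*(members for members, _ in _CLASSES))


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the alphabet actually used).

    This is the usual character-class estimate. It overestimates for
    dictionary words and leaked passwords, which is exactly why the
    denylist check below is still needed alongside it.
    """
    if not password:
        return 0.0
    chars = set(password)
    alphabet = sum(size for members, size in _CLASSES if chars & members)
    # Characters outside the four classes (spaces, accented letters, ...)
    # are counted individually rather than silently ignored.
    alphabet += len(chars - _ALL_CLASS_CHARS)
    return len(password) * math.log2(alphabet)


def check_password(password: str, min_entropy_bits: float = 80.0):
    """Return (accepted, reasons). The default threshold is an assumed value."""
    reasons = []
    if password in KNOWN_PASSWORDS:
        reasons.append("appears on the well-known password list")
    bits = estimate_entropy_bits(password)
    if bits < min_entropy_bits:
        reasons.append(f"estimated entropy {bits:.1f} bits < {min_entropy_bits:.0f} required")
    return (not reasons, reasons)
```

Note that "P@ssw0rd" is rejected on both counts: it is on the denylist and, despite mixing four character classes, eight characters only yield about 52 bits under this estimate.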

Who can participate in the public consultation?

The CNIL wishes to allow as many people as possible to express their views on the work carried out: all actors (public, private or from the voluntary sector) concerned by the recommendation can submit their observations, whether or not they are security professionals.

What is the consultation deadline?

We invite you to give us your opinion on the draft recommendation until December 10th, 2021.

The contributions will be analysed at the end of the consultation, so that the CNIL can publish the final recommendation on its website at the beginning of 2022.

The consultation is over.