[Closed] Passwords: the CNIL launches a public consultation on its new recommendation

estimated reading time: 2 min

Many online services still use passwords for authentication. Thus, in a context of increased security threat, the Cnil updates its previous recommendation to offer professionals and individuals practical and up to date tools.

During the last four years the previous recommendations have been implemented by a large number of professionals and confronted with various situations. The Cnil has now the necessary hindsight to redefine the basic level of security that all controllers should offer when it comes to passwords.

This draft recommendation is currently subject to public consultation on the Cnil website until December 10^th, 2021.

This consultation should allow as many people as possible to contribute to our work on this daily used authentication method. While passwords are easy to implement, without any particular cost or specific equipment, their usage requires to consider many security elements to be effective and safe on overall.

What are the risks associated with poor Password management?

As a reminder, poor Password management puts users at risk with their personal data.

Passwords: the risks identified during its life cycle

What is the purpose of the recommendation submitted for public consultation?

As a soft law instrument, this recommendation intends to provide professionals, depending on their situation, with the min imum security measures (complexity, retention, renewal, etc.) to apply when using Password to grant access to personal data processing.

The draft recommendation addresses both general Password management policy issues and operational modalities related to the use of passwords. The Cnil provides operational advice by reviewing various use cases. The methods for storing and renewing passwords are also discussed.

Compared to the previous recommendation of 2017, this new project notably makes the following changes:

• the definition of a rule based on the degree of unpredictability of a Password (entropy) and not on the min imum Password length, to allow a freer implementation of strong Password policies;
• the abandonment of the obligation to renew passwords for classic user accounts (renewal is still required for accounts with “privileges”, ie of the administrator type or with extended rights);
• the introduction of a list of complex but well-known passwords and therefore to be avoided given the new attack patterns;
• the clarification of rules concerning the creation and renewal of passwords to guarantee security throughout the life cycle in the form of good practices (password manager, no recourse to obvious information).

Who can participate in the public consultation?

The Cnil wishes to allow as many people as possible to express their views on the work carried out: all actors (public, private or from the voluntary sector) concerned by the recommendation can make their observations known, whether or not they are security professionals.

What is the consultation deadline?

We invite you to give us your opinion on the draft recommendation until December 10^th, 2021.

The contributions will be analysed at the end of the consultation, to allow the publication of the final recommendation by the CNIL, on its website, at the beginning of 2022.

The consultation is over.