Privacy and Cybersecurity for Companies
Observatory edited by Dr. V. Spataro


[Closed] Passwords: the CNIL launches a public consultation on its new recommendation


Document annotated on 28.01.2023 Source: GPDP









Many online services still use passwords for authentication. In a context of increased security threats, the Cnil is therefore updating its previous recommendation to offer professionals and individuals practical, up-to-date tools.

During the last four years the previous recommendations have been implemented by a large number of professionals and tested against a variety of situations. The Cnil now has the hindsight it needs to redefine the basic level of security that all controllers should offer when it comes to passwords.

This draft recommendation is currently subject to public consultation on the Cnil website until December 10th, 2021.

This consultation should allow as many people as possible to contribute to our work on this everyday authentication method. While passwords are easy to implement, with no particular cost or specific equipment, using them effectively and safely requires many security elements to be taken into account.

According to a 2021 Verizon study, 81% of global data breach notifications involve a password issue. In France, around 60% of 2021 notifications are related to hacking, and most of them could have been avoided if password best practices had been implemented.

What are the risks associated with poor Password management?

As a reminder, poor password management puts users' personal data at risk.

What is the purpose of the recommendation submitted for public consultation?

As a soft law instrument, this recommendation intends to provide professionals, depending on their situation, with the minimum security measures (complexity, retention, renewal, etc.) to apply when using passwords to grant access to personal data processing.

The draft recommendation addresses both general password management policy issues and the operational details of using passwords. The Cnil provides operational advice by reviewing various use cases. The methods for storing and renewing passwords are also discussed.

Compared to the previous recommendation of 2017, this new draft notably makes the following changes:

  • the definition of a rule based on the degree of unpredictability of a password (entropy) rather than on a minimum password length, to allow a freer implementation of strong password policies;
  • the abandonment of the obligation to renew passwords for ordinary user accounts (renewal is still required for accounts with "privileges", i.e. administrator-type accounts or accounts with extended rights);
  • the introduction of a list of complex but well-known passwords that should therefore be avoided given the new attack patterns;
  • the clarification of rules concerning the creation and renewal of passwords to guarantee security throughout the life cycle, in the form of good practices (password manager, no recourse to obvious information).
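The first and third changes above can be combined into one acceptance check: estimate a candidate password's entropy from its length and the size of the character pool it draws on, and reject anything on a list of well-known passwords regardless of its apparent complexity. The following is an added example, not code from the Cnil or from the recommendation; the 80-bit threshold and the blocklist entries are assumed values constructed for illustration, since the page does not state the Cnil's figures.

```python
import math
import string

# Constructed stand-in for the "complex but well-known" list the draft describes.
# These are illustrative entries, not the Cnil's actual list.
WELL_KNOWN_PASSWORDS = {"P@ssw0rd", "Passw0rd!", "Qwerty123!", "Admin@123"}

# Assumed minimum entropy in bits; the page does not give the Cnil's threshold.
MIN_ENTROPY_BITS = 80.0

CHAR_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def alphabet_size(password: str) -> int:
    """Size of the character pool implied by the classes the password uses."""
    size = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (spaces, accented letters) each add one.
    size += len({c for c in password if not any(c in cls for cls in CHAR_CLASSES)})
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(pool size), as if chosen uniformly at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def evaluate(password: str) -> tuple[bool, str]:
    """Apply the blocklist first, then the entropy rule; return (accepted, reason)."""
    if password in WELL_KNOWN_PASSWORDS:
        return False, "rejected: on the well-known password list"
    bits = entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        return False, f"rejected: {bits:.1f} bits < {MIN_ENTROPY_BITS:.0f} required"
    return True, f"accepted: {bits:.1f} bits"


if __name__ == "__main__":
    # A long all-lowercase passphrase passes; a short "complex" one does not.
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", evaluate(candidate)[1])
```

The estimate is an upper bound that assumes uniformly random choice, so a length-based rule on top of a blocklist is a floor, not a guarantee: a human-chosen string that mixes all four classes can still be far weaker than the figure suggests.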

Who can participate in the public consultation?

The Cnil wishes to allow as many people as possible to express their views on the work carried out: all actors (public, private or from the voluntary sector) concerned by the recommendation can submit their observations, whether or not they are security professionals.

What is the consultation deadline?

We invite you to give us your opinion on the draft recommendation until December 10th, 2021.

The contributions will be analysed at the end of the consultation, to allow the publication of the final recommendation by the CNIL, on its website, at the beginning of 2022.

The consultation is over.



