Passwords: new recommendations from the CNIL to avoid being hacked

The National Commission for Computing and Liberties (CNIL) unveiled its recommendations on computer security on Monday, October 17. More specifically, the CNIL is looking at the good practices to adopt for passwords in order to avoid being hacked. A particularly useful development given that 81% of data breaches worldwide are linked to a password problem, according to a Verizon study conducted in 2021.

The CNIL emphasizes that the safest way to secure an account remains multifactor authentication, that is, adding a second check to the password, such as a verification code sent by SMS. While security is greatly improved, the user experience becomes more cumbersome, and few sites use this system.

It is still possible to create strong passwords that, on their own, give the user an acceptable degree of security. A good password is above all one that is difficult to find by a brute-force attack, in which a computer program tests every possible combination until it hits the right one. To complicate the task, the password must be both long and complex.

Chance and passwords

A minimum length alone does not necessarily guarantee the robustness of a password. The CNIL prefers to insist on the notion of entropy, defined here as the amount of randomness. The more randomly a password is chosen, the harder it is to guess.

For example, choosing a single word from a language's vocabulary severely limits the number of possible letter combinations. This facilitates “dictionary” attacks, which test only dictionary words and first names, together with their close variations. The attacker will thus test the word “kangourou” but also derivatives such as “k4ng0urou”, “kangourou01”, or “KaNgOuRoU”.

Rather than extending passwords ad infinitum, the CNIL therefore suggests using combinations of upper and lower case letters, numbers and special characters, while keeping a minimum length of 12 characters. The Commission also considers it appropriate to use a “passphrase” made up of at least 7 words.
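As an added illustration (not code from the article or from the CNIL), the following Python check applies the two criteria above: it normalises the variants from the “kangourou” example back to their base word before a dictionary lookup, estimates entropy as if each character were drawn uniformly from the character classes the password uses, and accepts either a 12-character mixed-class password or a passphrase of at least 7 words. The word list and the 8192-word dictionary size are constructed assumptions.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"kangourou", "password", "soleil", "bonjour"}

# Leetspeak substitutions a dictionary attack tries ("k4ng0urou"); reversed
# here so a candidate can be normalised back to its base word for lookup.
LEET = str.maketrans({"4": "a", "0": "o", "3": "e", "1": "i", "5": "s", "@": "a", "$": "s"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def base_word(password: str) -> str:
    """Undo case tricks, a trailing counter and leetspeak: 'KaNgOuRoU01' -> 'kangourou'."""
    return password.lower().rstrip(string.digits).translate(LEET)


def is_dictionary_derived(password: str) -> bool:
    """True when the password is a dictionary word or one of its close variants."""
    return base_word(password) in DICTIONARY


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Entropy if each character were drawn uniformly from that alphabet."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a word list."""
    return word_count * math.log2(dictionary_size)


def meets_cnil_guidance(secret: str) -> bool:
    """Passphrase of at least 7 words, or at least 12 characters mixing all four
    classes; anything derived from a dictionary word fails outright."""
    if len(secret.split()) >= 7:
        return True
    if is_dictionary_derived(secret):
        return False
    return len(secret) >= 12 and charset_size(secret) == sum(map(len, CLASSES))


if __name__ == "__main__":
    for candidate in ("k4ng0urou", "KaNgOuRoU01", "Xq7!mP2#vL9@"):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, ok={meets_cnil_guidance(candidate)}")
```

The entropy figure is an upper bound: it assumes random choice, which is exactly what a dictionary-derived string like “kangourou01” lacks, hence the separate lookup.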

Do not store passwords in plaintext

Among the other new recommendations, the CNIL reconsiders the usefulness of forcing users to change their passwords regularly. In practice, the Commission notes, users get around this obligation by, for example, adding a digit to the end of their old password, a method that does little to improve security.

On the website side, the CNIL reminds site operators that passwords should never be stored in clear text. In the event of a breach, the Commission may impose penalties equivalent to 4% of the offending company’s worldwide turnover, with a ceiling of 20 million euros.
