Passwords: a new recommendation for mastering your security

There is no universal definition of a good password, but it should be difficult to guess. To achieve this, we can play on its complexity and its length in order to reduce the chance of success of a computer attack consisting of successively testing many passwords (a so-called brute-force attack).

Changes in the recommendation since 2017

Compared to the previous recommendation of 2017, the new recommendation makes the following changes in particular:

  • The recommendations are aimed at the degree of complexity of the password (entropy) and not a minimum length, in order to offer more freedom in defining robust password policies adapted to the use cases.
  • The removal of the use case relying on secret information as a measure to lower the security requirements on the password (case 3 of the 2017 recommendation).
  • The abandonment of the obligation to renew passwords for classic user accounts (renewal is still required for “privileged” accounts, that is to say of the administrator type or with extended rights).
  • The introduction of a list of passwords that are complex but well known, and therefore to be avoided given current attack patterns.
  • Details on the rules concerning the creation and renewal of passwords to guarantee a constant level of security throughout the life cycle of the password, in the form of good practices (password manager, non-use of obvious information).

Valuable contributions from professionals and the general public

The CNIL had launched, in October 2021, a public consultation on its draft new recommendation on passwords.

The responses received, of high quality, confirmed the main orientations of the project, which was considered relevant (by 96% of respondents). The proposed level of security was also considered satisfactory by 84.3% of respondents.

The feedback mainly helped to clarify and explain the CNIL’s recommendations, but also to complete the draft with additional good practices. Finally, it led the CNIL to no longer recommend one use case, considered too weak.

The main recommendations of the CNIL

Password Authentication: Guessability or Entropy

As of today, entropy

To check the robustness of a password, in the current state of the art, it is necessary to rely on the definition of complexity and length criteria. For each information system, or each processing of personal data, a password policy is defined. This policy outlines the criteria that must be met for a password to be “acceptable” on this system. The 2017 recommendation defined thresholds in terms of number of characters and complexity of each password. However, this definition lacked flexibility, hence the introduction of the concept of “entropy” in order to be able to compare the robustness of different password policies.

“Entropy” can be defined in this context as the amount of randomness. For a password or a cryptographic key, it corresponds to its degree of theoretical unpredictability, and therefore to its ability to resist a brute-force attack. Here, the term entropy, applied to a password, corresponds to its ideal entropy on the assumption that it was generated randomly, bearing in mind that any rule for constructing a password necessarily limits the space of possible choices, and therefore limits its entropy for a given length. For example, choosing a password from among the words of a language severely limits the number of letter combinations possible in practice: each language only admits a limited number of letter sequences, used to form the syllables of its words. The temptation for many users to choose “easy to remember” passwords facilitates so-called “dictionary” attacks, in which, instead of testing all possible combinations by brute force, only a very limited number of candidates are tested, including dictionary words and first names as well as their “classical” derivations (for example, from the word “kangourou”, combinations such as “k4ng0urou”, “kangourou01” or “KaNgOuRoU” would be derived and tested).

This principle makes it possible to define a generic minimum level of 80 bits of entropy for a password used without additional measures, while leaving everyone free to define their own password policy. Thus, the following three examples are equivalent in terms of entropy and all meet the new recommendation:

Example 1: passwords must be composed of at least 12 characters including upper and lower case letters, numbers and special characters, the latter chosen from a list of at least 37 possible special characters.

Example 2: passwords must be composed of at least 14 characters including uppercase letters, lowercase letters and numbers, with no special characters required.

Example 3: a passphrase must be used, composed of at least 7 words.
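As an added illustration that is not part of the CNIL text, the ideal-entropy arithmetic (length × log2 of the symbol space) behind the three example policies, checked against the 80, 50 and 13-bit minimum levels the recommendation sets for its three cases. The 7776-word list size, the 2000-word list and the 4-digit PIN are my assumptions, since the recommendation does not fix a dictionary size.

```python
import math

# Minimum ideal entropy (bits) for the three cases of the recommendation.
MIN_ENTROPY_BITS = {"password_only": 80, "access_restriction": 50, "hardware_unlock": 13}


def ideal_entropy_bits(symbol_space: int, length: int) -> float:
    """Ideal entropy of a secret of `length` symbols drawn uniformly from
    `symbol_space` choices: length * log2(symbol_space)."""
    if symbol_space < 2 or length < 1:
        raise ValueError("symbol space must be >= 2 and length >= 1")
    return length * math.log2(symbol_space)


def policy_entropy_bits(min_length: int, lowercase: bool = True, uppercase: bool = True,
                        digits: bool = True, specials: int = 0) -> float:
    """Entropy of a character-class policy: 26 lowercase, 26 uppercase,
    10 digits and `specials` special characters, all required."""
    space = (26 if lowercase else 0) + (26 if uppercase else 0) + (10 if digits else 0) + specials
    return ideal_entropy_bits(space, min_length)


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn from a word list of
    `dictionary_size` entries (assumed size; the recommendation fixes none)."""
    return ideal_entropy_bits(dictionary_size, words)


def meets_case(bits: float, case: str) -> bool:
    """Compare against the case threshold, rounded to the nearest bit as the
    recommendation's own examples do (Example 1 computes to 79.6 bits)."""
    return round(bits) >= MIN_ENTROPY_BITS[case]


if __name__ == "__main__":
    for name, bits in [
        ("Example 1: 12 chars, upper+lower+digits+37 specials", policy_entropy_bits(12, specials=37)),
        ("Example 2: 14 chars, upper+lower+digits", policy_entropy_bits(14)),
        ("Example 3: 7 words from an assumed 7776-word list", passphrase_entropy_bits(7, 7776)),
        ("4-digit PIN (hardware unlock case, assumed)", ideal_entropy_bits(10, 4)),
    ]:
        print(f"{name}: {bits:.1f} bits")
```

Note that a 7-word passphrase drawn from a small 2000-word vocabulary falls short of 80 bits, which is the point the text makes about dictionary attacks.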

Tomorrow, Guessability

The notion of “guessability” is a new approach to determining the strength of a password. It consists in evaluating, by means of dedicated algorithmic processing, the ease for an adversary to recover a given password. It is therefore not a matter of verifying compliance with a password policy setting a minimum formal complexity, but of dynamically evaluating the resistance of the chosen password.

The literature on the subject recommends a minimum attack resistance of 10^14 trials. However, at the time of publication of this recommendation, the tools implementing this method, which is a priori more reliable than a simple complexity check, are not yet available for French-speaking users: the CNIL therefore does not currently have the experience necessary to determine the level of resistance equivalent to the levels described in this recommendation.

The CNIL will remain attentive to developments in this area, in particular the availability of freely accessible solutions that it will be able to assess.

Three equivalent level password policies

The CNIL has identified 3 different state-of-the-art use cases for the use of passwords which are associated with different minimum levels of entropy:

  • “simple” password authentication;
  • the case where measures limiting the risks of online attacks are implemented;
  • and finally, the case of the hardware unlocking code.

The table below lists the 3 password authentication cases identified by the CNIL in its new recommendation. Access control should be based on more robust rules depending on the risks to which the system is exposed.

Case 1: password only
  • Example of use: forums, blogs
  • Minimum entropy: 80 bits
  • Complementary measures: advise the user on choosing a good password

Case 2: with access restriction (the most common case)
  • Example of use: e-commerce sites, company accounts, webmail
  • Minimum entropy: 50 bits
  • Complementary measures: an account access restriction mechanism, for example:
    ◦ a delay before the account can be accessed again after several failures;
    ◦ a maximum number of attempts allowed within a given time;
    ◦ a “captcha”;
    ◦ blocking of the account after 10 failures, accompanied by an unblocking mechanism chosen according to the risks of identity theft and of targeted denial-of-service attacks.

Case 3: with equipment owned by the person
  • Example of use: credit card or telephone
  • Minimum entropy: 13 bits
  • Complementary measures: hardware held by the person (e.g. SIM card, bank card, certificate); blocked after 3 failed attempts
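An added example, not from the CNIL text, of how the access-restriction measures of the second case can be combined in application code: a delay after several failures, a cap on failed attempts per time window, and a block after 10 failures that needs an explicit unblocking step. The 10-failure block comes from the recommendation; the other thresholds (5 failures per 5 minutes, back-off starting at the third failure) are assumptions.

```python
from collections import defaultdict, deque


class AccessRestriction:
    """Per-account login throttling. Timestamps (seconds) are passed in by the
    caller so the behaviour is deterministic and testable."""

    def __init__(self, max_attempts=5, window_s=300, delay_after=3,
                 base_delay_s=2, block_after=10):
        self.max_attempts, self.window_s = max_attempts, window_s
        self.delay_after, self.base_delay_s = delay_after, base_delay_s
        self.block_after = block_after
        self.recent = defaultdict(deque)    # account -> failure timestamps in window
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.not_before = defaultdict(float)  # account -> earliest allowed attempt
        self.blocked = set()

    def check(self, account, now):
        """Return (allowed, reason) for a login attempt at time `now`."""
        if account in self.blocked:
            return False, "blocked"
        if now < self.not_before[account]:
            return False, "delay"
        q = self.recent[account]
        while q and q[0] <= now - self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False, "rate"
        return True, "ok"

    def record_failure(self, account, now):
        self.recent[account].append(now)
        self.failures[account] += 1
        n = self.failures[account]
        if n >= self.block_after:
            self.blocked.add(account)       # stays blocked until unblock() is called
        elif n >= self.delay_after:
            # exponential back-off: 2 s, 4 s, 8 s, ... from the third failure
            self.not_before[account] = now + self.base_delay_s * 2 ** (n - self.delay_after)

    def record_success(self, account):
        self.failures[account] = 0
        self.not_before[account] = 0.0
        self.recent[account].clear()

    def unblock(self, account):
        """Hook for the unblocking mechanism chosen according to the risks."""
        self.blocked.discard(account)
        self.record_success(account)
```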

Stopping periodic renewal of passwords

More and more studies show that forcing users to change their password on a regular basis is not a truly effective measure. The strategies users adopt to cope with password expiration policies are generally predictable and lower the effective level of security: in these studies, the majority of participants used a slightly modified version of their previous password, for example by adding a number at the end. The security benefit is therefore minor and largely offset by the negative user experience.

Thus, more and more national cybersecurity agencies are changing their recommendations in this area, no longer recommending a periodic change of passwords for standard users, or even recommending that such a change not be requested. In particular, ANSSI adopted this new position in 2021 in its guide “Recommendations for multi-factor authentication and passwords”, which the CNIL co-signed.

The recommendation therefore follows this change by recommending that such periodic modification should no longer be requested except for administrative accounts. Note that the risks associated with access to a privileged account will often require more robust authentication than simple password authentication.

Safeguarding passwords

Passwords should never be stored in the clear. When authentication takes place on a remote server, and in other cases if technically feasible, the password must be transformed by means of a non-reversible and secure cryptographic function, incorporating the use of a salt or of a key. There are now specialized functions that meet this need, such as scrypt or Argon2, cited by ANSSI.
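As an added example that is not part of the CNIL text, salted, non-reversible password storage and verification with scrypt from Python's standard library, with a constant-time comparison at verification. The work parameters and the self-describing record format are assumptions for this example and should be tuned to the server.

```python
import base64
import hashlib
import hmac
import os

# Assumed scrypt parameters for this example: N=2^14, r=8, p=1 uses about 16 MiB.
N, R, P, DKLEN, SALT_LEN = 2 ** 14, 8, 1, 32, 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt=None) -> str:
    """Return a record "scrypt$N$r$p$salt$hash" (base64 fields) storing the
    parameters alongside the salted hash, so they can be raised later."""
    salt = os.urandom(SALT_LEN) if salt is None else salt   # fresh random salt per password
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time. Malformed or foreign records never verify."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = base64.b64decode(parts[4]), base64.b64decode(parts[5])
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)
```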

What to do in case of risk of password compromise?

If a data controller detects a data breach involving a person’s password:

  • the data controller must notify the CNIL within a period not exceeding 72 hours;
  • it must force the user concerned to change their password the next time they log in;
  • it must recommend that the user change their passwords on other services, in case the same password has been reused there.

What are the risks for organizations that do not ensure an adequate level of data security?

Breaches already frequently observed and an appropriate repressive response

The CNIL can inspect, on the basis of a complaint received or on its own initiative, any data controller, whether remotely, online, on documents or on the premises of the organization concerned. In the event of serious breaches of security principles, it can then mobilize its full range of enforcement measures and impose penalties of up to 4% of worldwide turnover or €20,000,000.

It recalls that breaches relating to password policies were among those most often observed during its inspections in 2021; these shortcomings can lead to data breaches with sometimes significant consequences for individuals.

A period of adaptation in a specific case

Following the public consultation carried out on the draft recommendation, the CNIL decided to delete one of the cases which was recommended in 2017 (password reinforced by additional information), which is therefore no longer recommended by the CNIL, in order to follow the opinion of the majority of respondents to the consultation. Indeed, many professionals considered that this use case did not allow a level of security equivalent to the other recommended cases.

The CNIL therefore calls on data controllers who use this method of authentication to change their password policy, and will take into account the time required to implement these changes.
