CNIL 2022 password recommendations

Here are the new recommendations of the CNIL.

I. Presentation

On October 17, 2022, the CNIL updated its recommendations on passwords, with the aim of guiding professionals and individuals while taking into account new trends, new uses and new threats. These new recommendations are an opportunity to review the changes made by the CNIL (Commission nationale de l'informatique et des libertés) and to see what they mean in practice for Active Directory.

This update is significant, since the previous recommendation dated back to 2017. To update it, the CNIL worked with professionals and the general public through a public consultation launched in October 2021. It was also in October 2021 that ANSSI published a new version of its guide “Multi-Factor Authentication and Password Recommendations – v2.0“, which the CNIL recommends reading in order to go further than the simple password (for example, by setting up multi-factor authentication). To be precise, the CNIL co-signed this ANSSI document.

Better password management = Fewer account compromises

Poor password management can have serious consequences: some cyberattacks could be avoided simply by following good practices. Beyond the choice of password itself, cryptography is essential to protect passwords, both at rest and in transit: a stored password should be kept as a salted hash computed with a deliberately slow function rather than in the clear, and a password sent over the network should travel inside an encrypted channel (with HTTPS, for example, a password used to log in to a website does not cross the network unencrypted).

II. The new CNIL recommendations

A. A story of entropy

In its document on the new recommendations, the CNIL introduces the notion of entropy and recommends a minimum entropy of 80 bits for a password. But what is entropy? It is a way of measuring the strength of a password, in other words its robustness: the number of bits of randomness an attacker has to search through, where each additional bit doubles the number of guesses needed.

Many people believe that a password that meets a minimum length and a certain complexity will necessarily be strong. This is not always true, because a password contains a greater or lesser amount of randomness: if we only use words from the French language, we limit that randomness without meaning to.

Thus an apparently complex password, for example one where a letter is replaced by a digit, can remain vulnerable to certain attacks, in particular dictionary attacks with mangling rules (and plain brute force when it is short). The cracking tools and dictionaries used by cybercriminals today take these variants of the same word into account. Take the word “informatique” (French for IT), which could become the password “info0rm4t1que” or “INFORMAT1QUE“: even at 12 or 13 characters long, mixing letters and digits, it does not have sufficient entropy!

In other words: for better entropy, it is better to choose a longer password than to keep the same length and replace a few characters to make it look more complex (as in the previous example). Do not confuse robustness with complexity.

The CNIL gives three example policies that satisfy the new recommendations:

“Example 1: passwords must be composed of at least 12 characters including upper and lower case letters, numbers and special characters to be chosen from a list of at least 37 possible special characters.

Example 2: passwords must be composed of at least 14 characters including uppercase letters, lowercase letters and numbers, with no special characters required.

Example 3: a passphrase must be used and it must be composed of at least 7 words.”
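To see where these three policies and the 80-bit threshold come from, here is an added example (not part of the CNIL text or of the original article) that computes entropy the way the CNIL and ANSSI calculators do, as log2(N^L) = L × log2(N) for a password of length L drawn uniformly from an alphabet of N symbols, and then applies the same reasoning to the “info0rm4t1que” case above. The word-list size used for example 3 and the dictionary and rule counts used for the leetspeak case are assumptions chosen for illustration.

```powershell
# Added example, not from the CNIL document or the original article: entropy of the
# three CNIL example policies against the 80-bit minimum, plus the leetspeak case.
# Assumptions: the 7776-word list for example 3, and the 300,000-word dictionary
# with ~1,000 mangling variants per word used for the "info0rm4t1que" estimate.

function Get-UniformEntropyBits {
    param(
        [Parameter(Mandatory)][int]$Length,        # number of symbols in the password
        [Parameter(Mandatory)][int]$AlphabetSize   # number of distinct symbols it can draw from
    )
    # A uniformly random string of L symbols from an alphabet of N has L * log2(N) bits
    return $Length * [Math]::Log($AlphabetSize, 2)
}

function Get-PassphraseEntropyBits {
    param(
        [Parameter(Mandatory)][int]$WordCount,
        [Parameter(Mandatory)][int]$DictionarySize  # size of the list the words are drawn from
    )
    # Each word picked at random from the list contributes log2(list size) bits,
    # whatever its length in characters
    return $WordCount * [Math]::Log($DictionarySize, 2)
}

function Test-CnilEntropy {
    param([Parameter(Mandatory)][double]$Bits)
    # The CNIL examples are evaluated to the nearest bit: 12 symbols from a 99-symbol
    # alphabet give 79.6 bits, which the CNIL counts as meeting its 80-bit minimum
    return ([Math]::Round($Bits) -ge 80)
}

# Character classes behind the CNIL examples
$Lower = 26; $Upper = 26; $Digits = 10; $Special = 37

$cases = @(
    @{ Policy = 'Example 1: 12 chars, upper+lower+digits+37 specials'
       Bits   = Get-UniformEntropyBits -Length 12 -AlphabetSize ($Lower + $Upper + $Digits + $Special) }
    @{ Policy = 'Example 2: 14 chars, upper+lower+digits'
       Bits   = Get-UniformEntropyBits -Length 14 -AlphabetSize ($Lower + $Upper + $Digits) }
    # Assumption: the 7 words are drawn at random from a 7776-word list (Diceware size)
    @{ Policy = 'Example 3: 7 random words from a 7776-word list'
       Bits   = Get-PassphraseEntropyBits -WordCount 7 -DictionarySize 7776 }
    # The leetspeak variant from the article, counted naively as 13 symbols drawn
    # from lowercase letters + digits (36 symbols)...
    @{ Policy = 'info0rm4t1que, naive alphabet count'
       Bits   = Get-UniformEntropyBits -Length 13 -AlphabetSize 36 }
    # ...versus the search space a cracking tool actually explores: one word from a
    # dictionary, times the mangling rules applied to it. Assumption: a 300,000-word
    # French dictionary and about 1,000 case/leet variants per word.
    @{ Policy = 'info0rm4t1que, dictionary x rules'
       Bits   = [Math]::Log(300000, 2) + [Math]::Log(1000, 2) }
)

foreach ($case in $cases) {
    [pscustomobject]@{
        Policy      = $case.Policy
        EntropyBits = [Math]::Round($case.Bits, 1)
        MeetsCnil80 = Test-CnilEntropy -Bits $case.Bits
    }
}
```

Two things the table makes visible: example 3 only reaches its score if the seven words are picked at random from a list (a sentence you make up yourself draws from a far smaller space), and the leetspeak password scores around 67 bits when counted by alphabet and length but well under 30 bits once it is counted the way a cracking tool searches it, which is why it fails the recommendation.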

B. End of periodic renewal

In the same spirit as the ANSSI recommendation, the CNIL wants to put an end to the periodic renewal of passwords! Renewing a password periodically is not synonymous with security and is not really an effective measure; in practice it mostly pushes users toward predictable variations of the same password. And users do not like it either!

Let’s take an example. If a user has the password “Hello1!” and renews it as “Hello2!“, what is the point? Either way this password is not strong enough, even though it can satisfy certain password policies (4 different character classes in barely 7 characters). It is better for the password to be “Butter-Cream-Calvados-14” and to keep it for an indefinite period (unless a specific event occurs, such as a security incident or a request from the user). This password is robust, in addition to referring to essential cooking ingredients (the Normans will understand).

The CNIL nevertheless considers that periodic renewal must be kept for administrative accounts, i.e. accounts with elevated privileges compared to an ordinary user. These same accounts should benefit from a more robust authentication process, for example by adding a second factor.

C. Storing passwords

Last point addressed by the CNIL: the storage of passwords. Although it may seem obvious, passwords should never be stored in the clear! The CNIL refers here not only to the storage of the password itself but also to its handling during the authentication process, on a remote server for example: the server should keep only a salted hash computed with a deliberately slow function, and compare hashes at login rather than ever holding the password in a form it could be read back from.
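As an added example (not from the CNIL text or the original article), here is what “not in the clear” looks like for a service that must verify passwords: it stores a random salt and a slow, salted hash (PBKDF2-HMAC-SHA256 through .NET’s Rfc2898DeriveBytes, usable from PowerShell), never the password itself or a fast unsalted hash, and verifies a login by recomputing the hash. The record format, the 600,000 iteration count and the sample passwords are illustrative assumptions.

```powershell
# Added example, not from the CNIL document or the original article: salted, slow
# password hashing and verification with PBKDF2-HMAC-SHA256 (Rfc2898DeriveBytes).
# Requires .NET Framework 4.7.2+ (Windows PowerShell 5.1) or PowerShell 7.
# Assumptions: the "pbkdf2-sha256$iterations$salt$hash" record format and the
# 600,000 iteration count are illustrative choices.

function New-PasswordRecord {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Iterations = 600000   # assumption: tune so one verification costs ~100 ms on your server
    )
    # 16 random salt bytes: the same password stored twice yields two different
    # records, so a leaked database cannot be attacked with one precomputed table
    $salt = [byte[]]::new(16)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($salt)
    $rng.Dispose()

    # Slow derivation: the iteration count is what makes offline guessing expensive
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $hash = $kdf.GetBytes(32)
    $kdf.Dispose()

    # Hypothetical record format: everything a database row needs to verify later
    $saltB64 = [Convert]::ToBase64String($salt)
    $hashB64 = [Convert]::ToBase64String($hash)
    return ('pbkdf2-sha256${0}${1}${2}' -f $Iterations, $saltB64, $hashB64)
}

function Test-PasswordRecord {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Record
    )
    $parts = $Record -split '\$'
    if ($parts.Count -ne 4 -or $parts[0] -ne 'pbkdf2-sha256') { return $false }
    $iterations = [int]$parts[1]
    $salt       = [Convert]::FromBase64String($parts[2])
    $expected   = [Convert]::FromBase64String($parts[3])

    # Recompute with the stored salt and iteration count; nothing is ever "decrypted"
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $actual = $kdf.GetBytes($expected.Length)
    $kdf.Dispose()

    # Compare every byte whatever the position of the first mismatch, so response
    # time does not reveal how much of the hash matched (written by hand because
    # .NET Framework lacks CryptographicOperations.FixedTimeEquals)
    $diff = $actual.Length -bxor $expected.Length
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($actual[$i] -bxor $expected[$i])
    }
    return ($diff -eq 0)
}

# Sample usage with the passwords from the article
$record = New-PasswordRecord -Password 'Butter-Cream-Calvados-14'
$record                                                   # what the database stores
Test-PasswordRecord -Password 'Butter-Cream-Calvados-14' -Record $record
Test-PasswordRecord -Password 'Hello1!' -Record $record
```

The first verification call returns True and the second False; run New-PasswordRecord twice with the same password and you get two different records, which is the salt doing its job.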

III. The tools to support you

Ending periodic renewal is the easy part: it is enough to update the Active Directory password policy to adjust the maximum password age, which answers this recommendation (with a specific policy that keeps a renewal period for administration accounts).
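Here is the Active Directory side of that step as an added example, not from the original article, using the ActiveDirectory PowerShell module (RSAT) and run as a domain administrator. The domain name “corp.example”, the PSO name, the 90-day renewal period for administrators, the lengths chosen and the sample account “adm-florian” are illustrative assumptions, not values from the CNIL text.

```powershell
# Added example, not from the original article: default domain policy without
# periodic renewal, plus a fine-grained password policy (PSO) that keeps renewal
# for administrative accounts. Assumptions: domain "corp.example", admins are in
# "Domain Admins", PSO name, 90-day period and account "adm-florian" are illustrative.
Import-Module ActiveDirectory

$Domain = 'corp.example'

# 1. Default domain policy: end periodic renewal for standard users. A zero
#    MaxPasswordAge is how the cmdlet expresses "passwords never expire"; the
#    minimum length is raised to 14 to line up with CNIL example 2. Note that
#    AD's own "complexity" flag only checks character classes, not entropy.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days 0) `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24

# 2. Administrative accounts keep a renewal period, via a PSO that overrides the
#    default for the users and global security groups it is applied to. When
#    several PSOs apply to one account, the lowest Precedence number wins.
$PsoName = 'PSO-Admins-CNIL2022'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -MinPasswordLength 20 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'Domain Admins'

# 3. Check the result: the resultant policy for an admin account should be the PSO,
#    and the default domain policy should now show a zero MaxPasswordAge.
Get-ADUserResultantPasswordPolicy -Identity 'adm-florian' |
    Select-Object Name, MinPasswordLength, MaxPasswordAge
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount
```

Get-ADUserResultantPasswordPolicy returns nothing for an account that no PSO covers, which is a quick way to confirm that an administrator has really been placed under the stricter policy and not left on the default one.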

The entropy of passwords, on the other hand, is more complicated. Natively, Active Directory does not calculate the entropy of a password. Even with a password policy defined, the mechanism built into Active Directory (minimum length, history and a “complexity” flag that only checks character classes) is not precise enough to guarantee that the entropy level will be sufficient (I recommend reading this article, where I compare several solutions).

Faced with this problem, what can be done? Here are some avenues to explore…

A. Online tools

For personal use, it can be useful to refer to the tool “CALCULATE THE “STRENGTH” OF A PASSWORD” put online by ANSSI to get an idea of the entropy of a password. This tool lets you enter the length of a password and the number of symbols in the alphabet it is drawn from, and computes the corresponding entropy in bits. That value is then compared with the table on the same page to see whether the strength of the password is sufficient or not.

ANSSI - Calculate the strength of a password

In addition, some password managers, such as KeePass and KeePassXC (presented in this article), include a password generator that indicates the strength or entropy level of a password. This is a good cue when you need to choose a new password.

B. The Specops Password Policy solution

On the market there are solutions from third-party vendors that plug into Active Directory. The one I know, and have already covered on several occasions, is Specops Password Policy. I mention it here because it makes it possible to comply with the ANSSI and CNIL recommendations on password security.

This solution creates password policies for Active Directory that go much further than the built-in mechanism. As shown in the screenshot below, taken from the Create New Password Policy wizard, the sidebar labelled “Entropy” displays the entropy of the passwords that will satisfy the policy being configured. In other words, we make sure the passwords are strong enough.

Note: this applies to the password policy but also to passphrases, the latter being a practical way to reach a very long length through the use of several common words.

Overview of Specops Password Policy

Specops Password Policy contains several options to improve entropy, but also to prevent a password from being easily guessed. For example, there are options to block consecutive identical characters and to block certain words from a dictionary (the name of your company, for example), which has the advantage of also covering variants (example: blocking the word “itconnect” implies that “itc0nnect”, with a zero, is blocked too).

In addition, and this is also important, the software is able to check whether the password you choose has already been compromised. Thus, if it appears in a data leak resulting from a cyberattack on some company XYZ, you will not be able to use it, because it is a known password (and therefore potentially present in cracking dictionaries). The database maintained by Specops contains 3 billion passwords.

Apart from this solution, Specops also offers the free tool “Specops Password Auditor”, whose purpose is to audit your Active Directory passwords and accounts (compromised passwords, identical passwords across several accounts, stale administrator accounts, etc.) as well as your password policies. The latest version lets you quickly check whether you comply with the CNIL and ANSSI recommendations. It also generates a complete report in PDF format, in French (a fairly recent development as well). Here is an example:

Specops Password Auditor - CNIL

See this page for more information about the new version and to download the tool for free. See also my article published several months ago.

IV. Conclusion

These new recommendations from the CNIL, in the same spirit as those of ANSSI, give every IT department (DSI) concrete and official elements to justify a change to the password policy currently in force in their company. It remains to have the right tools to apply them, hence the interest in mentioning a few solutions.

To put these recommendations into practice, beyond IT tools, it is necessary to raise awareness and support users. Beyond the choice of password, it is inappropriate user behaviour that can lead to a cyberattack in your company. The best example is the phishing email a user may receive in their inbox.

In terms of resources, you can consult the following two documents published by the CNIL:
