Faced with an increased risk of hacking, the CNIL has revised its recommendations on good practices to adopt on the Internet. Here are the new rules to follow to create a reliable password and avoid being hacked.



Every day, billions of personal records are traded on dark web forums frequented by attackers, often for a fee. The cause is most often passwords that are too weak, and reused across other accounts. According to a 2021 Verizon study, 81% of data breach notifications worldwide involve problematic passwords, and many of those breaches could have been avoided had the victim followed good security practice. The picture is the same at the Commission nationale de l'informatique et des libertés (CNIL): 60% of the notifications it received in 2021 stem from compromises that could have been avoided if the basic guidelines (a long, complex, meaningless, impersonal and unique password) had been applied. It is therefore "in a context of multiplying password database compromises" that the CNIL published, on October 17, 2022, new guidelines on password security; the previous ones dated from 2017. Although these recommendations are aimed primarily at businesses and professionals, who are increasingly the victims of cyberattacks and data leaks, they apply just as well to individuals, and they are a sound basis for creating reliable, secure and hard-to-crack passwords.

Password: a fallible means of authentication

Password authentication is far from an infallible way to secure an account, and there are many risk factors to consider. A password can be too simple: users tend to choose one they can remember easily (see our article on the worst passwords), which exposes them to brute-force attacks, in which the attacker tries password candidates one after another, and to dictionary attacks, in which the attacker works through a list of likely passwords hoping the real one is in it. A password can also be captured by malware, phishing campaigns or fake login pages. An account is equally at risk when the password is stored in plain text on the server, or when the reset procedure used when it is forgotten is too weak; "secret" questions such as "what was the name of your first pet?" are the typical case, and the CNIL now recommends no longer using them to protect a password.


CNIL: recommendations for securing passwords

Compared with 2017, the CNIL's instructions have changed. First, the security level of a password is no longer judged by its minimum length but by its entropy at creation time. "Entropy can be defined in this context as the amount of randomness. For a password or a cryptographic key, it corresponds to its degree of theoretical unpredictability, and therefore to its ability to resist a brute-force attack," the organization explains. On that scale, a password of at least 12 characters mixing uppercase letters, lowercase letters, digits and special characters has the same level of entropy as a passphrase of at least 7 words. Sites and platforms can add measures to guarantee the safety of their users. They can impose complexity rules: a minimum length and mandatory uppercase letters, lowercase letters, digits and special characters. They can also restrict access: delaying access to the account after several failures, requiring a Captcha, capping the number of attempts allowed within a given period, or blocking the account after a certain number of failures. Finally, they can require the user to hold a physical device, such as a smartphone or a bank card.
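To make the entropy comparison concrete, here is an added example (my code, not CNIL material or code from the article) that computes the figures behind the policies above. The character-class sizes, the two dictionary sizes and the guessing rate are assumptions stated in the code. The numbers show that "12 characters, 4 classes" and "7 words" are only equivalent for a word list of a few thousand entries, and that a 7-word passphrase drawn from a larger list is stronger still.

```python
import math

# Character-class sizes used below. Counting 33 printable ASCII symbols as
# "special characters" is an assumption of this example; the exact figure
# depends on which symbols a site accepts.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33


def password_entropy_bits(length, alphabet_size):
    """Entropy, in bits, of a password of `length` characters each drawn
    uniformly from an alphabet of `alphabet_size` symbols: log2 of the number
    of possible passwords. This is a ceiling; a human-chosen password is far
    less random than that, which is why sites should not trust length alone."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words, dictionary_size):
    """Same computation for a passphrase of `words` words drawn uniformly from
    a list of `dictionary_size` words, assuming the attacker knows the list
    (the honest assumption: word lists such as diceware are public)."""
    if words <= 0 or dictionary_size <= 1:
        return 0.0
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def policy_table(guesses_per_second=1e10):
    """Compare the policies discussed in the article. The 1e10 guesses/s
    default is an assumed offline rate against a fast hash; a slow password
    hash such as scrypt or Argon2 cuts it by orders of magnitude."""
    rows = [
        ("4-digit PIN", password_entropy_bits(4, DIGITS)),
        ("8 lowercase letters", password_entropy_bits(8, LOWER)),
        ("12 chars, 4 classes",
         password_entropy_bits(12, LOWER + UPPER + DIGITS + SPECIAL)),
        ("14 chars, 3 classes",
         password_entropy_bits(14, LOWER + UPPER + DIGITS)),
        ("7 words, 2,700-word list (assumed)", passphrase_entropy_bits(7, 2700)),
        ("7 words, 7,776-word diceware list", passphrase_entropy_bits(7, 7776)),
    ]
    return [(name, round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in rows]


if __name__ == "__main__":
    for name, bits, years in policy_table():
        print(f"{name:36} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The 12-character, 4-class password comes out just under 80 bits, the same as 7 words from a 2,700-word list, whereas 7 diceware words give about 90 bits; the CNIL equivalence therefore presupposes a modest dictionary. The "years" column is only as good as the guessing-rate assumption, which is exactly why the storage function chosen by the server matters.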

The CNIL now recommends ending periodic password renewal, because "the strategies users adopt to cope with password expiration policies are generally predictable and lower the effective level of security." Typically the user picks a modified version of the previous password, for instance by appending a digit. The security gain is minor and the user is irritated by the change. Finally, the CNIL reminds that passwords must never be stored in clear text. "When authentication takes place on a remote server, and in other cases where technically feasible, the password must be transformed by means of a non-reversible and secure cryptographic function incorporating a salt or a key," it explains, citing scrypt and Argon2 as suitable functions. These are slow password-hashing functions, not encryption: the stored value cannot be turned back into the password. To strengthen an account further, enable multi-factor (strong) authentication and use a password manager. Passkeys are also a good alternative, although they come with limitations of their own.
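The server-side handling that the last two paragraphs call for, salted non-reversible hashing with scrypt plus access restriction after repeated failures, as one added example (my code, not the CNIL's and not from the article). The scrypt cost parameters, the lockout thresholds and the in-memory store are assumptions of the example; scrypt is used rather than Argon2 only because it ships in Python's standard library (Argon2 would need a third-party package such as argon2-cffi).

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# scrypt cost parameters (assumed values; raise N until one hash takes tens
# of milliseconds on your servers). N=2**14, r=8 needs about 16 MiB of RAM.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16

# Access-restriction policy (assumed values): MAX_FAILURES failed attempts
# within WINDOW seconds lock the account for LOCKOUT seconds.
MAX_FAILURES, WINDOW, LOCKOUT = 5, 300, 900


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password, salt). A fresh random salt per user
    means two users with the same password get different stored values and
    precomputed (rainbow) tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so a wrong guess cannot be told apart by how long the comparison took."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, digest)


# Hashed once at import time so that a login for an unknown user costs the
# same as one for a real user (no account enumeration through response time).
_DUMMY_HASH = hash_password("not-a-real-password")


class PasswordStore:
    """In-memory user store: keeps only salted scrypt hashes, never the
    plaintext, and throttles failed logins per account."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock          # injectable so tests can fake time
        self._hashes = {}            # user -> salt || digest
        self._failures = {}          # user -> timestamps of recent failures
        self._locked_until = {}      # user -> time at which the lock expires

    def register(self, user: str, password: str) -> None:
        self._hashes[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        if self._locked_until.get(user, 0.0) > now:
            return "locked"
        stored = self._hashes.get(user)
        if stored is None:
            check_password(password, _DUMMY_HASH)   # equalise timing, then deny
            ok = False
        else:
            ok = check_password(password, stored)
        if ok:
            self._failures.pop(user, None)
            return "ok"
        # Count only failures inside the sliding window, then apply the lock.
        recent = [t for t in self._failures.get(user, []) if now - t < WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._failures.pop(user, None)
            self._locked_until[user] = now + LOCKOUT
            return "locked"
        self._failures[user] = recent
        return "denied"


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(5):
        print(store.login("alice", "hunter2"))      # denied x4, then locked
```

In a real deployment the hashes and the failure counters live in a shared database rather than in process memory, the lock should also be reported to the user through a channel the attacker does not control, and a Captcha or a growing delay can be layered in before the hard lock; the structure of `login` stays the same.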
