Security and password: do you respect the recommendations of the CNIL? 

Authors: Marine Vanhoucke, partner, and Michela Navarra

Art. 32 of the GDPR imposes a security obligation on the personal data controller. A breach of this obligation may lead to penalties of up to 4% of worldwide turnover or €20.

According to the CNIL, in 2021, "81% of global data breach notifications are related to weak passwords and 60% of CNIL notifications are linked to hacking."

In order to provide a more suitable framework, the CNIL recently published Deliberation No. 2022-100 relating to passwords and other shared secrets. The main changes compared to its previous recommendation of 2017 are as follows:

  • The CNIL previously defined compliance thresholds in terms of number of characters and password complexity. It now relies on entropy, that is to say "the amount of chance contained in a system. For a password or a cryptographic key, this corresponds to its degree of unpredictability, and therefore its ability to resist a brute-force attack". The data controller must use passwords whose length and complexity are equivalent to an entropy of 80 bits.
  • On this basis, the CNIL distinguishes 3 use cases:
    • "simple" password authentication: required entropy level of 80 bits;
    • measures limiting the risk of online attacks are implemented: required entropy level of 50 bits;
    • hardware unlock code: required entropy level of 13 bits.
  • Removal of the obligation to renew passwords for ordinary user accounts. Renewal is still required for accounts with "privileges", that is to say administrator-type accounts and/or accounts with extended rights.
  • Companies will have to put in place specific rules, in the form of good practices, concerning the creation and renewal of passwords in order to fulfil their security obligation.
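As an added illustration (not code from the article or from the CNIL), the following snippet estimates the entropy of a password policy using the standard formula length × log2(alphabet size), and checks which of the three CNIL use cases above a given policy satisfies. The character-class sizes are an assumption (printable ASCII); the result is the entropy of a uniformly random password, an upper bound that human-chosen passwords do not reach.

```python
import math

# Entropy thresholds (bits) from CNIL Deliberation 2022-100, as stated in the article.
CNIL_THRESHOLDS = {
    "simple_password": 80,        # password-only authentication
    "online_attack_limited": 50,  # rate limiting, lockout, etc. in place
    "hardware_unlock_code": 13,   # device unlock code
}

# Assumed alphabet sizes for printable ASCII character classes.
CHAR_CLASSES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "special": 32,
}


def _alphabet_size(classes):
    size = sum(CHAR_CLASSES[c] for c in classes)
    if size < 2:
        raise ValueError("alphabet must contain at least two characters")
    return size


def policy_entropy_bits(length, classes):
    """Entropy in bits of a password of `length` characters drawn uniformly
    from the union of the given character classes: length * log2(alphabet)."""
    if length <= 0:
        raise ValueError("length must be positive")
    return length * math.log2(_alphabet_size(classes))


def min_length_for(bits, classes):
    """Smallest length that reaches `bits` of entropy with the given classes."""
    return math.ceil(bits / math.log2(_alphabet_size(classes)))


def cnil_use_cases_met(bits):
    """CNIL use cases whose threshold is met by a policy with `bits` of entropy."""
    return [name for name, threshold in CNIL_THRESHOLDS.items() if bits >= threshold]


if __name__ == "__main__":
    full = ["lower", "upper", "digit", "special"]
    # A 12-character password over all four classes gives ~78.7 bits: short of 80.
    print(round(policy_entropy_bits(12, full), 1), cnil_use_cases_met(policy_entropy_bits(12, full)))
    # Length needed to reach 80 bits: 13 with all classes, 18 with lowercase only.
    print(min_length_for(80, full), min_length_for(80, ["lower"]))
    # A 4-digit unlock code gives ~13.3 bits, just above the 13-bit hardware threshold.
    print(round(policy_entropy_bits(4, ["digit"]), 2))
```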

To consult this deliberation in reference: click here.

The CNIL recalls that this recommendation is not normative, but specifies that "the minimum technical and organizational requirements" thus identified correspond to the state of the art. This means that it will check compliance with these requirements during inspections and that failure to comply will result in penalties.

Marine Vanhoucke

Partner

Marine Vanhoucke advises companies on intellectual property and supports them on compliance matters.

Head of the Hong Kong office, she assists French companies in their establishment and growth in Asia and has built up expertise in international law issues, notably those combining French and Asian interests.