Passwords: minimum security recommendations for businesses and citizens

04 September 2017

At a time when many services now need a password to access them, and with data security under greater threat, the French Data Protection Authority (CNIL) is adopting a recommendation on passwords to guarantee minimum security in this respect. It is also providing businesses and citizens alike with practical tools.

Passwords might well be in widespread use, but unless they are combined with other security measures they only offer a low level of security

This means of authentication is therefore facing mounting criticism and testing, and yet it is still THE key to accessing most digital services.

With digital uses on the rise, the sheer number of accounts and passwords that users now have to juggle is proving an ever more complex task. If they do not take care over the way they manage these passwords, users place their personal data at risk:

  1. using the same password to access different services can compromise sensitive accounts – not least their main email address;
  2. the tendency to share passwords increases the risk of identity theft;
  3. the tendency to create passwords using personal information (date of birth, children's first names, company name, etc.) makes them more vulnerable, especially in a context where it is easy to retrieve information about people online (social engineering);
  4. to overcome the difficulty remembering passwords, the tendency is to create overly simple ones a few characters long, often including common words, or to write them down somewhere on paper.

And yet, many users are not aware of the basic security steps and techniques for managing this confidential information – when they have an ever greater number of accounts and increasingly sensitive information to protect.

The CNIL's advice for a good password

It is important to create strong passwords for your online accounts. The CNIL offers a resource and tool kit for:

A stupendous rise in attacks that have compromised passwords

2016 saw a surge in cyberattacks that were at times stupendous, and which particularly led to entire databases of accounts and associated passwords being compromised.

Scores of passwords were made public in the wake of these attacks, which enabled the hackers to update the procedures for creating passwords and the users' mnemotechnical methods.

The main platforms have scaled up the security of their authentication systems by shoring up password authentication with additional security features (double authentication via a mobile code, account blocking after X failed login attempts).

That said, a security breach on the part of just one platform (for example, in the event of massive authentication data theft) is all that is needed for the security of the whole digital ecosystem to be at risk: accounts, "webmails" (web-based email services) in particular, whose passwords have been found out, set off a domino effect whereby all of the services the users have signed up for are compromised.

Given this situation, setting a minimum security level on the matter appears crucial. The CNIL has therefore adopted a recommendation on passwords, informing businesses and citizens alike of the minimum conditions for complying with the legal security requirement.

A pragmatic doctrine which takes additional security measures on board

As part of its investigations, at regular intervals the CNIL analyses the authentication systems set up by data controllers.

To ensure that the constraints of the state of the art are taken on board, the CNIL has also consulted various security stakeholders as well as all of the European data protection authorities.

In light of these observations and talks, the CNIL has laid down pragmatic minimum measures on the basis of the current authentication practices on the main online platforms. This recommendation does not exclude the possibility of other measures being taken based on the specific risks that might be identified.

As such, the length and complexity of the password vary depending on the other security measures taken for the purposes of authentication (time-delay system for account access, double authentication, hardware held in the user's name).


The CNIL's recommendation encompasses four aspects of password management in connection with which there are well identified recurring threats:

  • password creation;
  • authentication;
  • retention;
  • and renewal.
Document reference

Official text