What password policy should be adopted?

The default password composition rule is evolving with the recommendations of the CNIL. Currently, it imposes a minimum size of 8 characters and 3 complexity criteria:

• At least one numeric character
• At least two letters
• Mix of lower and upper case letters

Les utilisateurs tenant le rôle d'administrateur, notamment le SPR, doivent être encore plus vigilants quant au choix de leur mot de passe. As such, the CNIL recommends a password of at least 10 characters mixing upper and lower case letters, numeric characters as well as special characters.

It is necessary to impose a regular renewal of the password. A simple way to do this is not to recover passwords from year to year: at the beginning of each school year, you give a new temporary password to each user who personalizes it at the time of his first connection.

Another way is to encourage or force password changes every X days. Depending on the option chosen, users are informed that it is advisable or necessary to change their passwords.

To comply with the recommendations of the CNIL, we propose by default to teachers and staff to enter a PIN code and/or send notifications when connecting from any new device.

It is best to maintain these safety measures.

It is recommended that users be reminded of the essential rules to follow: keep your password secret, do not write it down or type it out of sight, etc.

VHere are some references regarding password security:

• Deliberation No. 2017-012 of January 19, 2017 - Public service for the diffusion of law
• CNIL tips for a good password - CNIL
• Minimum security recommendations - CNIL
• Good IT practices - ANSSI-list 2