The previous version of Anssi's guide on authentication and passwords dated from 2012. The agency has just updated this document, offering a clear and precise treatment of a topic that remains as relevant as ever.
After the computer hygiene guide, anyone interested in cybersecurity should add Anssi's latest guide on authentication and passwords to their library. The agency has just updated this document, whose v1 dated back to 2012. It must be said that things have changed somewhat in this area since then (stronger cryptography, widespread adoption of multi-factor authentication, etc.).
The guide is aimed at a varied audience (DSI, developers, RSSI and users) and is educational in tone. One thing is certain: the ANSSI reminds us that authentication plays an important role in managing the security of an information system. The document covers authentication for all types of access, i.e. unlocking a terminal (a Windows or Linux workstation, etc.), access to privileged accounts (by administrators, for example), access to web applications (private or public), etc. It focuses on the authentication of people to machines, because of their greater exposure to attacks and the risk of human error.
Some nuances on authentication
As in other areas of cybersecurity, the agency advocates in the preamble carrying out a risk analysis before implementing any means of authentication. In this context, it lists the threats related to the subject: brute-force attacks, dictionary attacks, exhaustive search, pre-computed tables (rainbow tables) and social engineering. Against these risks, countermeasures such as strong or multi-factor authentication are available.
And here again, according to Anssi, it is all about nuance. Multi-factor authentication is to be preferred, but a factor based on geolocation (via IP address or GPS) is considered less mature and can be circumvented. Similarly, sending temporary codes by SMS should be avoided, given the vulnerabilities present in mobile communication protocols (SS7 and the like) and exploits such as SIM swapping (transferring the SIM). The other element is strong authentication, distinct from its multi-factor counterpart and often relying on cryptographic protocols. These must be able to resist various attacks: eavesdropping, man-in-the-middle, replay (capturing authentication data and replaying it) and forgery (an attacker observing several authentication exchanges in order to produce a valid one).
Nuanced password protection
The guide ends with the problem of passwords, offering advice on several points. On length, for example, the agency remains pragmatic and recommends, depending on the system, not setting a maximum password length, so that users can use passphrases or long words; such caps are outmoded. On complexity, on the other hand, it notes that the larger the character set, the greater the number of possible passwords.
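To illustrate the two points above (a larger character set enlarges the search space, and a maximum-length cap shuts out passphrases), here is an added example that is not from the ANSSI guide or from the article; the character-class sizes and sample passwords are constructed assumptions.

```python
import math
from typing import Optional

# Assumed sizes of the standard character classes (constructed, not from the guide):
# lowercase, uppercase, digits, and a common set of 33 printable symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(password: str) -> int:
    """Size of the smallest standard character set covering every class used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):  # spaces count as symbols
        size += CLASS_SIZES["symbol"]
    return size


def search_space_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search must cover: length * log2(charset)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def evaluate(password: str, max_length: Optional[int] = None) -> dict:
    """Estimate the search space and report whether a maximum-length cap would reject it."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(search_space_bits(password), 1),
        "rejected_by_cap": max_length is not None and len(password) > max_length,
    }


if __name__ == "__main__":
    # Constructed samples: a short four-class password versus a lowercase passphrase.
    # With a 16-character cap the passphrase, despite its far larger search space,
    # would be refused; this is the situation the guide argues against.
    for pw in ("Tr0ub4d&r", "correct horse battery staple"):
        print(pw, evaluate(pw, max_length=16))
```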
Finally, the guide addresses the questions of revocation, collection and safe storage of passwords. The agency encourages companies to provide employees with a password vault and to train them in its use. It warns, however, against storing passwords in a password-protected office document, a practice to be avoided.