Computer Security: ThisIsAVeryGoodPassword

"Weze-Xupe", "a^2+b**2=sqr(c)", "IXdKKaspdd!" or "dogs+F18" have long been the state of the art for passwords - using a mixture of capital and lower-case letters, symbols and numbers, and definitely not using any word from a dictionary of your preferred language. The more gibberish the better. Only such passwords were able to evade being successfully brute-forced using dictionaries, rainbow tables or other techniques. The only limiting factors were the computing power on the attacker's side and the number of attempts. And thanks to Moore's law, attackers got more and more power over time. Time to adapt again!

CERN already gave up the annual password change a while ago, making life easier and avoiding idiotic password changes from "MyGenialPassword2022" to "MyGenialPassword2023", opting instead to monitor for passwords that have been publicly exposed. In addition, with the introduction of 2-factor authentication (2FA), CERN primary and secondary accounts got another much-needed layer of protection. Actually, by now, more than 45 000 CERN accounts are subject to 2FA protection, and that protection will soon be extended to remote logins to the "LXPLUS" interactive Linux cluster and to the internet-facing Windows Terminal Servers ("CERNTS").

Thus, the time has come to take another step forward. Let's give up the complexity rules (letters, symbols, numbers) and go for long passwords, i.e. "passphrases", instead. Long but easy to remember. Like a poem or refrain, like a place you especially like or an episode in your life. Like "Fais de ta vie un rêve, et de ton rêve une réalité" (Saint-Exupéry), "In Xanadu did Kubla Khan a stately Pleasure Dome decree" (Frankie Goes to Hollywood), "ThisIsAVeryGoodPassword" (for the self-confident), "They call it a Royale with cheese" (for film fanatics), "C'est quoi ce b***?" (for IT guys), but also "Mmm Mmm Mmm Mmm" (for the indecisive ones). Even better, take advantage of your presumable multi-nationality: use a passphrase in your native language or, even better, mix multiple languages, use Frenglish, Spanglish or any other combination (for example, "Le boss veut un feedback asap"). The longer the phrase, the harder to guess, the harder to crack. At least for the time being.

The aim for 2025 and 2026 is to gradually replace all current passwords with passwords of at least 15 characters (following the NIST 800-63b standard). For those that already meet that criterion, nothing will change. All other users will be asked over the course of time (and depending on their end-of-contract date) to be creative and adapt their current choice to something longer but simpler and easier to remember.
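The policy described above boils down to two checks: a minimum length of 15 characters with no composition rules, plus a comparison against passwords already known to be publicly exposed. The following is an added illustration of such a checker, not CERN's own code; the exposed-password set is a constructed sample standing in for a real breach feed, and the `validate_passphrase` function name is an assumption.

```python
from __future__ import annotations

import unicodedata

# Minimum length in the NIST SP 800-63B spirit: length instead of complexity.
MIN_LENGTH = 15

# Constructed sample blocklist standing in for a real exposed-password feed
# (a real deployment would load a large list or query a breach-lookup service).
EXPOSED_PASSWORDS = {
    "MyGenialPassword2022",
    "MyGenialPassword2023",
    "correct horse battery staple",
}


def normalize(candidate: str) -> str:
    # NFKC normalisation so that composed and decomposed forms of the same
    # accented character (rêve written two ways) are treated as the same secret.
    return unicodedata.normalize("NFKC", candidate)


def validate_passphrase(candidate: str, exposed: set[str] = EXPOSED_PASSWORDS) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password or passphrase."""
    pw = normalize(candidate)

    # Count code points, not bytes, so a French or German phrase is not
    # penalised (or artificially lengthened) by its accents.
    if len(pw) < MIN_LENGTH:
        return False, f"too short: {len(pw)} characters, need at least {MIN_LENGTH}"

    # Exposed-password check is case-insensitive and ignores surrounding
    # whitespace: trivial variants of a leaked password add no real protection.
    known = {normalize(p).strip().casefold() for p in exposed}
    if pw.strip().casefold() in known:
        return False, "matches a publicly exposed password"

    # Deliberately no composition rules: no required digit, symbol or capital.
    return True, "ok"


if __name__ == "__main__":
    for sample in ("IXdKKaspdd!", "dogs+F18", "MyGenialPassword2023",
                   "Mmm Mmm Mmm Mmm", "Le boss veut un feedback asap"):
        print(f"{sample!r}: {validate_passphrase(sample)}")
```

Note that "Mmm Mmm Mmm Mmm" passes at exactly 15 characters while "IXdKKaspdd!" fails despite its symbols and mixed case; that is the point of the policy change, and the blocklist is what catches a long-but-leaked choice such as "MyGenialPassword2023".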

By the way: passkeys. A "passkey" is what big tech companies call their "replacement for passwords" based on their proprietary web technology. It's often meant to be a single factor, and often they want you to rely on resident keys - resident keys that drag you into their eco-sphere and are very often not compatible with each other. Unless that changes, no passkeys at CERN. Sorry…

Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).