Following the successful deployment of two-factor authentication (2FA) to more than 42 000 CERN accounts - both personal "primary accounts" and supplementary "secondary accounts" - one final step remains to ensure full compliance with the recommendations of the 2023 audit on CERN's cybersecurity. The minimum required password length and complexity rules will be brought into line with standard security practice. It's nothing for you to worry about - in fact, life might even become easier (although you may need a bit of imagination if your current password is found to be non-compliant) …
Until recently, CERN passwords were governed by a rather ancient set of complexity rules, requiring a string of at least eight characters containing a mixture of upper-case and lower-case letters, numbers and symbols, which made them hard to remember and thus often forgotten. These requirements also tended to result in predictable tricks: replacing "E" with "3", "S" with "5" and, most likely, having a year and/or an "!" at the end of the password(1). But no more!
In line with the NIST SP 800-63B standard, the CERN Computing Rules have now dropped any need for letter/number/symbol complexity and instead extended the minimum password length to 15 characters. With this, and following the general trend in the wider world, CERN passwords move from the realm of easy-to-guess words to better phrases - passphrases, i.e. combinations of several random words(2). The longer the better, and they can even be much easier to memorise than a password: take (the beginning of) your favourite refrain ("Another one bites the dust"), poem ("Fais de ta vie un rêve [et d'un rêve, une réalité]", possibly leaving out any commas) or quotation ("Two things are infinite: [The universe and human stupidity; and I'm not sure about the universe]" or "I have sampled every language - French is my favourite"). … Or, failing that, "just" type your current password twice. Be imaginative, as this passphrase may be with you for the rest of the lifetime of your account, never to be changed again (unless it turns up in a data breach or the standards are updated).
While these new password rules have already been enforced on newly created computing accounts, in 2026 all non-compliant passwords of primary, secondary and service accounts and, indeed, all other CERN accounts (databases, guest accounts, local accounts for e.g. LHC@Home or Zenodo) will need to be changed. Any new password you choose will be checked against a list of too simple/easy-to-guess passwords (such as "AAA-AAA-AAA-AAA-AAA") and another of "burnt" passwords(3). In fact, this monitoring for "burnt" passwords was deployed a while ago, when 2FA protection entered the SSO, and it is what allowed us to drop the requirement for annual password changes.
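To make the new rules concrete, here is an added example (written for this article, not CERN's SSO code) of a NIST SP 800-63B-style check: a minimum length of 15 characters with no composition rules, a denylist of trivially simple strings, and a "burnt" lookup done the way the Pwned Passwords service does it (only the first five hex characters of the SHA-1 ever leave the client; the suffixes are compared locally). A small random-word passphrase generator shows where the "several random words" entropy comes from. The denylist, the breach data and the word list are all constructed for the demo; how CERN actually implements its lists is not described in the article and is an assumption here.

```python
# Added example, not CERN's code: NIST SP 800-63B-style password screening
# plus a random-word passphrase generator. All lists below are constructed.
import hashlib
import math
import secrets
import unicodedata

MIN_LENGTH = 15   # length is the only rule; no letter/number/symbol mix required
MAX_LENGTH = 256  # generous upper bound; never silently truncate what the user typed

# Constructed denylist of too-simple strings (assumption: a real list is far
# larger and also contains context-specific words such as the site name).
DENYLIST = {
    "aaa-aaa-aaa-aaa-aaa",
    "passwordpassword",
    "123456789012345",
}


def normalize(password: str) -> str:
    """NFKC-normalise so the same visible string always hashes identically.
    Spaces and any printable Unicode are allowed, so nothing is stripped."""
    return unicodedata.normalize("NFKC", password)


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus in k-anonymity form:
# 5-char SHA-1 prefix -> {35-char suffix: number of breach records}.
_BURNT = "correct horse battery staple"   # constructed "burnt" password
_BURNT_HASH = _sha1_hex(_BURNT)
BURNT_RANGES = {
    _BURNT_HASH[:5]: {
        _BURNT_HASH[5:]: 1234,           # the burnt one
        "0" * 34 + "A": 1,               # unrelated filler entry (constructed)
    },
}


def burnt_count(password: str, ranges=BURNT_RANGES) -> int:
    """k-anonymity lookup: only the 5-char prefix would be sent to a remote
    service; the full hash is matched against the returned suffixes locally."""
    h = _sha1_hex(password)
    return ranges.get(h[:5], {}).get(h[5:], 0)


def check_password(password: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means it passes."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.casefold() in DENYLIST:
        problems.append("on the too-simple list")
    n = burnt_count(pw)
    if n:
        problems.append(f"burnt: seen in {n} breach record(s)")
    return problems


# Constructed eight-word list (3 bits per word); a real list such as the EFF
# long list (7776 words) gives about 12.9 bits per word.
WORDS = ["another", "bites", "dust", "universe", "stupid",
         "sampled", "language", "favourite"]


def passphrase(n_words: int, words=WORDS) -> tuple:
    """Pick n_words uniformly with a CSPRNG; return the phrase and its entropy in bits."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen), n_words * math.log2(len(words))


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3!", "AAA-AAA-AAA-AAA-AAA",
                      "correct horse battery staple", "Another one bites the dust"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
    phrase, bits = passphrase(5)
    print(phrase, f"({bits:.1f} bits from this toy list)")
```

Note that the classic "Tr0ub4dor&3!" passes the old mixed-character rules but fails the new one purely on length, while "Another one bites the dust" passes with no symbol or digit at all. The generator's entropy figure is what matters for random-word passphrases: it depends only on the list size and the number of words, not on how exotic the words look.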
If your password is found to be non-compliant or "burnt", CERN's Single Sign-On will give you a few reminders and chances to unleash your creativity once you have logged in. In order not to bother you at a "bad" time or to disturb your work, you will be given the option to postpone. However, after a while, changing your password will become mandatory. So, here is our little challenge for 2026: choose a good, memorable, non-guessable and secure password to help protect CERN's computing accounts even better!
(1) If you want to create the ultimate secure password, try this out: https://neal.fun/password-game/.
(2) … and with passkeys to come once our identity management solution allows these to be seamlessly integrated.
(3) "Burnt" passwords are those that have been exposed in any kind of data breach involving passwords or other personal information. Such passwords are considered "public" and should not be used in any security context.