“Let us give you some advice about your passwords,” says Britain’s top secret eavesdropping agency
GCHQ, the UK’s top secret surveillance intelligence agency, has offered up its advice on how consumers can ensure their passwords are fit for purpose.
It recommends that overly complex passwords can often be more of a hindrance than a help.
GCHQ’s problem with password strength meters is that people can become overly reliant on them. Whilst they are useful in stopping a user opting for a “12345678” password for example, they do not take into account other flaws such as use of family names and birth dates.
The guide also says that imposing regular password changes on users can also harm rather than enhance security, with GCHQ’s stance being that the drive to create ever more complex passwords is creating a security problem.
“When every system needs a different password, the complexity settings for each system are set high, and password changes are enforced frequently, the outcome is not better security,” blogged GCHQ’s Jon Lawrence.
“ When we’re overloaded with passwords, we all end up ‘breaking the rules’: we use the same passwords across different systems; we use coping strategies to make passwords more memorable (and thus more easily guessed), and we store passwords insecurely. Jokes about passwords on sticky notes underneath keyboards aren’t jokes.”
“When we overload users with passwords, we also add cost,” wrote Lawrence. “There’s the cost of dealing with increased password resets and account lockouts, and by putting up barriers in the name of security, we reduce the functionality of systems, and make it harder for people to do their jobs.”
“Worst of all, making all password policies “complex” doesn’t stop attacks,” he warned, citing previous research from Microsoft and others. GCHQ instead advises system designers and security architects to think more about where they’re requiring passwords.
And the GCHQ advice has been welcomed by some security experts.
“The security industry is awash with password advice, but much of it is contradictory or simply not suited to modern working,” said Nigel Hawthorn, European spokesperson at cloud security company, Skyhigh Networks.
“The result – passwords still puzzle many. GCHQ’s latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today.”
“Our research shows that the average European employee is using 23 different cloud services, and with each one comes a new password,” said Hawthorn. “Or at least it should. Because user convenience usually trumps security, the same passwords are used time and time again. Hacks that can be traced back to a reused password are a dime a dozen, see Bugzilla this week, so it’s great that GCHQ has addressed the issue as part of its advice.”
“GCHQ advocating a ban on strength meters may surprise some, but also seems smart,” Hawthorn added. “We analysed 12,000 cloud services and found that a whopping 80 percent would allow ‘weak’ passwords according to the traditional strength meter, but the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess.”
In June, research from security firm Trustwave found that over half of passwords tested could be cracked in less than 24 hours.The firm examined 499,556 hashed passwords gathered during thousands of penetration tests performed throughout last year, found that 51 percent of those could be cracked within 24 hours and 88 percent within two weeks.
Weak passwords are a major factor in many of security breaches, as hackers take advantage of poor controls to hack into company networks. Even password storing tools may not be a safe alternative, after the password storing site Lastpass was hacked this year.
Are you a security pro? Try our quiz!