Should you heed GCHQ's password advice?

The government's spying agency doesn't believe you should change your password every 90 days

GCHQ believes organisations should simplify their password policies, advising against "strength meters" and against forcing staff to change credentials every few months.

The Password Guidance report said the average UK citizen has 22 passwords to remember for online services, more than most of us can hold in our heads. Previously, the government's security agencies had suggested people use more complex passwords that are harder to crack, but GCHQ is now advising "simplifying your approach".

"Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users," Ciaran Martin, Director General for Cyber Security at GCHQ, wrote in the introduction to the report.

"They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk."

Instead, companies should change default passwords to something new, reduce the number of passwords users need to remember by only using them when necessary, and consider using machine-generated passwords rather than letting people choose their own. 

If you do let people set their own passwords, avoid "strength meters", which tell users their credential is too weak to use. "They may steer users away from the weakest passwords, but often fail to account for the factors that can make passwords weak (such as using personal information, and repeating characters or common character strings)," the report said. 
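As an added illustration of the report's point about strength meters (example code written for this article, not anything published with the GCHQ guidance), the block below puts a traditional meter that only counts character classes and length next to the checks the report says meters omit: common strings (after undoing the usual "@" for "a" substitutions), repeated characters, sequential runs and personal information. It also shows the machine-generated alternative, drawn from a CSPRNG and re-drawn until the pattern checks pass. The common-string list and the sample passwords are constructed for the example; a real deployment would use a breach-derived blocklist.

```python
import re
import secrets
import string

# Constructed, deliberately short list of common strings; a real deployment
# would substitute a breach-derived blocklist (assumption, not GCHQ's list).
COMMON_STRINGS = ("password", "qwerty", "123456", "letmein", "welcome", "admin")

# Undo the usual character substitutions ("P@ssw0rd") before blocklist matching.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def naive_meter(pw: str) -> int:
    """Traditional strength meter: one point per character class present,
    plus one for length >= 8.  Scores 0-5 and knows nothing about patterns."""
    score = sum(
        1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
        if any(c in cls for c in pw)
    )
    return score + (1 if len(pw) >= 8 else 0)


def has_ascending_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive code points in ascending order,
    e.g. '1234' or 'abcd' (descending runs are not checked in this example)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def weakness_reasons(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """The checks the report says meters miss: common strings, repeated
    characters, sequential runs and personal information.
    Returns an empty list when none apply."""
    reasons = []
    normalised = pw.lower().translate(LEET)
    for s in COMMON_STRINGS:
        if s in normalised:
            reasons.append(f"contains common string '{s}'")
    if re.search(r"(.)\1{2,}", pw):
        reasons.append("repeats a character three or more times")
    if has_ascending_run(pw):
        reasons.append("contains a sequential run such as 1234 or abcd")
    for item in personal:
        if len(item) >= 3 and item.lower() in normalised:
            reasons.append(f"contains personal information '{item}'")
    return reasons


def generate_password(length: int = 16) -> str:
    """Machine-generated alternative: draw from a CSPRNG and retry until the
    pattern checks pass, so the result cannot contain the user's own data."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weakness_reasons(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords; "Smith" stands in for a user's surname.
    for pw in ("P@ssw0rd!", "Smith1985!", "correct horse battery staple"):
        print(f"{pw!r}: meter={naive_meter(pw)} "
              f"reasons={weakness_reasons(pw, ('Smith',))}")
    print("generated:", generate_password())
```

Run stand-alone, the meter gives "P@ssw0rd!" and "Smith1985!" a full 5 out of 5 while the pattern checks reject both, and gives the long lowercase passphrase a 2 while the checks pass it, which is the mismatch the report describes.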

The report also suggested better locking down admin accounts and remote users, protectively monitoring for abnormal behaviour and never storing passwords as plain text. 

"Every single user in the UK public sector has at least one (and most likely considerably more) work-related password," Martin said. "By simplifying your organisation's approach, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage."

Industry response

The advice was welcomed by some experts. Nigel Hawthorn, European spokesperson at cloud security company Skyhigh Networks, said the tips were "refreshingly to the point". 

Hawthorn added that the ban on strength meters "seems smart" - even though it contradicts his own company's research.

"We analysed 12,000 cloud services and found that a whopping 80 percent would allow 'weak' passwords according to the traditional strength meter, but the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess."

Ross Brewer, vice president and managing director of international markets at LogRhythm, also welcomed some of the advice. "The ability to monitor user behaviour, particularly that of privileged users, is more important than ever," he said. "With the right systems in place, organisations are able to detect changes in patterns of behaviour in real-time and immediately identify when credentials are compromised."

However, he disputed GCHQ's advice that companies should stop forcing employees to come up with new passwords every few months.

"While changing passwords every 60 or 90 days is a hassle for everyone involved, it does generally ensure that the credentials remain unique," he said.

"Compromised credentials are one of the top reasons for breaches and, while it isn't foolproof, regularly changing them may well stop a hacker in their tracks. What's more, it often takes businesses months to detect a breach, so GCHQ's recommendation that passwords be changed only if there are indicators of a compromise could leave the door open to hackers for a very long time."
