GCHQ urges organisations to ditch pointless password policies
Frequent changes and strength meters won't improve password security, say GCHQ cyber-security experts.
Keeping track of complex passwords is a security risk in itself
GCHQ has told firms and individuals that many of the policies enforced around passwords by organisations seeking to bolster their cyber-security aren't that helpful.
It advised against changing passwords on a regular basis and admitted that its previous advice on measuring the strength of passwords won't make much difference to how well data and infrastructure are protected.
“Password guidance – including previous CESG guidance – has encouraged system owners to adopt the approach that complex passwords are ‘stronger'. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure',” said Ciaran Martin, director general for Cyber Security at GCHQ.
“Worse still, the rules – even if followed – don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”
He added that by simplifying an organisation's approach, security professionals can “reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage”.
The guide, while ruling out regular password resets, did advise that default passwords on devices such as routers should be changed as a matter of course. Also passwords should definitely be changed in the event of a suspected security breach.
Security professionals were advised that making users change passwords regularly would lead to users thinking up less and less strong passwords in a bid to remember them.
“This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately... However, users must change their passwords on indication or suspicion of compromise,” said the guide.
The spy organisation said that users should also be allowed to record and store passwords in a secure fashion.
Password strength meters should be assigned to the dustbin of history in favour of using a blacklist of predictable passwords. It also said the user-generated passwords are often less secure than machine generated ones.
"Systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack," the guide warned.
"Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Most dictionaries for brute-force attacks will prioritise frequently used words and character substitutions. This means that systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack," said GCHQ.
But organisations must also defend against brute-force attacks against accounts, by using methods such as throttling and automatic account lock-outs.
"Account lockout is simpler to implement than throttling, but can have a detrimental impact on the user experience. Account lockout also provides an attacker with an easy way to launch a denial-of-service attack, particularly for large-scale online systems," it said.
"If using lockout, we recommend you allow around 10 login attempts before the account is frozen. This gives a good balance between security and usability."
Paco Hope, principal consultant at Cigital, told SC Magazine that even though GCHQ's guidance is right, it will be years before the systems we use today make any changes.
“In the meantime, the best password guidance can be distilled to an easy three-word phrase: ‘longer is stronger'. Something like ‘CuddleMy2CatsAtHome' is a fabulous password,” he said.