Does GCHQ's line on passwords still stand?

Routine monitoring was apparently the reason for Amazon forcing a password reset on an undisclosed number of customers this week.

The online giant has denied the login list it uncovered, containing credentials matching Amazon customers, was connected to an Amazon breach. Instead, it suggested that password reuse is the likely explanation.

Customers have been contacted informing them of the forced reset, and requesting they change their passwords as soon as possible. Industry speculation is that the credentials could have come from an unrelated breach.

Which raises an interesting question: with historic breaches becoming a trend of late, does the GCHQ advice not to ‘force regular password expiry’ still make sense? If, that is, it ever did in the first place.

With Last.FM and Dropbox breaches from 2012 only just coming to light now as credential lists are published online, on top of a MySpace breach from 2008, the argument for regular password changes might appear to be a sound one. The GCHQ argument was that attackers mostly use breached data sooner rather than later, so the benefit of regular changes is somewhat moot. SCMagazineUK.com has been asking the industry what it thinks.

“In a perfect world”, says AppRiver manager of security research, Troy Gill, “it would be a great idea to require passwords to be changed every few months. However, as humans, our 'wetware' has inherent limitations that often prevent most of us from doing what we know is more secure in favour of what is easy. A constant churn of required password updating certainly causes pain to the user and the common response is a slight variation of the prior password, weak passwords (because they are easy) and the tendency to reuse passwords across multiple sites.”

Richard Parris, CEO at Intercede, reckons “GCHQ was right when it said that unnecessarily complex passwords give businesses a false sense of security” and by their nature passwords are a weak form of security anyway. “Surely CIOs realise by now that using password authentication in 2016 is akin to giving a stranger the key to your house?” Parris argues.

Jason Steer, solutions architect EMEA for Menlo Security, agrees that “we have to help employees protect their accounts and their login details by moving beyond passwords as a user identifier.”

Ken Munro of Pen Test Partners responded to our questioning by insisting that the GCHQ advice is still valid, so long as the password is strong and not re-used. “In fact”, Munro says, “you only need change it if you suspect it has been compromised. Replacing one weak password with another offers no real assurance.”

Not everyone is a fan of the GCHQ line though. Take Ian Trump, now the global security lead at SolarWinds MSP, who told SC that “GCHQ's advice on passwords was curious at the time and remains so. The big problem being that it is not nearly forward thinking enough.” Trump insists that GCHQ shouldn't be advising businesses to drop these practices, but should instead present them as a bare minimum.

“The GDPR's mandatory breach reporting requirements come into force soon”, Trump reminds us, “meaning that data breaches which remain undetected for years can result in significant monetary penalties as well as leaving their customers vulnerable.”

Leon Pinkney, SOC services director at Redscan, also disagrees with GCHQ, and has done since the original announcement was made. “By forcing changes on a regular basis, the possible attack window is heavily reduced”, he argues, adding, “imagine if organisations had been following GCHQ advice for the last 10-15 years and never required passwords to be changed or a level of complexity to be enforced. How many passwords would still be valid, and based around predictable entries?”

Javvad Malik, security advocate at AlienVault, meanwhile has been a supporter of the GCHQ stance since the get-go. “Forcing users to unnecessarily change passwords can often introduce more risk”, Malik insists, “with breaches coming to light, it is showing that breached passwords are like chickens, they always come home to roost.” Malik argues we must cover off not reusing passwords and changing them immediately if breached. “We are shifting to a more intelligent risk-based model where rather than asking users to change passwords just for the sake of it”, he concludes, “we are only doing so where there is a higher level of risk. And that's a good thing for everyone.”

We will leave the last word with Luke Potter, security practice director at SureCloud, who points out that the guidance GCHQ provided and the Amazon password reset should be seen as two different things. The GCHQ guidance is wider best practice according to Potter, but isn't necessarily the right fit for every situation and scenario, so each organisation needs to take a risk-based approach accordingly.

“The Amazon password reset is through their own monitoring to identify a breach of usernames and passwords from other websites which match combinations used on Amazon services”, Potter told SC, concluding, “this is Amazon being very proactive in enforcing password resets and preventing further compromise of their Amazon accounts.” Whatever your opinion regarding password changes, this undoubtedly represents great practice and is something that all organisations should be following.
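The kind of check Potter describes, a service comparing a published third-party credential list against its own customer base and forcing a reset only where the leaked password actually matches, can be illustrated with the following added example. It is not Amazon's code and not from the article; the user store, the PBKDF2 hashing scheme and the leaked list are all constructed here for illustration.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt (assumed scheme, not Amazon's).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store(accounts):
    """Build {email: (salt, hash)} from (email, password) pairs at signup time."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, _hash_password(password, salt))
    return store


def find_reused_credentials(user_store, leaked_pairs):
    """Return the set of emails whose leaked third-party password also opens
    their account here. A matching email alone is not enough: the leaked
    password must verify against the stored hash before a reset is forced,
    which is the 'change it when compromised' position rather than blanket expiry."""
    compromised = set()
    for email, leaked_password in leaked_pairs:
        entry = user_store.get(email.lower())
        if entry is None:
            continue  # not a customer of this service
        salt, stored_hash = entry
        if hmac.compare_digest(_hash_password(leaked_password, salt), stored_hash):
            compromised.add(email.lower())
    return compromised


# Constructed sample data: a few local accounts and a mock leaked dump.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "Summer2016!"),
    ("carol@example.com", "tr0ub4dor&3"),
]
LEAKED_DUMP = [
    ("Alice@Example.com", "correct horse battery staple"),  # reused here: force reset
    ("bob@example.com", "hunter2"),                         # different password: no action
    ("dave@example.com", "password1"),                      # not a customer: ignore
]
USER_STORE = make_user_store(SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    for email in sorted(find_reused_credentials(USER_STORE, LEAKED_DUMP)):
        print(f"force password reset for {email}")
```

Only accounts whose leaked password verifies are reset, so a user who merely shares an email address with a breached site is left alone.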