GCHQ urges organisations to ditch pointless password policies

News by Rene Millman

Frequent changes and strength meters won't improve password security, say GCHQ cyber-security experts.

GCHQ has told firms and individuals that many of the policies enforced around passwords by organisations seeking to bolster their cyber-security aren't that helpful.

It advised against changing passwords on a regular basis and admitted that its previous advice on measuring the strength of passwords won't make much difference to how well data and infrastructure are protected.

“Password guidance – including previous CESG guidance – has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’,” said Ciaran Martin, director general for Cyber Security at GCHQ.

“Worse still, the rules – even if followed – don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”

He added that by simplifying an organisation's approach, security professionals can “reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage”.

GCHQ password advice

The guide, while ruling out regular password resets, did advise that default passwords on devices such as routers should be changed as a matter of course. Passwords should also be changed in the event of a suspected security breach.

Security professionals were advised that making users change passwords regularly would lead them to think up weaker and weaker passwords in a bid to remember them.

“This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately... However, users must change their passwords on indication or suspicion of compromise,” said the guide.

The spy organisation said that users should also be allowed to record and store passwords in a secure fashion.

Password strength meters should be consigned to the dustbin of history in favour of using a blacklist of predictable passwords. It also said that user-generated passwords are often less secure than machine-generated ones.

"Systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack," the guide warned.

"Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Most dictionaries for brute-force attacks will prioritise frequently used words and character substitutions. This means that systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack," said GCHQ.

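The contrast between a composition-based strength meter and a blacklist check can be shown in a few lines. This is an added example, not code from the GCHQ guide; the blacklist entries, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample blacklist; a real deployment would load a large list
# of commonly used and previously breached passwords.
BLACKLIST = {"password", "letmein", "qwerty", "liverpool", "dragon"}

# Common character substitutions that guessing dictionaries already cover.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def naive_meter(password: str) -> int:
    """Classic composition score: one point per character class, one for length >= 8."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) + (len(password) >= 8)

def candidate_roots(password: str) -> set[str]:
    """Reduce a password to the base words an automated guesser would try."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits/symbols
    forms = {lowered, stripped}
    forms |= {f.translate(SUBSTITUTIONS) for f in forms}  # undo substitutions
    return forms

def is_blacklisted(password: str) -> bool:
    """True if any reduced form of the password is on the blacklist."""
    return bool(candidate_roots(password) & BLACKLIST)

if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "L1verp00l!", "Dragon2015", "CuddleMy2CatsAtHome"]:
        print(f"{pw:22} meter={naive_meter(pw)} blacklisted={is_blacklisted(pw)}")
```

The meter gives "P@ssw0rd1!" the top score of 5 while the blacklist rejects it, and the long passphrase scores lower on the meter yet passes the blacklist.
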
But organisations must also defend accounts against brute-force attacks, using methods such as throttling and automatic account lock-outs.

"Account lockout is simpler to implement than throttling, but can have a detrimental impact on the user experience. Account lockout also provides an attacker with an easy way to launch a denial-of-service attack, particularly for large-scale online systems," it said.

"If using lockout, we recommend you allow around 10 login attempts before the account is frozen. This gives a good balance between security and usability."

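The trade-off the guide describes between lockout and throttling can be simulated directly. This is an added example, not code from the guide: the threshold of 10 comes from the quoted advice, while the delay values, class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10  # "around 10 login attempts", as the guide recommends
BASE_DELAY = 1.0        # assumed value: seconds of delay after the first failure
MAX_DELAY = 300.0       # assumed value: cap on the enforced wait

@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0
    locked: bool = False

class LoginGuard:
    """Per-account failure tracking; mode is "lockout" or "throttle"."""

    def __init__(self, mode: str):
        self.mode = mode
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"  # refused before the password is even checked
        if password_ok:
            st.failures, st.next_allowed = 0, 0.0
            return "ok"
        st.failures += 1
        if self.mode == "lockout":
            st.locked = st.failures >= LOCKOUT_THRESHOLD
            return "locked" if st.locked else "failed"
        # Throttle: the enforced wait doubles with each consecutive failure.
        st.next_allowed = now + min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        return "failed"

def owner_after_attack(mode: str, guesses: int, wait: float) -> str:
    """Wrong guesses arrive as fast as allowed; the owner logs in `wait` s later."""
    guard, now = LoginGuard(mode), 0.0
    for _ in range(guesses):
        now = max(now, guard.accounts.get("alice", AccountState()).next_allowed)
        guard.attempt("alice", False, now)
    return guard.attempt("alice", True, now + wait)
```

With lockout, ten wrong guesses from anyone freeze the account for its real owner, which is the denial-of-service risk the guide mentions; with throttling, the owner is delayed by at most the cap and then logs in normally.
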
Paco Hope, principal consultant at Cigital, told SC Magazine that even though GCHQ's guidance is right, it will be years before the systems we use today make any changes.

“In the meantime, the best password guidance can be distilled to an easy three-word phrase: ‘longer is stronger’. Something like ‘CuddleMy2CatsAtHome’ is a fabulous password,” he said.

He added that users are also threatened by bad security design decisions.

“For example Adobe, a few years ago, stored long, strong passwords in easily decrypted formats that were extracted by hackers. Password strength doesn't help when an online service lets down its users like that. Users must protect themselves by using diverse passwords and online software makers must protect users by following best practices in password storage and software security designs.”

Nigel Hawthorn, of cloud security company Skyhigh Networks, said that the security industry is awash with password advice, but much of it is contradictory or simply not suited to modern working.

“Passwords still puzzle many. GCHQ's latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today,” he said.

He added that GCHQ advocating a ban on strength meters may surprise some, but also seems smart. “We analysed 12,000 cloud services and found that a whopping 80 percent would allow ‘weak’ passwords according to the traditional strength meter, but the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess,” said Hawthorn.

Ross Brewer, vice president and managing director of international markets at LogRhythm, told SCMagazineUK.com that while everyone is told not to have the same log-in details for multiple accounts, to change them regularly and never to share them with anyone, these rules frequently get flouted. 

“As GCHQ's guidance says, the number of sites and systems that require passwords today is huge and remembering that many log-in details can prove a challenge.  However, passwords do offer a certain level of security and, until a viable solution is found, we need to encourage organisations to employ policies that make them as robust as possible,” he said.

Matt Middleton-Leal, regional director, UK & I at CyberArk, told SC that in almost all high profile data breaches, the exploitation of privileged accounts and credentials is the common denominator. 

“The most important advice for organisations when it comes to protecting their most powerful passwords that effectively provide the ‘keys to the kingdom’ is having in place a system capable of managing, monitoring and controlling access in real-time,” he said.

He added that this includes a centralised system for storing and auto-rotating credentials. “Using behavioural analytics to assist with earlier detection within the attack cycle and effective containment of serious threats must also be a priority,” said Middleton-Leal.

Jonathan Sander, vice president of product strategy at Lieberman Software, said there was a mix of good and bad advice in this new GCHQ guidance.

“The idea that sheer length trumps fake complexity tricks like mixing in capitals and symbols has merit. The math bears it out. Advice to never share passwords is also good.”

Circumstances that require sharing access should use something other than passwords, he added. “But the notion that passwords should only be reset in the case of a breach is wrong to the point of dangerous. Most breaches aren't detected for months. Many are likely never detected at all. All the passwords that remain unchanged in that time are possible vulnerabilities waiting to be exploited.”

Candid Wueest, threat analyst at Symantec, told SC that two of the most common and basic mistakes consumers make when it comes to protecting their online assets are not using strong passwords on all their devices and not applying patches or software updates, leaving people exposed to exploits that cyber-criminals actively leverage.

“Passwords to avoid include children and pet names as well as favourite football teams and dates of birth – all commonly used. A hacker can find such details easily on social media such as Facebook and Twitter,” she said.

