British spies want shorter and less secure passwords

If you thought the purpose of passwords was to be as strong as possible to give your information and accounts the best chance of being secure, Britain’s spies at GCHQ have news for you.

In a new document, Password Guidance – simplifying your approach (PDF), the organisation’s cyber director says that its advice has moved on from previous guidance, which pushed for ever stronger passwords as a greater deterrent to hacking.

Now, the spy agency is suggesting IT managers put in place systems that make passwords easier to remember. Yes, you did read that right.

The report claims that the average UK user has 22 different password-protected online accounts – clearly more passwords than most people can remember – and reuses the same supposedly safe password across around four of them.

It says the need to remember multiple passwords for different sites leads to unsafe behaviour, such as writing them down, reusing them, or falling back on simple or predictable password-creation strategies.

But it also stresses that, crucially, even following best-practice guidelines (ie not doing any of the above) cannot guarantee that online services stay secure. Key loggers, phishing and interception are all cited as credible risks, with information on how to carry them out, and the tools to do so, easily discoverable on the internet.

In a foreword to the report, Ciaran Martin, Director General for Cyber Security at GCHQ (cool job title!) said: “Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”

It suggests that simplifying an organisation’s approach to passwords can reduce the workload on users, lessen the IT burden, and – crucially – “combat the false sense of security that unnecessarily complex passwords can encourage.”

It lists seven key steps that organisations (and individuals) can take to optimise system security, which are:

  1. Change all default passwords (well, durr)
  2. Only implement passwords when needed to minimise user overload
  3. Understand the limitations of user-generated passwords (tl;dr they encourage insecure behaviour)
  4. Understand that machine-generated passwords have their own problems (tl;dr they’re difficult to remember)
  5. Prioritise admin, mobile and remote user accounts as these are more important/vulnerable
  6. Use account lockout and protective monitoring
  7. And, of course, don’t store passwords as plain text
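Steps 6 and 7 are the two on that list that come down to a few lines of code, so here is an added example of both together. It is not code from the GCHQ document; it is a small in-memory login check that stores only a random salt and a slow PBKDF2-HMAC-SHA256 hash (never the plaintext), locks an account after repeated failures, and writes every outcome to an audit list standing in for protective monitoring. The iteration count, lockout threshold and lockout duration are assumptions chosen for illustration, and the username, password and dictionary store are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the GCHQ/CESG guidance. The three values below
# are assumptions: tune the iteration count so one hash takes roughly 100 ms
# on your own hardware, and set lockout policy to suit your users.
PBKDF2_ITERATIONS = 600_000
LOCKOUT_THRESHOLD = 5       # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long it stays locked

AUDIT_LOG = []  # stands in for protective monitoring (a SIEM feed in practice)


def _audit(event, username, **extra):
    """Record one authentication event so failures and lockouts are visible."""
    entry = {"event": event, "user": username, **extra}
    AUDIT_LOG.append(entry)
    return entry


def create_record(password):
    """Build the stored credential: random salt plus slow hash (step 7).

    The plaintext password does not appear anywhere in the returned record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "hash": digest,
        "iterations": PBKDF2_ITERATIONS,
        "failures": 0,        # consecutive failed attempts (step 6)
        "locked_until": 0.0,  # epoch seconds; 0 means not locked
    }


def check_login(users, username, password, now=None):
    """Return 'ok', 'bad_credentials' or 'locked'.

    Unknown users get the same answer as a wrong password so the response does
    not reveal which usernames exist, and a dummy hash is computed so the
    timing is similar. A locked account is refused before any hashing."""
    now = time.time() if now is None else now
    record = users.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * 16, PBKDF2_ITERATIONS)
        _audit("login_failed", username, reason="unknown_user")
        return "bad_credentials"

    if record["locked_until"] > now:
        _audit("login_rejected", username, reason="locked")
        return "locked"

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        _audit("login_ok", username)
        return "ok"

    record["failures"] += 1
    if record["failures"] >= LOCKOUT_THRESHOLD:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
        _audit("account_locked", username, until=record["locked_until"])
    else:
        _audit("login_failed", username, reason="bad_password",
               failures=record["failures"])
    return "bad_credentials"


if __name__ == "__main__":
    # Constructed sample data: one user, one correct password, five wrong ones.
    users = {"alice": create_record("correct horse battery staple")}
    print(check_login(users, "alice", "correct horse battery staple"))  # ok
    for _ in range(LOCKOUT_THRESHOLD):
        print(check_login(users, "alice", "wrong"))  # bad_credentials, then locks
    print(check_login(users, "alice", "correct horse battery staple"))  # locked
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points worth noting: the lockout check runs before the hash so that an attacker hammering a locked account costs the server nothing, and the failure counter resets on success, so a legitimate user who mistypes twice and then gets it right does not creep towards lockout over weeks. A time-limited lockout rather than a permanent one limits the denial-of-service an attacker can cause by deliberately locking other people out.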

While this seems to be good, impartial advice, it’s worth remembering that it comes from the people who broke antivirus software so they could spy on people, so feel free to take it with a pinch of salt if you are of a cynical disposition.
