If you thought the purpose of passwords was to be as strong as possible to give your information and accounts the best chance of being secure, Britain’s spies at GCHQ have news for you.
In a new document, Password Guidance – simplifying your approach (PDF), the organisation’s cyber director said that advice has moved on from previous guidance to make passwords stronger as a greater deterrent to hacking.
Now, the spy agency is suggesting IT managers help install systems that make passwords easier to remember. Yes, you did read that right.
The report claims that the average UK user has 22 different online systems that are password protected – clearly more than most people can remember – with the same supposedly safe password used to access around four of these.
It says the need to remember multiple passwords for different sites leads to unsafe behaviour, such as writing them down, duplicating them, or using simple or predictable password-creation strategies.
But it also stresses that, crucially, the bottom line is that even following best practice guidelines (i.e. not doing any of the above) cannot guarantee keeping online services secure. Key loggers, phishing and interception are all cited as credible risks, with information about how to carry them out and the tools to do so easily discoverable on the internet.
In a foreword to the report, Ciaran Martin, Director General for Cyber Security at GCHQ (cool job title!) said: “Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”
It suggests that simplifying an organisation’s approach to passwords can reduce the workload on users, lessen the IT burden, and – crucially – “combat the false sense of security that unnecessarily complex passwords can encourage.”
It lists seven key steps that organisations (and individuals) can take to optimise system security, which are:
- Change all default passwords (well, durr)
- Only implement passwords when needed to minimise user overload
- Understand the limitations of user-generated passwords (tl;dr they encourage insecure behaviour)
- Except machine-generated ones have their own problems (tl;dr they’re difficult to remember)
- Prioritise admin, mobile and remote user accounts as these are more important/vulnerable
- Use account lockout and protective monitoring
- And, of course, don’t store passwords as plain text
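To make the last two steps concrete, here is a small added example (written for this article, not taken from GCHQ’s document) of a login service that stores only salted PBKDF2 hashes, never the plaintext, and applies account lockout with a simple protective-monitoring event log. The usernames, threshold and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5     # assumed policy: lock after 5 consecutive failures
HASH_ITERATIONS = 100_000 # kept low for the demo; production should use more


def hash_password(password, salt=None):
    """Return (salt, pbkdf2_hash). Only these are stored, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "failures", "locked"}
        self.events = []    # protective-monitoring log: (event, username)

    def add_user(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest,
                                   "failures": 0, "locked": False}

    def login(self, username, password):
        """Return "ok", "denied" or "locked", recording every outcome."""
        acct = self.accounts.get(username)
        if acct is None:
            self.events.append(("unknown_user", username))
            return "denied"
        if acct["locked"]:
            self.events.append(("attempt_on_locked", username))
            return "locked"
        _, candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):  # constant-time compare
            acct["failures"] = 0
            self.events.append(("success", username))
            return "ok"
        acct["failures"] += 1
        self.events.append(("failure", username))
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["locked"] = True
            self.events.append(("lockout", username))  # raise an alert here
            return "locked"
        return "denied"

    def alerts(self):
        """Protective monitoring: accounts that have hit the lockout threshold."""
        return sorted({u for e, u in self.events if e == "lockout"})
```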
While seeming to be good, impartial advice, it’s worth remembering that this does come from the people who broke antivirus software so they could spy on people, so feel free to take it with a pinch of salt if you are of a cynical disposition.