Stop resetting your passwords, says UK govt's spy network
No, seriously, it's a bad idea. Honestly
The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords.
"In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected recommendation, and why we think it’s the right way forward."
As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document [PDF] called "Simplifying Your Approach" that explains what you should do to get your information secure without driving your users crazy.
Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers.
Hang on, why is it a bad idea again?
"The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords," says CESG. "The majority of password policies force us to use passwords that we find hard to remember."
The problem is our rubbish brains, the organization reveals: "While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives."
The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources.
As a result, CESG "now recommend organisations do not force regular password expiry." Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account.
Although users are likely to love this new advice, sysadmins are likely to be a little more skeptical – especially as they are the ones who see what sorts of mind-numbingly easy passwords people choose, and the fact that huge numbers of people will use the same one or two passwords for everything from their work system login to Twitter to whatever online form they fill in to win some free gift (spoiler: you won't win but someone will be celebrating – the miscreant who gets to sell your personal data).
As for CESG, we cannot think of a single reason why the organization, which is part of the UK's spying organization GCHQ, would benefit from people not updating their passwords.
It is inconceivable that an organization trusted with making citizens safer would ever wish to be able to monitor those same citizens. And, we'd be hard pushed to think of a single time in which GCHQ has not been completely upfront and honest about its activities and its methods.
So if you trust the security services with your passwords – and who out there doesn't? – then you'd be crazy not to give this recommendation serious consideration. ®