Stop resetting your passwords, says UK govt's spy network

No, seriously, it's a bad idea. Honestly


The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords.

"In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected recommendation, and why we think it’s the right way forward."

As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document [PDF] called "Simplifying Your Approach" that explains what you should do to get your information secure without driving your users crazy.

Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers.

Hang on, why is it a bad idea again?

"The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords," says CESG. "The majority of password policies force us to use passwords that we find hard to remember."

The problem is our rubbish brains, the organization reveals: "While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives."

The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources.

Skeptics

As a result, CESG "now recommend organisations do not force regular password expiry." Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account.

Although users are likely to love this new advice, sysadmins are likely to be a little more skeptical – especially as they are the ones who see what sorts of mind-numbingly easy passwords people choose, and the fact that huge numbers of people will use the same one or two passwords for everything from their work system login to Twitter to whatever online form they fill in to win some free gift (spoiler: you won't win but someone will be celebrating – the miscreant who gets to sell your personal data).

As for CESG, we cannot think of a single reason why the organization, which is part of the UK's spying organization GCHQ, would benefit from people not updating their passwords.

It is inconceivable that an organization trusted with making citizens safer would ever wish to be able to monitor those same citizens. And, we'd be hard pushed to think of a single time in which GCHQ has not been completely upfront and honest about its activities and its methods.

So if you trust the security services with your passwords – and who out there doesn't? – then you'd be crazy not to give this recommendation serious consideration. ®

Similar topics


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading

Biting the hand that feeds IT © 1998–2022