GCHQ wants YOU to change your organisation's password practices

Spooks issue guidance to corporate Britain over password security because you're probably doing it all wrong

GCHQ's Communications-Electronics Security Group has condescended to issue advice to individuals and organisations over password security.

The aim is to provide a framework that organisations can use to build their own password security policies. "It advocates a dramatic simplification of the current approach at a system level, rather than asking users to recall unnecessarily complicated passwords," claims Ciaran Martin, director-general for cyber security at GCHQ, in the introduction.

The guidance - and robust corporate policies - are required because users are suffering from password overload and bypassing good security practice in consequence. "This includes writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies. A study within a Scottish NHS trust found that 63 per cent of its users admitted to re-using passwords," according to the report.

However, the password remains a weak link in most organisations' security.

First, it advises, check and make sure that all default passwords are changed. Instead, it suggests that organisations should adopt password management software to discourage staff from re-using password and/or writing them down.

Intriguingly, it also advises against imposing regular changes of passwords on users, arguing that this harms, rather than enhances, security. "Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days.

"This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately... However, users must change their passwords on indication or suspicion of compromise," it says.

Organisations, meanwhile, should monitor logins to detect unusual usage (such as, perhaps, log-in attempts out-of-hours) and notifying users of attempted logins, whether successful or otherwise, advising them to report any for which they were not responsible.

GCHQ also advises against an over-reliance on password strength meters which, while steering users away from obviously weak passwords (like "password" and "123456") often fail to take into account other flaws, such as the use of family names and birth dates.

It also claims that user-generated passwords are typically less secure than machine-generated password schemes, although they do require more effort to implement. "Systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack," it warns.

Alternatively, it suggests, organisations should implement defences to guard against brute-force attacks against accounts, including throttling and automatic account lock-outs. Weak and commonly used passwords should be blacklisted as a matter of course.

Finally, it suggests, the most high-value accounts ought to be prioritised in the organisation's security stance. It advises: