Complex passwords don’t “frustrate hackers”; all they do is make life “harder for users,” Ciaran Martin, the Director General for Cyber Security at the United Kingdom’s spy agency GCHQ, says in a new guidance document published online (PDF).
The advice contradicts previous GCHQ guidance that says that system owners should “adopt the approach that complex passwords are ‘stronger.’”
GCHQ, or the Government Communications Headquarters, is the British equivalent of the National Security Agency (NSA).
Amusingly, both agencies have been exposed recently as conducting widespread surveillance on their respective citizens. The more cynical might think there was a secondary motive for this advice.
The advice, however, makes for interesting reading:
An abundance of sites and services means that users have to follow “an impossible set of password rules” to stay secure. Those rules, “even if followed, don’t make systems ‘more secure,’” Martin writes.
False sense of security
Complicated passwords create a “false sense of security,” Martin says.
“By simplifying your organization’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage,” it says in the advice geared towards public sector departments.
The document, entitled “Password Guidance: Simplifying your Approach” is aimed at those in government responsible for deciding password policy.
Changing all default passwords before deployment is among the suggestions made in the document.
It cites the Carna botnet as a good example of why system administrators should do this. That 420,000-device botnet, built in 2012, infiltrated routers and other devices that used default passwords.
It found “several hundred thousand unprotected devices” that the botnet was able to compromise, the GCHQ document explains.
“Only implement passwords when they are really needed,” the document goes on to say.
“Systems and services with no security requirements should be free from password control.”
Government agencies should also provide “appropriate facilities to store recorded passwords.” That could include physical solutions, such as secured cabinets, or technical ones like password management software.
“The typical user has dozens of passwords to remember, not just yours,” it says.
Stop changing passwords
Forced password changes are likely to produce “only minor variations of the old” password and carry “no real benefit,” because stolen passwords are “generally exploited immediately,” GCHQ goes on to say.
Using the most common passwords, reusing the same password across services, and “predictable password generation strategies, such as replacing the letter ‘o’ with a zero,” are all weak. Attackers know these tricks and use them to optimize their attacks, so systems with weak, user-generated passwords can fall to automated guessing attacks.
There’s only a marginal benefit to password rules, such as length, because individuals use “predictable strategies” to create passwords anyway, so they’re not worth the user burden.
“The use of technical controls to defend against automated guessing attacks is far more effective than relying on users to generate, and remember, complex passwords,” it says.
By ‘technical controls’ it means, for example, account lockouts, throttling, and blacklisting certain common passwords.
‘Throttling’ means enforcing a time delay between successive login attempts, which slows automated guessing without immediately locking the legitimate user out.
Machine generated passwords are better, although those that are hard for people to remember should be avoided, the advice says.
Prioritizing administrator and remote user accounts with “robust measures” and not storing passwords in plain text round out the advice.
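To make the three technical controls listed above (throttling, lockout, and a common-password blacklist) and the hashed-storage advice concrete, here is an added example that is not part of the GCHQ document or the original article. It is a self-contained Python sketch of a login path that applies per-account throttling with a growing delay, locks the account after repeated failures, rejects blacklisted passwords (including the “o to zero” style substitutions the guidance calls predictable), and stores only a salted PBKDF2 hash. The blacklist contents, the delay and lockout thresholds, and the user names are constructed for illustration; the iteration count is an assumption and should be tuned for your hardware.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Constructed, illustrative blacklist; a real deployment would load a large
# published list of leaked/common passwords instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Undo the "predictable substitutions" (o->0, a->@, e->3, ...) before checking,
# so "P@ssw0rd" is caught by the "password" entry.
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})

# Assumed work factor for this example; tune to your hardware and latency budget.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


def is_blacklisted(password: str) -> bool:
    """True if the password, or its de-substituted form, is on the blacklist."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.translate(_SUBSTITUTIONS) in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest, which is all that is stored."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class LoginGate:
    """Per-account throttling plus lockout.

    Each consecutive failure doubles the wait before the next attempt is accepted
    (base_delay, 2x, 4x, ... capped at max_delay). After lockout_after consecutive
    failures the account stays locked until unlock() is called (e.g. by a help desk).
    The caller passes the clock value so the behaviour is deterministic and testable.
    """

    def __init__(self, lockout_after: int = 10, base_delay: float = 1.0, max_delay: float = 60.0):
        self.lockout_after = lockout_after
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures: dict[str, int] = {}
        self._not_before: dict[str, float] = {}
        self._locked: set[str] = set()

    def status(self, user: str, now: float) -> tuple[str, float]:
        """('locked', 0), ('throttled', seconds_to_wait) or ('open', 0)."""
        if user in self._locked:
            return "locked", 0.0
        wait = self._not_before.get(user, 0.0) - now
        return ("throttled", wait) if wait > 0 else ("open", 0.0)

    def record_failure(self, user: str, now: float) -> None:
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.lockout_after:
            self._locked.add(user)
            return
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self._not_before[user] = now + delay

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._not_before.pop(user, None)

    def unlock(self, user: str) -> None:
        self._locked.discard(user)
        self.record_success(user)


def attempt_login(store: dict[str, bytes], gate: LoginGate, user: str, password: str, now: float) -> str:
    """Consult the gate before touching the hash so guessing is rate-limited per account.

    Unknown users follow the same failure path so the gate state does not reveal
    which account names exist.
    """
    state, _ = gate.status(user, now)
    if state != "open":
        return state
    if user in store and verify_password(password, store[user]):
        gate.record_success(user)
        return "ok"
    gate.record_failure(user, now)
    return "bad_password"


def demo() -> list[str]:
    """Constructed walk-through: one wrong guess, a too-quick retry, then the right password."""
    store = {"alice": hash_password("correct horse battery staple")}
    gate = LoginGate(lockout_after=5)
    results = [attempt_login(store, gate, "alice", "password", now=0.0)]       # bad_password
    results.append(attempt_login(store, gate, "alice", "password", now=0.5))  # throttled (1s wait)
    results.append(attempt_login(store, gate, "alice", "correct horse battery staple", now=2.0))  # ok
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the blacklist check runs at password-set time (reject before storing), while the gate runs on every login so that the cost of guessing falls on the attacker rather than on the user’s memory; and the lockout is per account, so a very low threshold would let an attacker deny service to a victim simply by guessing badly on purpose, which is why the example starts with throttling and only locks after a larger number of failures.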
A surge in online services has been the driver of the growth in password use.
Passwords are being discovered through social engineering, manual guessing, interception, theft, shoulder-surfing, key-logging, brute force and searching, the document says.
Administrators need to help users “generate appropriate passwords”; and help them cope with “password overload,” the GCHQ document warns.
This article is published as part of the IDG Contributor Network.