UK spy agency wants you to ditch pointless password policies
(Last updated on June 26, 2019)
The UK intelligence agency, the Government Communications Headquarters (GCHQ), released new password guidance in a report titled “Password guidance: simplifying your approach.” The guidance acknowledges the “password overload” problem people face when remembering multiple passwords and the difficulty of creating passwords that are both strong and memorable. The goal is to simplify the approach to password security so that ordinary users can do a better job of creating passwords and administrators can provide better protection for high-risk accounts.
Here’s some of the practical advice on password policies from the report:
- Use passwords only when necessary. The average UK user has 22 passwords to remember, and remembering all of them is hard. Implementing passwords only where they are actually needed is an effective way to reduce the password burden.
- Regular password changing harms rather than improves security. Requiring users to change passwords often could drive them to create easily memorable but weak passwords that fall to guessing attacks. Instead, only ask them to do so when there are indicators of compromise or on a schedule that is not too frequent.
- Use passphrases instead of complex passwords. Complex passwords frustrate humans, not computers. Requiring complex passwords forces users to opt for workarounds which are susceptible to brute-force attacks. Better ways to defend against attacks include blacklisting common password choices and creating passwords made up of three or four random words called “passphrases.”
- Change default passwords. This may sound like common sense but we still hear about incidents where systems were accessed using factory-set default passwords. Make sure to change all default passwords and check system devices and software regularly to look for unchanged default passwords.
- Don’t store passwords as plaintext. A username and password database that is unprotected and readily accessible is a huge security risk. To secure access, the report suggests that you “store passwords in a hashed format, produced using a cryptographic function capable of multiple iterations.”
- Enable two-factor authentication for administrators and remote workers. Username and password are not always sufficient to protect an account. Requiring an additional factor such as a token or mobile SMS can provide an extra layer of protection.
Specops Password Policy simplifies your password approach while increasing security. It allows you to create multiple password policies and apply them according to user roles. This relieves users with little or no access to sensitive information from the burden of creating complex passwords that they cannot remember. To make it easy for users to create passwords without sacrificing security, you can enable passphrases so users can create passwords that are both secure and easily memorable.
To improve security, administrators can blacklist user names, consecutive characters, incremental passwords and dictionary words. Another security feature you can enable is multi-factor authentication for password resets. When the username and password are compromised or forgotten, one or more additional identity services are required to reset the password, so the account remains guarded. This extra layer of protection is effective in fending off attackers, making it more costly and time-consuming to penetrate these accounts.