Finally some good news on the password guidance front from the other side of the pond… In their most recent publication, UK intelligence agency GCHQ recommends ditching traditional password guidelines to focus instead on making life easier for users. Many in the security industry have suggested the same for years, but perhaps GCHQ’s backing could be the tipping point towards wider adoption. Here are a few of their more refreshing suggestions.
- Put technical defenses in place so that simpler passwords can be used. (think better monitoring of login attempts, implementing lockouts with up to 10 tries, and throttling login tries based on the number of failures)
- Steer users away from choosing predictable passwords, and prohibit the most common ones. (think blacklisting the most common passwords we see on all the top cracked password lists)
- Be aware of the limitations of password strength meters. (basically all those password complexity policies are useless in the big scheme of things)
- Allow users to securely record and store their password. (think Bruce Schneier circa 2005 suggesting that you write passwords down and store them in your wallet)
- Only ask users to change their passwords on indication or suspicion of compromise. (finally something to get away from changing passwords every 30 or 60 days)
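To make the first two suggestions concrete, here is an added example (not from the post or from GCHQ’s report) of the server-side defenses that let simpler passwords be acceptable: a lockout after 10 failed tries, a throttle delay that grows with the failure count, and a denylist check for the most common passwords. The one-second base delay, the doubling schedule and the sample denylist entries are assumptions; a real deployment would load a denylist built from cracked-password lists.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILURES = 10          # lockout threshold suggested in the guidance above
BASE_DELAY_SECONDS = 1.0   # assumed starting throttle delay (not from the post)

# Constructed sample denylist of commonly cracked passwords (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "football"}


def password_allowed(candidate: str, denylist=COMMON_PASSWORDS) -> bool:
    """Reject the most common passwords (case-insensitively) instead of
    relying on complexity rules the post calls of limited value."""
    return candidate.strip().lower() not in denylist


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # epoch seconds before which attempts are refused
    locked: bool = False


@dataclass
class LoginThrottle:
    clock: Callable[[], float] = time.time
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, username: str, password_ok: bool) -> str:
        """Return 'ok', 'denied', 'throttled' or 'locked'.

        The delay doubles with each consecutive failure, and the account
        locks once MAX_FAILURES consecutive failures are recorded.
        """
        st = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"   # refused before the credential check runs
        if password_ok:
            self.accounts[username] = AccountState()   # success clears counters
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked = True
            return "locked"
        st.next_allowed = now + BASE_DELAY_SECONDS * 2 ** (st.failures - 1)
        return "denied"
```

Every refused attempt is a candidate event for the "better monitoring of login attempts" the guidance also asks for, so a real service would log the username, outcome and source alongside each call.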
For additional suggestions, click the picture above to look at their infographic. You can also find GCHQ’s full report here (pdf).
Today’s post pic is from GCHQ. See ya!