Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ

Finally some good news on the password guidance front from the other side of the pond… In its most recent publication, UK intelligence agency GCHQ recommends ditching traditional password guidelines and focusing instead on making life easier for users. Many in the security industry have suggested the same for years, but perhaps GCHQ’s backing could be the tipping point towards wider adoption. Here are a few of their more refreshing suggestions.

  • Put technical defenses in place so that simpler passwords can be used. (think better monitoring of login attempts, implementing lockouts with up to 10 tries, and throttling login tries based on the number of failures)
  • Steer users away from choosing predictable passwords, and prohibit the most common ones. (think blacklisting the most common passwords we see on all the top cracked password lists)
  • Be aware of the limitations of password strength meters. (basically all those password complexity policies are useless in the big scheme of things)
  • Allow users to securely record and store their password. (think Bruce Schneier circa 2005 suggesting to write passwords down and store them in your wallet)
  • Only ask users to change their passwords on indication or suspicion of compromise. (finally something to get away from changing passwords every 30 or 60 days)
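As an added illustration of the first two points above (example code, not from GCHQ’s report or this blog), here is a small Python login guard that throttles attempts with a delay that doubles per failure, locks an account at the tenth consecutive failure, and rejects only blacklisted passwords rather than enforcing complexity rules; the common-password list, the `verify` callback and the 10-attempt limit are assumptions for the example.

```python
import time

# Constructed sample of commonly cracked passwords; a real deployment would load a
# much larger list built from public cracked-password corpora.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football"}

MAX_FAILURES = 10   # assumed limit: lock the account at the tenth failed attempt
BASE_DELAY = 1.0    # seconds of throttling after the first failure

def password_allowed(candidate: str) -> bool:
    """Reject only blacklisted passwords; no length/character-class rules."""
    return candidate.strip().lower() not in COMMON_PASSWORDS

def throttle_delay(failures: int) -> float:
    """Seconds to wait before the next attempt, doubling with each failure."""
    if failures <= 0:
        return 0.0
    return BASE_DELAY * 2 ** (failures - 1)

class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._next_allowed = {}  # username -> earliest time of next attempt

    def attempt(self, user: str, password: str, verify) -> str:
        """Return 'ok', 'denied', 'throttled' or 'locked'. `verify` is the
        site's own credential check (assumed to compare hashes in constant time)."""
        now = self._clock()
        if self._failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if now < self._next_allowed.get(user, 0.0):
            return "throttled"          # too soon after the last failure
        if verify(user, password):
            self._failures.pop(user, None)
            self._next_allowed.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        self._next_allowed[user] = now + throttle_delay(n)
        return "locked" if n >= MAX_FAILURES else "denied"

    def unlock(self, user: str) -> None:
        """Help-desk or password-reset path that clears the lockout."""
        self._failures.pop(user, None)
        self._next_allowed.pop(user, None)
```

Both the throttle state and the failure count should be treated as signals for the monitoring mentioned above, not just as a gate.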

For additional suggestions click the picture above to look at their infographic. You can also find GCHQ’s full report here (pdf).

#####

Today’s post pic is from GCHQ. See ya!

11 comments for “Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ”

  1. September 14, 2015 at 10:27 pm

    Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ http://t.co/Acw2An9FlE http://t.co/2H8MvweSml

  2. September 14, 2015 at 11:12 pm

    GCHQ “Password Complexity Pointless”! http://t.co/IOgnysmzyv

    Get rid of them!

    #SecureTheFuture #NoMorePasswords http://t.co/7MJX2muluW

  3. September 14, 2015 at 11:33 pm

    BLOGGED: Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ http://t.co/BPs6tZomn0

  4. September 15, 2015 at 3:01 pm

    Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ – find out more here! http://t.co/nWtjfdQ7Ou #infosec

  5. September 16, 2015 at 6:41 am

    Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ http://t.co/jgsgQGsmQ7

  6. September 16, 2015 at 7:16 am
  7. September 16, 2015 at 7:20 am

    “Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ” https://t.co/83vPfHmouE #informationassurance

  8. September 16, 2015 at 11:03 am

    Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ – find out more here! http://t.co/yQy9NtlGBA #infosec

  9. September 16, 2015 at 3:03 pm

    Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ – find out more here! http://t.co/tvNRp6n36t #infosec

  10. September 16, 2015 at 5:58 pm

    “Password Complexity Requirements & Frequent Changes Are Pointless Says #GCHQ” https://t.co/2zTu7DyG7I

  11. September 16, 2015 at 6:40 pm

    Password Complexity Requirements & Frequent Changes Are Pointless Says GCHQ – NovaInfosec http://t.co/euAgxbcdTe via @Nathiet
