GCHQ has released a report on password policy in an aim to “reduce workload on users, lessen the support burden on IT departments and combat the false sense of security that unnecessarily complex passwords can encourage”. We take a look at some of their top suggestions…
GCHQ claim that the increase in password use is mostly due to the surge of online services, including those provided by government and the wider public sector. This proliferation of password use, and increasingly complex password requirements, places an unrealistic demand on most users. As they claim, users will inevitably devise their own ways of coping with ‘password overload’, which include writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies.
Attackers use a variety of techniques to discover passwords, which include: manual password guessing (using personal information such as date of birth, or pet names); intercepting passwords via emails and messages; ‘shoulder surfing’ (observing someone typing their password at their desk); installing keylogger software to intercept passwords when they are entered into a device; finding passwords which have been stored insecurely – to name but a few. The report, Password Guidance: Simplifying your approach, is free to download from gov.uk and makes seven key recommendations, among them:
1) The strongest passwords are made from four random words from the dictionary
Apparently, ‘marmoset-belgium-peanut-solstice’ would make a good password because it is easy to recall but difficult to guess.
2) Ditch complex passwords
A Bletchley Park-style jumble of letters, numbers and special characters can be too demanding and counter-productive.
3) Use password managers
Despite noting that “like any piece of security software, they are not impregnable and are an attractive target”, password management software (or even secure cabinets) provides a ‘sanctioned mechanism’ to “help users manage passwords”.
4) Implement “two-factor authentication” for all remote accounts
Staff with remote logins should have to pass higher levels of security, such as “two-factor authentication”, to prove their identity.
5) Never use the same password for home and work
Users should understand that work passwords exist to protect important assets; re-using passwords between work and home compromises this security.
6) Use account lockout, throttling or monitoring to help prevent brute force attacks
Account lockout (a user has a limited number of attempts to enter their password), throttling (a time delay between successive logins) and protective monitoring (detecting malicious behaviour) are all in the GCHQ report.
7) Change all default passwords before devices or software are deployed
Obvious, maybe, but a rule many companies still fail to obey.
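To make recommendation 6 concrete, here is an added example (not from the GCHQ report) of a login guard that combines all three defences it names: throttling (a delay that doubles after each failure), account lockout (after a fixed number of failures) and protective monitoring (an alert record once failures pass a threshold). The thresholds, the `LoginGuard` class and the injected `check_password` callback are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Assumed policy values for the demo; a real deployment would tune these.
MAX_FAILURES = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900     # 15-minute lockout
THROTTLE_BASE = 2.0       # delay after 1st failure; doubles each time: 2, 4, 8, ...
THROTTLE_CAP = 60.0       # never delay more than a minute between attempts
ALERT_FAILURES = 3        # monitoring: record an alert from this many failures on


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # epoch seconds before which attempts are refused
    locked_until: float = 0.0   # epoch seconds until which the account is locked


@dataclass
class LoginGuard:
    """Per-account brute-force guard. Credential checking is injected so the
    guard is independent of how passwords are actually stored and verified."""
    check_password: Callable[[str, str], bool]
    accounts: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # (user, failures, time) records

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"          # lockout: refuse without checking the password
        if now < st.next_allowed:
            return "throttled"       # throttling: refuse even a correct password
        if self.check_password(user, password):
            st.failures = 0
            st.next_allowed = 0.0
            return "ok"
        st.failures += 1
        delay = min(THROTTLE_BASE * 2 ** (st.failures - 1), THROTTLE_CAP)
        st.next_allowed = now + delay
        if st.failures >= ALERT_FAILURES:          # protective monitoring
            self.alerts.append((user, st.failures, now))
        if st.failures >= MAX_FAILURES:            # account lockout
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0                        # fresh count once lockout expires
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed scenario: repeated wrong guesses against one account.
    guard = LoginGuard(check_password=lambda u, p: p == "correct horse")
    for t in (0, 1, 3, 10, 20, 40, 100, 1000):
        print(t, guard.attempt("alice", "wrong" if t < 100 else "correct horse", t))
```

Refusing throttled and locked attempts before the password check matters: it keeps the guard from leaking whether a refused guess was correct.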