Should you heed GCHQ's password advice?


GCHQ believes companies should simplify their password policies, advising companies against using "strength meters" or forcing staff to change credentials every few months.

The Password Guidance report said the average UK citizen has 22 passwords to remember for online services, more than most of us can manage. Previously, the government's security agencies suggested people use more complex passwords that are harder to crack, but GCHQ is now advising organisations on "simplifying your approach".

"Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users," Ciaran Martin, Director General for Cyber Security at GCHQ, wrote in the introduction to the report.

"They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk."

Instead, companies should change default passwords to something new, reduce the number of passwords users need to remember by only using them when necessary, and consider using machine-generated passwords rather than letting people choose their own.

If you do let people set their own passwords, avoid "strength meters", which tell users their credential is too weak to use. "They may steer users away from the weakest passwords, but often fail to account for the factors that can make passwords weak (such as using personal information, and repeating characters or common character strings)," the report said.
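To make the report's point concrete, here is an added example (not from the report or from GCHQ) that puts a traditional character-class meter beside a check for the three factors the report says meters miss, and adds a machine-generated alternative. The naive scoring rule and the short list of common strings are assumptions constructed for the example; a real deployment would check against a breached-password list.

```python
from __future__ import annotations
import re
import secrets
import string
from typing import Iterable

# Constructed sample; a real check would use a breached-password list.
COMMON_STRINGS = ("password", "qwerty", "123456", "letmein", "welcome")
# Substitutions a meter counts as "complexity" but an attacker trivially undoes.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def naive_meter_accepts(pw: str) -> bool:
    """Traditional strength meter: length plus character-class counting.
    Accepts eight or more characters drawn from at least three classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(pw) >= 8 and classes >= 3


def weakness_reasons(pw: str, personal_info: Iterable[str] = ()) -> list[str]:
    """Flag what the report says meters miss: personal information,
    repeated characters and common character strings."""
    reasons = []
    lowered = pw.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            reasons.append(f"contains personal information '{item.lower()}'")
    if re.search(r"(.)\1{2,}", pw):  # the same character three or more times in a row
        reasons.append("repeated characters")
    normalized = lowered.translate(LEET)
    for common in COMMON_STRINGS:
        if common in normalized:
            reasons.append(f"contains common string '{common}'")
    return reasons


def generate_password(length: int = 16) -> str:
    """Machine-generated alternative: random characters from a CSPRNG,
    redrawn if the draw happens to trip one of the checks above."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weakness_reasons(pw):
            return pw


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies the meter but is just "password" with substitutions.
    for pw in ("P@ssw0rd1!", "Ciaran2015!!!", generate_password()):
        print(pw, naive_meter_accepts(pw), weakness_reasons(pw, ["Ciaran"]))
```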

The report also suggested better locking down admin accounts and remote users, protectively monitoring for abnormal behaviour and never storing passwords as plain text.

"Every single user in the UK public sector has at least one (and most likely considerably more) work-related password," Martin said. "By simplifying your organisation's approach, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage."

Industry response

The advice was welcomed by some experts. Nigel Hawthorn, European spokesperson at cloud security company Skyhigh Networks, said the tips were "refreshingly to the point".

Hawthorn added that the ban on strength meters "seems smart" - even though it contradicts his own company's research.

"We analysed 12,000 cloud services and found that a whopping 80 percent would allow 'weak' passwords according to the traditional strength meter, but the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess."

Ross Brewer, vice president and managing director of international markets at LogRhythm, also welcomed some of the advice. "The ability to monitor user behaviour, particularly that of privileged users, is more important than ever," he said. "With the right systems in place, organisations are able to detect changes in patterns of behaviour in real-time and immediately identify when credentials are compromised."

However, he disputed GCHQ's advice that companies should stop forcing employees to come up with new passwords every few months.

"While changing passwords every 60 or 90 days is a hassle for everyone involved, it does generally ensure that the credentials remain unique," he said.

"Compromised credentials are one of the top reasons for breaches and, while it isn't foolproof, regularly changing them may well stop a hacker in their tracks. What's more, it often takes businesses months to detect a breach, so GCHQ's recommendation that passwords be changed only if there are indicators of a compromise could leave the door open to hackers for a very long time."