UK spy agency GCHQ has released a new advice document for organizations, urging them to simplify their password policies and dispense with strength meters in order to combat password overload.
The agency’s cybersecurity director general, Ciaran Martin, admitted in a new report – Password Guidance: Simplifying Your Approach – that the government’s previous guidance had been wrong.
It used to be that CESG advised organizations to require more complex passwords from their users.
“The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’. Worse still, the rules – even if followed – don't necessarily make your system more secure,” he argued.
“Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”
With that in mind, the new document says firms can combat password overload via several steps: the first being to only implement passwords when absolutely needed, and to use single-sign on, password synchronization and other tools to reduce the burden on staff.
They should also provide a means to store passwords securely – whether physically or virtually, in a password manager or other system.
It adds that regular password changing is not effective, as compromised credentials are usually exploited immediately, so there should be no burden to change passwords unless a break-in is suspected.
Users should be able to reset passwords quickly, cheaply and easily, and simpler credentials are fine, GCHQ said, adding:
“Traditionally, organisations impose rules on the length and complexity of passwords. However, people then tend to use predictable strategies to generate passwords, so the security benefit is marginal while the user burden is high. The use of technical controls to defend against automated guessing attacks is far more effective than relying on users to generate (and remember) complex passwords.”
Technical controls could include account lock-out, throttling or protective monitoring, and blacklisting for common password choices.
These should be backed up with good user training, and password strength meters should be ditched as they just aren’t effective enough, the report claimed.
Nigel Hawthorn, EMEA marketing director at Skyhigh Networks, agreed with much of the GCHQ advice.
“GCHQ advocating a ban on strength meters may surprise some, but also seems smart,” he argued.
“We analyzed 12,000 cloud services and found that a whopping 80% would allow ‘weak’ passwords according to the traditional strength meter. But the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess.”
However, LogRhythm MD of international markets, Ross Brewer, warned that changing passwords only after a compromise has been detected might be tricky give the covert nature of attacks today.
“Compromised credentials are one of the top reasons for breaches and, while it isn’t fool proof, regularly changing them may well stop a hacker in their tracks,” he argued.
“There’s also the fact that changing passwords may, in fact, help identify someone illegally trying to access the network. If a user is repeatedly attempting to log-in with a now invalid password, it may indicate that something untoward is happening, and with the right security analytics tools in place, an attack could be thwarted.”