Life was so much easier when all we had to remember was a 4 figure PIN to get money from the cashpoint machine. Nowadays we need passwords for almost everything we do online and most people have many accounts and registrations that require passwords, which we are meant to remember – it’s enough to give you a headache.
We are told by every budding security geek that our passwords need to be strong or complex, that they should be at least so many characters long, that we shouldn’t re-use them, that we shouldn’t write them down, that we should change them regularly, that we should… STOP – rewind that last bit… We are now being told we don’t have to change passwords regularly – HOORAH!
CESG’s updated guidance on passwords
This revelation was included in new guidance on passwords published by CESG in 2015, “Password Guidance: Simplifying Your Approach”, although the document does point out that ‘It is not intended to protect high value individuals using public services’.
There is a lot of good guidance in the document, as you would expect. The main eyebrow raiser was the change in thinking regarding forcing users to regularly change their passwords. CESG is now recommending that organisations do not force regular password expiry. This was unexpected, and CESG recently decided to explain their thinking further.
In summary, the main reasons are:
- newly chosen passwords will be very similar to the old one, so an attacker who has the old password can often work out the new one;
- newly chosen passwords will often be weaker than the old one, because a weaker password is easier for the user to remember;
- the new password may be one that has been used for something else;
- a new password will probably be written down;
- a new password is more easily forgotten.
CESG is calling for improved password policies that place fewer demands on users. They put more onus on administrators to lessen the burden on users, and recommend the use of system monitoring tools to do this.
If this guidance is followed, users may not have to change account passwords as often as they used to, but they will have to pay more attention when logging in: checking that there have been no unknown events such as failed login attempts, and that the last recorded login was actually theirs. They will also need a quick and easy way to report any suspected issues.
Think it won’t happen to you?
If you think your passwords are safe – or that other people’s password misfortune won’t happen to you – you could be in for a nasty surprise.
This infographic from CESG is featured in their password guidance. We think it shows just how easy it is to have your password stolen, so we have included it in this article. Cyber criminals use a number of password hacking techniques, some sophisticated, some just plain guesswork.
Crown Copyright 2015
In conclusion
CESG’s recent guidance is definitely a positive step in the right direction for the user, although arguably a very small one. Unfortunately we still have to remember the same number of difficult-to-remember passwords, so not much has changed in reality. The demise of the password was predicted some time ago, but it doesn’t look like the headache is going away anytime soon.
If you haven’t had enough of passwords and want some other ideas on how to create ones that are strong and memorable, please see these articles from the Ascentor blog:
How to Create Strong, Memorable Passwords that are Difficult to Crack
How to Create Strong, Memorable Passwords that are REALLY Difficult to Crack
Now, pass me the Aspirin!
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.
Email: info@ascentor.co.uk
Office: 01452 881712
Web: www.ascentor.co.uk