GCHQ wants to set your passwords. In a good way

Britain's spy agency the GCHQ has changed its password security guidance in a new document offering sensible advice that, if followed, should harden systems and make life easier for admins and users. The guidance advocates a ban on password strength meters, mandatory resets, and predictable combinations, instead encouraging …

  1. Syd

    Someone Tell PCI

    Totally agree with all this; but others need to come on board with the same sense - in my case, PCI, which is the source of all the stupid requirements I've had to implement over the past few years, including all the "secure but actually insecure" things described above, like having to include punctuation and forcing a change of password every 6 months.

    1. -tim

      Re: Someone Tell PCI

      You might find the PCI requirement is 90 days so quarterly changes miss by a few days a year.

    2. Anonymous Coward

      Huh?

      "offers solid advice that admins should only dole out passwords where they are required and allowing the use of password storage lockers."

      So putting all your valuable eggs in one basket is your advice? Riiiiggghhhttttt...

      1. Gavin Ayling

        Re: Huh?

        Did you miss the point? Perhaps you should read the article before applying 'common-sense'.

  2. Anonymous Coward

    Cracks?

    If GCHQ recommends SHA 256 and PBKDF2, is this evidence that they've got good cracks for them?

    1. Anonymous Coward

      Re: Cracks?

      Wot no WHIRLPOOL?

      ;o)

      Odd(?) that the five eyes' security services never advocate any hash function other than the US NSA's "NIST's (honest!)" slightly-less-obviously-fucked derivative rehashes of their totally fucked little MD5 ruse.

    2. Frumious Bandersnatch

      Re: Cracks?

      If GCHQ recommends SHA 256 and PBKDF2

      I just happened to be reading this article about hacking WPA/WPA2 on Tom's Hardware the other day. Though they didn't mention it by name, they describe PBKDF2 as using an iterative HMAC construction for protecting the key. As far as I know, there are no practical attacks against this, so the attacker is forced to use brute force. I would be extremely surprised if someone ever did manage to come up with any better attack since the construct effectively includes two one-way functions (the HMAC part and the chosen digest function). Plus, even if someone did find an attack that's better than brute force, increasing the number of rounds or alternating between two separate digest functions should make it secure again.
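The iterated-HMAC construction the comment above describes, as an added example that is not code from the article, from GCHQ or from any commenter: PBKDF2 (RFC 8018, section 5.2) written out by hand so the chained HMAC rounds are visible, checked against Python's own hashlib.pbkdf2_hmac, with a small hash/verify pair around it. The stored-record layout (pbkdf2_sha256$iterations$salt$key), the iteration counts and the sample passwords are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: PBKDF2 (RFC 8018, section 5.2) written out by hand so the iterated
# HMAC is visible, then checked against hashlib's implementation. Not code from the
# article, GCHQ or any commenter; record format and iteration counts are assumptions.


def pbkdf2_hmac_manual(hash_name: str, password: bytes, salt: bytes,
                       iterations: int, dklen: int) -> bytes:
    """Each output block is T_i = U_1 xor U_2 xor ... xor U_c with
    U_1 = HMAC(password, salt || INT_32_BE(i)) and U_j = HMAC(password, U_{j-1}).
    Every round is one HMAC (itself two calls of the underlying hash), and the
    rounds are chained, so the work cannot be parallelised across iterations."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h_len = hashlib.new(hash_name).digest_size
    out = bytearray()
    block_index = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            for j in range(h_len):
                t[j] ^= u[j]
        out += t
        block_index += 1
    return bytes(out[:dklen])


def matches_stdlib(hash_name: str, password: bytes, salt: bytes,
                   iterations: int, dklen: int) -> bool:
    """True when the hand-written version agrees with hashlib.pbkdf2_hmac."""
    return pbkdf2_hmac_manual(hash_name, password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


# Stored-record layout used by this example (an assumption, not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
# Keeping the iteration count in the record is what lets it be raised later without
# invalidating existing hashes: old records keep their count, new ones get the new one.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), 32)
    # constant-time comparison: a wrong guess must not leak how many bytes matched
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("hand-written PBKDF2 agrees with hashlib:",
          matches_stdlib("sha256", b"password", b"salt", 4096, 32))
    rec = hash_password("correct horse battery staple", iterations=10_000)
    print(rec)
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "correct horse battery stable"))
```

The cost of a guess is linear in the iteration count, which is the only knob the construction offers against offline cracking of a leaked hash file; a password of any length goes through the same HMAC, so nothing here needs a maximum length.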

3. tom dial

The advice described is all beneficial. However:

    Passwords sometimes are compromised. Periodic change can limit, to a degree, the damage that results from that.

    Rate limiting is useful and certainly should be in place. However, on occasion hashed password files have been leaked, and entropy requirements, in addition to the obvious measure of blacklisting the popular ones like 1234567890, are useful in such cases in reducing the effectiveness of various attacks that process the entire file in hope of cracking a useful or profitable number of the passwords.

    1. Nick Kew

      It's a balance of harms. Whatever good periodic change might do has to be set against the harm of people who struggle with it. Not to mention consequences such as the risks of Password Reset processes, or the extra opportunities to try social engineering on a helpdesk fed up with problems of password reset.

      The sooner we can rid the world of passwords (as we know them today), the better.

      1. Primus Secundus Tertius

        Authenticate

        The easiest authentication is on the telephone:

        "Hi, its me!"

        "Oh hello, you, you know who I am."

        Once upon a time that was how the banks worked. Not now, except perhaps for millionaires.

    2. teebie

      Yes, forcing periodic password changes is useful if a password is compromised, but it makes users less likely to pick decent passwords, and makes passwords on post-its more likely (and annoys users).

      I'm not aware of definitive research, so I have always gone with my instinct which is not to force changes.

  4. djack

Doesn't quite work for me

    I don't agree with the "no mandatory changes" advice. They say to force a change when there has been a compromise. Without complex, time-consuming and expensive monitoring, most people are not going to be able to detect any sort of stealthy compromise. The point of regularly changing passwords is to limit the length of exposure due to an undetected compromise.

    Considering you can now do hardware 2FA for less than £30 a head for the lifetime of a key or even less with soft tokens on a mobile device, their time should be better devoted advocating 2FA rather than massaging the stinking corpse of password security.

    1. Anonymous Coward

Re: Doesn't quite work for me

      "The point of regularly changing passwords is to limit the length of exposure due to an undetected compromise."

I disagree; it's there purely to tick boxes and make people feel better. After all, if you cracked the first one, you can most likely guess the next one.

      Password1

      Password2

      Password3

      and so on.

      I bloody hate password resets, nothing but a PITA.

      1. Anonymous Coward

Re: Doesn't quite work for me

        Yup. Unless passwords are properly randomly generated and assigned the whole (re)cycling fiasco is nothing but bloody inconvenient theatre. Sticking a "Beware of the leopard" notice on the login would probably be more securillusionifying.

        1. Anonymous Coward

Re: Doesn't quite work for me

          And even then if they managed to get the password the first time there is a good chance they can use the same technique to get it the next time or if it is a crucial password then install something to allow them access sans password.

The problem with regular password resets is that every password becomes less secure: they will be easy, guessable or insecurely stored. Far better to educate from the very beginning that a password should be long/strong and never told to anyone else - IT, your boss, your boss' wife etc. Always ensure the security of where you are typing it and always check last login details where available.

        2. Frumious Bandersnatch

Re: Doesn't quite work for me

          re: "securillusionifying"

          I actually tend to use made-up portmanteaux like that quite a bit. Usually easy to remember if you can combine some sort of pop or literary reference with the purpose of the site/password, but should be hard to guess and impossible to crack using dictionaries.

          Some totally made-up examples:

          * "furuikeyast" for a SUSE Linux box ("yast" is the trigger to remember the wordplay with the famous haiku)

          * "oblidobladon't" for Amazon (they have an "obidos" site, mashed up with a Beatles lyric)

          I guess if crosswords were your thing you could do something similar and come up with a cryptic reminder to yourself and even write down the clue.

    2. streaky

Re: Doesn't quite work for me

      Considering you can now do hardware 2FA for less than £30 a head for the lifetime of a key or even less with soft tokens on a mobile device, their time should be better devoted advocating 2FA rather than massaging the stinking corpse of password security.

      Yes this - you can actually do it for £12.99 or even as low as £4.99 if you want something less (physically) strong that you can snap in half in an emergency - and if they actually gave a toss they'd be advocating it.

Rate limiting in web apps, the way it's generally implemented, is quite harmful to usability and it's no replacement for people using fairly strong passwords regardless.

3. Robert Carnegie

      OK, set

My password is now "hardware2FA", [*] I'm glad it is more secure but I don't understand why I have to pay to use it, or, how they know. Well, unless they read this.

      [*] I thought "pbkdf2" was o.k., is it too short?

  5. caffeine addict

    Every time we get a dump of passwords I mean to check how popular correcthorsebatterystaple is.

    To be honest, the biggest sin I can think of from developers is enforcing a *maximum* length on passwords. Maybe I'm missing something obvious, but the only reason I can think of is that they're storing passwords in cleartext somewhere and need to fit the string in a varchar(10) or similar. :/

    1. Anonymous Coward

As many have said, password policies on the whole are shit.

      Some genuine ones I've had.

      Must be between 6 and 12 characters long (a Bank FFS)

One uppercase and one number. Password1 is "strong"; same when it comes to 1 upper case and one special, so Password! is good to go.

      One upper, one number and one special, excluding +-/\()[]{}|£

      1. Loud Speaker

        My recommended password is:

        ";drop table users cascade;Commit;"

        Security great is!

        2. davemcwish

          Recommended passwords

          @Loud Speaker You may also want to add Purge...

        3. Anonymous Coward

          ;drop table wp_users; is all you need anymore. Just find an unpatched SQLi...

        4. Anonymous Coward

          Or...

          "cd /; grep -i H1;rm -fr ."

so it meets the Capitals and Numbers requirement

          Sadly the site I tried it on would not accept / or . or ;

          Numpties

Don't they realise that NOT accepting punctuation increases the attack vector by a huge amount?
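What the "drop table" passwords in this sub-thread would actually do, as an added example that is not taken from the article or from any commenter: a login check that splices the submitted values into the SQL text, beside the same check with bound parameters. The users table, its single row and the placeholder hash are constructed for the demo; sqlite3's executescript stands in for a driver that runs several ';'-separated statements in one call, which is an assumption about the hypothetical application, since sqlite3.Cursor.execute itself refuses more than one statement.

```python
import hmac
import sqlite3

# Added example, not from the article or any commenter. The table, the one account
# and its placeholder hash are constructed for the demo.


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    # placeholder: a real application stores the output of a slow KDF here
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "hash-of-alices-password"))
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str = "users") -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def vulnerable_sql(name: str, supplied_hash: str) -> str:
    """The classic mistake: user-controlled strings spliced into the statement text."""
    return (f"SELECT count(*) FROM users WHERE name = '{name}' "
            f"AND password_hash = '{supplied_hash}'")


def login_vulnerable(conn: sqlite3.Connection, name: str, supplied_hash: str) -> bool:
    row = conn.execute(vulnerable_sql(name, supplied_hash)).fetchone()
    return row[0] > 0


# Payloads in the spirit of the thread. The trailing SELECT '' in the second one
# re-balances the quote the application appends after our input.
BYPASS_PAYLOAD = "' OR '1'='1"                     # WHERE ... = '' OR '1'='1'
DROP_PAYLOAD = "x'; DROP TABLE users; SELECT '"    # needs stacked-statement execution


def execute_refuses_stacked(conn: sqlite3.Connection) -> bool:
    """sqlite3.Cursor.execute() takes one statement per call and raises on the rest.
    Other drivers and databases differ, which is why the next function exists."""
    try:
        conn.execute(vulnerable_sql("alice", DROP_PAYLOAD))
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def stacked_statement_demo(conn: sqlite3.Connection) -> bool:
    """executescript() stands in for a driver that runs stacked statements
    (assumption about the hypothetical app). Returns whether the users table survived."""
    conn.executescript(vulnerable_sql("alice", DROP_PAYLOAD))
    return table_exists(conn)


def login_parameterised(conn: sqlite3.Connection, name: str, supplied_hash: str) -> bool:
    """Fix: statement text is constant; values travel separately and are never parsed as SQL."""
    row = conn.execute("SELECT password_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    # constant-time comparison; both sides encoded so non-ASCII input cannot raise
    return hmac.compare_digest(row[0].encode("utf-8"), supplied_hash.encode("utf-8"))


if __name__ == "__main__":
    db = fresh_db()
    print("bypass on vulnerable login:", login_vulnerable(db, "alice", BYPASS_PAYLOAD))
    print("execute() refused stacked statements:", execute_refuses_stacked(db))
    print("users table after stacked drop:", stacked_statement_demo(db))
    db = fresh_db()
    print("bypass on parameterised login:", login_parameterised(db, "alice", BYPASS_PAYLOAD))
    print("drop payload on parameterised login:", login_parameterised(db, "alice", DROP_PAYLOAD),
          "table still there:", table_exists(db))
```

Note that the parameterised version does not need to reject punctuation at all: a password containing quotes and semicolons is just bytes compared against the stored hash, which is the answer to the site that refused / . and ; above.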

      2. trog-oz

One uppercase and one number. Password1 is "strong"; same when it comes to 1 upper case and one special, so Password! is good to go.

I had to change my disposable hotmail password the other day. "Password1" and "Password12" were disallowed - too insecure, but "letmein1" is fine!

        1. Anonymous Coward

          Stupid Building Societies

          User ID

          Password

          First pet

          Mother's maiden name

          Fist school.

So you need at least 3 pieces of information to log on, and if you have more than one account you are not supposed to reuse the data, so you have to write this stuff down, so it's no longer secure. Surely the best alternative is user id and password of at least 12 letters; an easily constructed phrase would be fine.

          1. This post has been deleted by its author

          2. Youngdog

            @oldgrumpy

            You don't remember the name of your first pet? What kind of monster are you!

            1. Anonymous Coward

              Re: @oldgrumpy

              >You don't remember the name of your first pet? What kind of monster are you!

Some of these things are very transitory though; my first "pet" was a goldfish won at a fair and it lasted about 2 hours, so I typically use the name of my first cat, which I sometimes forget I've done.

Similarly, my first school changed names while I was there; I was only there for 6 months before moving, it has since changed names several times, and the original name can be written in a number of ways.

              Then there's the "favourite colour" one. What kind of moron favours one colour over another? That gets a random response, meaning I basically have to write down the login details somewhere.

              1. Anonymous Coward

                Re: @oldgrumpy

                Look, I don't know whether you're being serious here or not, but...

                The answer you provide does not have to be the genuine answer to the question being asked. It just has to be good enough for you to remember it (and for the answer to be acceptable to The System).

So if you tell Them that your first school was called Orange, and that your favourite colour was Vodafphone, and you can remember that... well, it might work.

1. David Nash

                  Re: @oldgrumpy

                  The answer you provide does not have to be the genuine answer to the question being asked. It just has to be good enough for you to remember it

                  True but if it's not true, I have even less chance of remembering it when I go to enter it 6 months later.

                  1. Anonymous Coward

                    Re: @oldgrumpy

                    "I have even less chance of remembering it when I go to enter it 6 months later."

                    You can choose anything that's sufficiently memorable.

                    Car registration numbers work for some people. YMMV.

                    If nothing is sufficiently memorable, then you're a bit stuck. I know that feeling.

                2. Anonymous Coward

                  Re: @oldgrumpy

                  I've gone so far as to use answers like:

                  2@$0%9hk^)nJ

                  for my first pet's name.

                  The better sites let you pick a question...

                  Q1: 529ab2-@=-7-%uxxxno(349*-zi862^20*%%5

                  A1: o$n8u$5L0e2q08^a55R4=b9x@t

2. alain williams

                Re: @oldgrumpy

                Do you mean to say that you tell the truth when asked these questions ? As far as some places where I have an account know my mother's maiden name is Boodica and I was born in Ursa Minor.

1. ravenviz

                  Re: @oldgrumpy

                  Hah, I've now logged in to your pornhub account!

              3. Quip

                Re: @oldgrumpy

Well, 'Maiden Name', 'first pet' etc are just passwords. So never use the real name; someone could guess that. But then if I use a made-up name it shouldn't be the same for every site, so I need a list of 'Mothers Maiden Names'. So now I have a different mother for every site and I can't remember which without writing it down.

2. Allan George Dyer

              Re: @oldgrumpy

              @Youngdog - "You don't remember the name of your first pet? What kind of monster are you!"

              I think the problem is not re-using the name of your first pet...

              "Well, first we called him Fluffy, but after two weeks we changed to Pooh and the next month it was Cerberus..."

3. ravenviz

            Re: Stupid Building Societies

            "Fist school"

            Not all of us went to borstal you know!

          4. Anonymous Coward

            Re: Stupid Building Societies

            Apple phones have a higher second hand value than android phones

            Why is writing down the password to my internet banking account, on a pad on my desk at home, making it less secure?

            Will Nork CyberHackers brute force my desk notepad to find out what the password is?

          5. Anonymous Coward
            Anonymous Coward

            Re: Stupid Building Societies

you could always lie about your school and mother's name. After all, these are probably a matter of public record. First pet is a bit harder to guess though.

I have been lying about these for donkey's years. My current wheeze is to reverse the letters of my Gran's maiden name. Thankfully it only has 6 letters.

            So up yours hackers.

            anon just in case.

    2. jonathan1

I have to agree with the grumble about maximum password length being imposed by sites.

Especially after reading that XKCD thing on password length being more important than complexity. It inspired me to read a pretty good (it explained entropy to me and I understood it) blog post on it which I think someone here linked.

      1. Youngdog

        @jonathan1

        Obligatory blah blah you know the drill

        https://xkcd.com/936/

        1. This post has been deleted by its author

          1. caffeine addict

            Re: @jonathan1

            If I had to choose between multiple correctbatteryhorsestaple passwords and entrusting all my passwords to a third party provider with unknown security and a single password governing access to _everything_, I know which I prefer.

            Password tools are (IMHO) just the same as allowing Facebook to be your login to everything...

    3. Anonymous Coward

      "Maximum password length"

Like Microsoft, whose account could get you into your company's crown jewels (TFS).

      Yet they only allow a maximum of 12 characters and if you previously had a longer password you had to just type the first 12 characters. What kind of storage were they using for their password??

    4. M man

      Like ms 365?

      When it told me the long but simple to remember password I had generated for a user was too long as 365 only supports SIXTEEN characters....

      Thank god for adfs

6. MJI

    Forced changed passwords

    I ended up finding a locomotive list and ran through a class of loco names.

    I had 50 ready to go! Starting at Dreadnaught

  7. This post has been deleted by its author

    1. Anonymous Coward

      Re: "allowing the use of password storage lockers"

      And just how are you going to do that?

  8. Anonymous Coward

    Exactly

    I use very strong and unique passwords on all sites and keep them in a strong encrypted /local/ and backed up password store because it isn't practical to remember them all and not secure to store them on some cloud server, except pre-encrypted.

All access passwords I am forced to change regularly to log in to a machine have ended up shorter and weaker, because I got fed up trying to remember them, yet my home machine login, which I don't require changes for, is long and complex, so much more secure!

  9. Sil

    I don't understand why password meters should not be used, except to facilitate the cracking by intelligence agencies.

It's really not asking too much for the user to devise or, even better, have a randomly generated strong password if their employer doesn't ask for regular changes and if very few work-related passwords are needed. At the very least, test the password with a 10 000 word dictionary attack, not 10.

1. John H Woods

"I don't understand why password meters should not be used, except to facilitate the cracking by intelligence agencies." --- Sil

      I think it's just because they are crap -- see examples above. The only realistic way to check user-generated password complexity is to ensure that it's not on a list of known passwords. It might be possible to make a reasonable stab at guessing whether a given password is from a password manager though, by applying various tests of randomness.
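Added example, not code from the article, from GCHQ or from any commenter, contrasting the two approaches discussed in this thread: a "one upper case and one number" composition rule of the kind several posts complain about, and the check John H Woods describes, rejecting anything on a list of known passwords (the same list an attacker processing a leaked hash file would try first, as tom dial notes above). The blocklist here is a constructed handful of entries standing in for a breach-derived list of tens of thousands; the 12-character minimum and the normalisation step (case-fold, then strip digits and punctuation tacked on the end) are this example's own choices.

```python
import re
import secrets
import string

# Added example, not code from the article, GCHQ or any commenter. The blocklist is a
# constructed handful of entries standing in for a breach-derived list; the 12-character
# minimum and the normalisation rule are this example's own choices.

COMMON_PASSWORDS = frozenset({
    "password", "password1", "letmein", "qwerty", "123456", "1234567890",
    "welcome", "iloveyou", "abc123", "dragon", "monkey", "football",
    "trustno1", "correcthorsebatterystaple",
})


def passes_composition_rule(pw: str) -> bool:
    """The 'one upper case and one number' rule several comments above complain about."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def normalise(pw: str) -> str:
    """Fold away the usual decorations: case, and digits or punctuation tacked on the
    end, so 'Password1', 'password!!' and 'PASSWORD2016' all become 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def passes_blocklist_check(pw: str, min_len: int = 12) -> bool:
    """A length floor plus 'not a known password'; no character classes required."""
    if len(pw) < min_len:
        return False
    return (pw.lower() not in COMMON_PASSWORDS
            and normalise(pw) not in COMMON_PASSWORDS)


def compare(pw: str) -> dict:
    """Both verdicts side by side for one candidate."""
    return {"composition": passes_composition_rule(pw),
            "blocklist": passes_blocklist_check(pw)}


def random_password(length: int = 16) -> str:
    """What a password manager would hand out; passes the blocklist check trivially."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Password1", "Password123!", "letmein1",
                      "correcthorsebatterystaple", "oblidobladon't", random_password()):
        print(f"{candidate!r:32} {compare(candidate)}")
```

"Password1" and "Password123!" satisfy the composition rule and fail the blocklist; "oblidobladon't" from earlier in the thread fails the composition rule and passes the blocklist; and correcthorsebatterystaple, being on every list by now, passes neither.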

  10. Anonymous Coward

    do not share passwords, ever

    I wish I could quote that to the plods when they ask nicely to gain access to my computer.

    1. lawndart

      Re: do not share passwords, ever

      "Sorry constable, I am unable to furnish you with my password as I am acting under instruction from GCHQ."

    2. Vic

      Re: do not share passwords, ever

      I wish I could quote that to the plods when they ask nicely to gain access to my computer.

      I wish I could quote it to my ex-boss who insisted I give him the root passwords[1] to machines he didn't own and had no business touching...

      Vic.

      [1] I refused. I don't work there any more. There might be a correlation somewhere...

  11. Velv

    "Don't change your password" = "it's a pain in the arse every time we need to crack it, so the less you change your password the happier we'll be"

    1. Anonymous Coward

      "...and if you use the same password on everything, we'll be able to spend the rest of our lives down the pub"

  12. Madeye

    What, no scrypt? Oh wait! It's advice from GCHQ

  13. WibbleMe

    Real World!

    You get a local butcher or shop fitter to remember this: jL1EjNx(co?Nz$b

The whole concept of letters for passwords needs to change; try getting someone outside the IT industry to remember a "strong" password and they would rather jump off a cliff.

How about instead offering SMS based authentication, geo-location checking and fingerprint/eye/voice recognition instead.

1. Infernoz

      Re: Real World!

Anything you can't change quickly or ever, like SMS and biometrics, is a very bad idea!

      1. Wensleydale Cheese

        Re: Real World!

"Anything you can't change quickly or ever, like SMS and biometrics, is a very bad idea!"

        SMS is also bad news for those of us who live or work in areas with poor phone reception.

        The requirement of a working phone with a fixed number brings the risk of a single point of failure.

    2. Anonymous Coward

      Re: Real World!

      Because I can change jL1EjNx(co?Nz$b next month to 3gM6g#n7gw, but you'll never change your fingerprints or eyes or voice *

      note: unless you have surgery, allergies or a cold**.

      note2: what happens if you set your voice password while you have a cold, will you have to get sick to authenticate?

    3. Mark #255

      Re: Real World!

      Regarding biometric data, they're akin to your username, not to a password.

    4. Anonymous Coward

      Re: Real World!

      Yeah, password authentication is crap. Strong passwords are impractical unless you use a password locker, which has its own weaknesses. Keyloggers are another problem for passwords.

      2FA and biometrics are far from universal. SSH keys are more like the right idea, but even if every stupid webapp supported that, I can't see most people keeping their keys secure and backed up. I haven't heard of any better ideas though.

  14. phil 27

TL;DR summary of what GCHQ really are saying:-

    Please, weaken your standards, you're making our job more difficult than it should be.

  15. Sir Runcible Spoon

    Consonant Consonant Vowel Consonant

    That makes for a CRAP password.

    1. Frumious Bandersnatch

      Re: Consonant Consonant Vowel Consonant

      Keep your clothes on, Carol, I can't concentrate!

16. Lars

    Nothing about people leaving

    With or without a smile.

  17. Jin

    Take the cognitive nature of our memory into account

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

Biometrics are password-dependent. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep.

At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
