back to article Stop resetting your passwords, says UK govt's spy network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. "In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected …

  1. Paul Crawford Silver badge

    There is some sense here, you want users to have long passwords to make them difficult to guess, but easy to remember. So saying "at least 16 characters, like a few words perhaps" and not requiring stupid ratios of punctuation, numbers, and case, is likely to get them using something different to other services, and to remember it instead of putting it on a post-it note.

    Also, of course, having a bozo filter to stop "Correct Horse Battery Staple", or even "password" or "12345" and similar being used N times to fit the minimum limit...

  2. swschrad

    the real issue is GCHQ is too busy to keep guessing your new ones

    so keep using strings of cuss words, and shift-right one letter every 30 days.

  3. werdsmith Silver badge

    Re: the real issue is GCHQ is too busy to keep guessing your new ones

    I know that most people in this network where passwords last 6 weeks, just append a number onto the same word and increment it when the change is forced.

    I'm up to 38.

  4. WatAWorld

    No words in any language

    It is even worse than that. Remember that to modern password cracking software a lengthy word has the complexity of a single character -- entire words are tried the way old cracking software tried characters.

    To be effective against modern cracking software, passwords must not contain within them words in any language.

    So we should be asking users to remember truly random strings of over 12 characters.

  5. CaptainHook

    Re: No words in any language

    It is even worse than that. Remember that to modern password cracking software a lengthy word has the complexity of a single character -- entire words are tried the way old cracking software tried characters.


    There are what, around 70 different symbols which are routinely allowed in password (upper/lowercase characters, digits, a few other ASCII characters). Even if you allow the full printable ASCII character set you only have 95 symbols which can be chosen from.

    But if you use truly random words from say the Oxford English dictionary, that allows for ~171,000 different symbols.

    A string of 8 random words, even without special characters injected in random places is multiple orders of magnitude greater than an 8 character ASCII password to brute force and much easier for a human to type in because all the characters are easy to find on a keyboard.

    The problem with words as passwords is that they are usually not chosen at random.

  6. IdeaForecasting

    Re: No words in any language

    Nonsense. with a password 'hello hot world trees' where would your 'position' the word 'hot' to crack this password? and what would you use to fill the gap between the other words in the password?

    The reality of this kind of crack would require ALL the words AND spaces to be in the correct order to work?

  7. Anonymous Coward
    Anonymous Coward

    Re: the real issue is GCHQ is too busy to keep guessing your new ones

    I'm currently approaching 100 for some. I've just had the 90 expiry reminder at work. I have 12 systems to change, even the companies own products and internal systems have different logins and password rules, so the base word + increment is one way of staying sane and not getting locked out.

    Yesterday I had to sign in to the ADATA website to get access to the cloning software for one of their SSD drives. They thoughtfully confirmed my account with an email containing the plain text password I had just created. There really is no point regularly changing the locks on the doors if there's a big window open right next them.

  8. Sixtysix
    Black Helicopters

    It's a trap...

    The ONLY reason they don't want passwords changed regularly is so their database od cracked passwords doesn't have to be re-cracked every 30/40/... days.

    Whilst I don't think CESG will be interested in ANYTHING I use/type/mail at my work (and have a far simpler way of accessing), I'd be *very* surprised if my personal addresses/accounts have not crossed their automated tracking: as Snowdon clarified they do try to watch *everything* on the interwebs after all!

    The boredom of the content thereof is irrelevant: because my "stuff" is visible, they can hone in on drug dealers, terrorists and enemies of the state: we all know how "much" they use encryption and strong passwords eh? Right. Also, and more worryingly, they'll be able to home in on the genuine freedom fighters, oppressed peoples, press leakers, journalists and other folks validly trying to prevent their life/rights/privicy from being trampled.

    I strongly believe we who know how owe it to everyone to work against "Big Brother". ENSURE that passwords are changed often enough to ensure they have to work for their intelligence, and can't snoop at will due to lazy password security. ENSURE that we implement adequate security on our own machines and gateways, and where possible onto those machines that we can influence.

    And for those tempted to use pen a paper: DON'T. Get/make yourself a good password "system" (or a good app) and stick to it while changing important passwords regularly.

  9. Black Betty

    Re: No words in any language

    As a general rule no white-space allowed.

  10. zerowaitstate

    Re: No words in any language

    That's not exactly true. For a single character, the guesser has a probability distribution over roughly 100 symbols. There are many more words in the English language, so the probability distribution is over a much larger set. It's certainly smaller that the set of permutations of all characters that make up the word, but it's bigger than a single character, by a lot. The human brain is better at remembering words than single characters, so why not leverage that? It's only a problem if you limit the length of passwords to a small number of characters (which some systems stupidly do) or you use a password quality check that only takes into account simple things like number and type of characters typed.

    I think the point they're making here is that there are so many out-of-band ways of circumventing passwords now (due to the difficulty in remembering them), that fewer hackers are going to bother with brute-forcing hashes from a table dump, when they can just request your credit history and marketing report and use those to answer your "security questions".

    Also, Bruce Schneier pointed out that if a hacker gains access to an account, they'll use it immediately for bad things, so the 90 day window doesn't help limit the damage, either.

  11. Anonymous Coward
    Anonymous Coward

    Re: No words in any language

    I've used welsh language passwords for ages and never had a lick of trouble - on the odd occasion when I've had to document them for admin purposes the usual comments is, WTF!

  12. keithpeter

    Re: No words in any language

    Schneier's method still OK?

    Or how about a sentence used in a Playfair cypher grid for *really* important systems that are actually at risk of attack (i.e. I suppose accessed over the public Internet)? I could remember an appropriate sentence and then re-encypher it to generate the password before typing in my credentials - takes a minute. Burn the scrap paper afterwards :-)

    Coat: mine's the one with the tape recorder in the pocket and the lapel camera.

  13. Amos1

    Re: No words in any language

    How long have you worked at GCHQ? Isn't the real reason for this "advice" because it makes your job too hard when the old password no longer work?

  14. Yag

    Re: the real issue is GCHQ is too busy to keep guessing your new ones

    10 here, I sometime reset the counter to fool an eventual intruder.

    (hard to choose between "trollface" and "joke" icons)

  15. FlippingGerman

    Re: No words in any language

    I use a simple script I wrote myself, that simply generates random passphrases. Five (cryptographically secure, which is probably unnecessary) random words from a list of 40,000.

    That beats your 12 characters in complexity any day, and is far easier to remember. Something like 76 bits of entropy. Note that I do have some idea how password guessing works, having done it quite a bit for fun fairly recently.

    >>> 26**12


    >>> 40000**5


  16. Ellis Birt 1

    Re: the real issue is GCHQ is too busy to keep guessing your new ones

    While CESG are located in the GCHQ complex in Cheltenham, their role is to advise the rest of Government on information systems security.

    So this advice was issued to government departments and published for the convenience of the wider audience.

    They are not the first to make this suggestion and they will not be the last. Passwords are an imperfect security mechanism for protecting against all but a casual miscreant.

    It is better to physically secure your offices (and that Cat 5 between buildings) and use more secure access controls like two-factor authentication when remote access is necessary.

  17. hellwig Silver badge

    Too Many bad Movies

    I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad hollywood movies. You know, the kind where a password is revealed character by character. "I only need 20 more seconds, we're almost there".

    They seem to think that the longer a password is in use, the easier it is to guess. For brute-force methods, there are other ways to prevent that (login delays, maximum attempts, etc...).

    Personally, when I'm forced to periodically change my passwords, I put in a single character or digit I can rotate. Doesn't make my password more or less secure, it just means every few weeks I log in and forget I had to change that one character. The only added "security" of this system would be password getting out of synch (e.g. one site using 'password1' when a different site forced me to move to 'password2').

    Most password issues probably arise from fishing attempts or hacking databases storing unhashed passwords. Shouldn't we be more concerned with user education, password strength, and system security than rotating passwords?

  18. VinceH Silver badge

    Re: Too Many bad Movies

    'I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad hollywood movies. You know, the kind where a password is revealed character by character. "I only need 20 more seconds, we're almost there".'

    Yeah - in the world of Hollywood, the function that is called to test a password that has been input is actually the guess checking function from the game of Mastermind.

  19. Tomato42 Silver badge

    Re: Too Many bad Movies

    passwords are more likely to be guessed the more they are used; but it is offset very easily by making it longer

    the original advice of the 30-day lifetime of a password assumed a fairly simple password (essentially a single word selected uniformly at random from greatly reduced English dictionary), double the password (use two words) and the 30 days suddenly become 80 years at the same level of security

    oh, and another thing often forgot: the original advice included mandatory rate limiting on incorrect logon attempts

  20. jonathanb Silver badge

    Re: Too Many bad Movies

    I use [password_string]may16. Next month it will be [password_string]jun16.

  21. veti Silver badge

    Re: Too Many bad Movies

    I'm required to change a password every month, for a service that only allows limited length passwords (10 characters, I think, is the maximum), and has other (undocumented, naturally) limitations about what characters you can use.

    When they first issue a new user with their first password, it's by default set to "day+date", e.g. "Friday06".

    No prizes for guessing how I choose my new password each month. And I'm prepared to bet, 90% of users of this particular service do the same thing.

    Security? Don't make me laugh.

  22. werdsmith Silver badge

    Re: Too Many bad Movies

    "I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad hollywood movies.

    Or because Password Policy is built into the software, whether that be Active Directory, LDAP, Oracle or SQL Server or whatever, password expiration is often a checkbox on the account details.

    If it's there then the security audit people expect it to be used. I've had some discussions with the security people about non-expiring passwords because they don't understand that a non-user account (like one that is used for a Window Service) should not be on the auto-expiring password policy.

  23. Sproggit

    Re: Too Many bad Movies

    With specific reference to your comments regarding defense against brute force attacks... Maximum attempt limits are a great way to allow an attacker to perform a denial of service attack against the your legitimate users. And to those who are reading this and thinking that they would simply include an ever-increasing retry delay to thwart automation of this attack: remember that likely 90% of existing authentication platforms out there simply don't have that functionality... So good luck with adopting that as protection for ooh, say, your platform administration accounts...

  24. WatAWorld

    Re: Too Many bad Movies

    It used to be 8 characters was the limit.

    A previous poster suggested words from a greatly reduced dictionary.

    I don't recall words being advocated in the IBM and Univac worlds I worked in back then.

    Even back in the 1970s a mix of numbers and letters was encouraged. But there was that 8 character limit and the 30 day duration, supposedly based on the duration that would make it too likely someone would be able to brute force the password by typing.

  25. blcollier

    Best password advice I ever had?

    Generate one extremely secure (and, preferably, long) passphrase and use that as your "master". Then use a password manager to generate and store random passwords for everything that you don't consider to be a high risk (someone posting crap on my facebook account is different to someone siphoning money from my bank account) and encrypt this database using your master passphrase. For anything high-risk use your master passphrase. And use two-factor authentication where possible.

    I used DiceWare to generate a 7-word master passphrase. Ought to be good enough for a few years yet.

  26. moiety

    Re: Best password advice I ever had?

    I use an oldish tree-style app called Keynote file, portable app and it's encrypted if you tell it to be. Keep the link and other account bits together; and only using your internal links proofs you against phishing too.

    Looking for a Linux replacement if anyone has any ideas. Encrypted, definitely; tree-style with tabs would be favourite.

  27. BenDwire

    Re: Best password advice I ever had?

    Have you looked at NoteCase Pro? I've been using it since I ran Linux on my Zaurus (!) and now use it with Debian, Windows & Android. Encrypted, portable & cross platform. OK, so it costs a few beers, but it's under constant development. Worth it, in my view.

  28. moiety

    Re: Best password advice I ever had?

    That's exactly the sort of thing; but 67 euros is a bit more than I envisioned paying. Will definitely keep it in mind as a fallback option though. Thanks.

  29. Palpy

    Re: Best password advice I ever had?

    KeePassX for Linux? Used it for quite awhile. The db(s) are external to the application, though, so it's not a single file. Cross-platform and free.

  30. moiety

    Re: Best password advice I ever had?

    Dedicated password managers make me a bit nervous for some reason. There been issues with a few of them; and they all have more system integration than I'm really comfortable with. I'm probably almost alone in this; but convenience is not that high a priority for me. I'm more interested in ease of recovery and encryption in case my work machine gets nicked.

    Plus, after working that way for quite a while now I've really come to like the tree view way of doing things...I have a per-client tab with a tree of notes underneath that; with each note containing whatever I need to know about that service....means I can find anything in real-time while talking on the phone and have everything I need to know in front of my eyes before I've finished the sentence, just about. Then, I copy the password, click the link and remember the username and I'm logged into the relevant bit by the end of the next sentence. Makes you look efficient (no mean feat in my case).

    Keynote NF also has alarms you can set for a particular date; which comes in handy from time to time.

  31. werdsmith Silver badge

    Re: Best password advice I ever had?

    I use a formula, a secret and complex formula but I only have to remember the formula.

    The formula uses cues from the context of the login to construct a password, so it is always unique to that whatever service I'm logging into. If I forget the password, then I can just reconstruct it from the formula.

  32. Anonymous Coward
    Anonymous Coward

    Re: Best password advice I ever had?

    > the tree view way of doing things

    Maybe would work for you (although it's a CLI tool so no tabs). The tree of passwords is just a directory tree, one file per password, where each file is GPG-encrypted.

    Example use:

    pass -c shop/amazon

    prompts me for my GPG passphrase, decrypts the password in the first line of that file, and puts it on the clipboard for 45 seconds before removing it again.

    Subsequent lines of that file can be used to store anything you like in free text (e.g. username, account number, password recovery secrets etc)

    You can synchronize it using whatever filesystem sync tool you like (dropbox, syncthing etc) or as a git repo.

  33. Sixtysix

    Re: Best password advice I ever had?

    "I use a formula, a secret and complex formula but I only have to remember the formula."

    "The formula uses cues from the context of the login to construct a password, so ...I can just reconstruct it..."

    Sounds like me for most web logins: the only issue I have relates to the fact that some sites have nasty rules (no repeating characters) don't allow some symbols (*) or insist on lengths that do work (7<pasword>12), so I have alternates - sometimes takes three passes to work out what variant I'm coping with!

    For banking and email I stick to more secure hashes from KeyPass.

  34. Jelder

    Re: Best password advice I ever had?

    I tried that for a little while, but in too many cases ran across problems with my chosen system:

    Systems with min/max/character requirements that blocked the 'generated' password

    Systems that required changing regularly (no way to change without using a different formula)

    Once, a change in the URL

    I gave up and now use a random string generator and a secure way of saving them, but it's no use when I'm not on my main PC.

  35. moiety

    Re: Best password advice I ever had?

    @AC - That one's simultaneously too complicated and too simple for me as I have lots of other people's passwords to cope with too. Also my memory is more visual (ie, stuffed) than that. Anything that involves me remembering what to search for is not going to last.

    And using the tree/note system you can keep all sorts of other stuff in there too...the login link; both for speed and as a phishing protection. Email address/pseudonym; complete false identity for obnoxiously intrusive sites that I need for some reason; and for client stuff a list of things I need to fix/amend/whatever.

  36. moiety

    Re: Best password advice I ever had?

    @BenDwire - I've been sniffing round NoteCase Pro all day...I really like the look of it; but 67 euros is a bit traumatic in my view. Got no use for OSX and I wouldn't really use it on Android (I don't log into anything with Android). So, I was reading through the docs in my best "You'll no be having a sale then?" mode and I noticed 2 things....firstly it comes with it's own built-in synch server. Secondly -something I should have noticed right away- there's a Raspberry Pi version! I think I'm sold.

    All that remains, I suppose *glum* is to cross the lava moat, swing across the scorpion pit; dodge the rolling boulders and crowbar my wallet open while dodging the poisoned arrows.

  37. harmjschoonhoven

    Re: Best password advice I ever had?

    I will never discuss passwords - full stop.

  38. John Smith 19 Gold badge

    So if you trust the security services with your passwords – and who out there doesn't?

    As Edward Snowden has demonstrated the answer is of course in the UK the answer is no one

  39. ZippedyDooDah

    Re: So if you trust the security services with your passwords – and who out there doesn't?


  40. Anonymous Coward
    Anonymous Coward

    "my's J R Hartley!

    It would be a big help to us if GCHQ could tell us some of their passwords so that we can compare them to our own and change them if need be.

  41. RFC822


    The main reason for changing passwords periodically is to reduce the window of opportunity during which a compromised password can be exploited.

    Of course, most compromised passwords will be used immediately after they have been compromised, so changing passwords every 30/60/90 days is pretty pointless. However, the user has to remember yet another password - and is quite likely to choose a less secure one in the haste to satisfy the password-reset requirement.

    Good to see some sensible advice being provided.

  42. Eddy Ito Silver badge

    Re: Pointless

    I'd also wager that most users who are forced to change their password regularly don't change it by much to make remembering that much easier. Chances are that if their current password is Password_3 the next one will be Password_4.

  43. Paul Crawford Silver badge

    Re: Pointless

    Exactly, so once per year would leave on average 6 months to do your business over! Pointless...

    However, changing shared passwords after someone leaves (say any shared admin accounts on certain boxes that don't support more than one admin user), or following a potential compromise, make a lot of sense.

  44. dajames Silver badge

    Re: Pointless

    ... changing shared passwords after someone leaves (say any shared admin accounts on certain boxes that don't support more than one admin user), or following a potential compromise, make a lot of sense.

    Shared passwords are a problem best avoided by not sharing passwords. Every user should have a unique ID and their own password, and shared permissions should be managed at the group level.

  45. Shart Tank

    If someone has compromised your computer and stolen your password. Changing your password is just going to give them an opportunity to also steal your new password.

  46. Anonymous Coward
    Anonymous Coward

    Just so. I have owned people that way, in my yoof.

  47. Aodhhan Bronze badge

    Good effing greif.

    A password policy which requires upper and lower case and 15+ characters long is all you need.

    Anyone can be taught how to put together a passphrase they can easily remember. Make it silly, make it gross, make it rhyme, etc. Put together words from your life, hobby, little league memories.









    Have to change it in 60 days? Put a twist on it, add numbers or characters. Reverse Caps, etc.


    Really Brits... even you can learn this. Hey, another easy to remember pass phrase.

  48. Seajay#

    Re: Good effing greif.

    The fewer password rules, the better. In your examples the requirement for mixed case only adds 1 bit of entropy but it adds hassle, so drop it.

  49. Rich 11 Silver badge

    Re: Good effing greif.

    Really Brits... even you can learn this.

    You're about 20 years too late, septic knob end.

  50. Adelio

    Re: Good effing greif.

    Fine when you only have one password to remember. but for the rest of the work where we have many company passwords and who only knows how many personal on-line account passwords.

    le me think

    Twitter, facebook, Google, yahoo, microsoft cloud, ebay, amazon, paypal, netflix, plus all you on-line bank accounts (I must have at least 10) etc, etc...

    A really big hassle to remember the passwords (and other security questions) all with different rules and expiry periods.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018