back to article Stop resetting your passwords, says UK govt's spy network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. "In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected …

FAIL

@ Seajay# Re: Good effing greif.

The only way that requiring mixed case can add only one bit of entropy is that the maximum password length is 2 characters. So I guess I wouldn't allow you to have any influence at all on any of my security policy.

0
0

Re: @ Seajay# Good effing greif.

@Tom

That would be true if people were creating completely random strings. If, as is suggested, they use a sentence and either capitalise or not the first letter of each word, that's only 1 bit. In fact if you force mixed case on them then they will always capitalise the first letters so your rule has actually reduced the password space.

0
0

My work organization forces us to change passwords every 90 days. It also enforces rules that make tend to make the passwords we use hard to remember, forcing limits on character reuse, sequences, and requirements for special characters. It also won't let us reuse any of our past *ten* passwords, and it can tell if you are just making small adjustments. Password_1 going to Password_2 won't fly.

I sort of see the point. It is, after all, the password associated with our core corporate identity. We use it to sign in to just about everything, often including systems where we have privileged access. So nicking the password of the right people would be very powerful. Still, even half of 90 days is a long time to have someone's password, and most of the ways of getting it (malware installed via phishing) would probably be able to get the new one even if it was reset.

We can't install our own software on our PCs (for good reason) and there's no company package for a password manager. (There ought to be, IMO.)

I ended up finding a password pattern that I could memorize (through mnemonics) that met the password requirements. I also figured out how to mutate it very slightly each time I have to update it in a way which passes the history limits and is easy for me to keep track of.

I honestly have no idea what most people at my company do to manage their passwords. I'd bet money an awful lot of them write them down. Some I know are probably smart enough to use good password managers on their personal phones.

2
1
Silver badge

"and it can tell if you are just making small adjustments. Password_1 going to Password_2 won't fly"

Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no.

13
1
gv

Unless you have an elephantine memory, the "ten" passwords rule kind of forces you to write down the previous passwords just to cut down the time required when typing in the new password.

3
1

"Doesn't this mean that they are storing previous passwords in plaintext?"

In a word, no.

You enter "Password_4".

System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist.

10
0
Silver badge
Happy

@zanshin

My employer has a similar 90 day policy.

I find it easiest to keep the first half of the password constant and the second half the name something current to me.

I ran through work/rest/play as the 2nd half over most of 1 year, closed out the year with mars....

I've found I can revert to the start of the password list every time I get a new laptop though so it must be local hashstore rather than at network level.

2
0
Bronze badge

Sixty day rule for me.

Apart from the system that is 30 days.

And the other one that is 89 and it's sister sytem that is 90.

I counted it up - 18 different passwords. Some of which are never changed. I used to try and change them all when the 30 day one was up to keep them in synch, but the rules are different and some can only be changed once a day (so if you get to system 7 and find your carefully chosen password is not permitted, system 6 can't be changed until tomorrow). Then they made them different lengths anyway.

Oh and they're all only accessible within a VPN...

PS there's no such thing as a secure password manager on a smartphone...

3
0
Silver badge

We use it to sign in to just about everything, often including systems where we have privileged access.

If your employer's passwords are regarded as so corplife-threatening as to need such an elaborate vetting process, why not ditch them altogether and switch to a 2FA system? Much more secure.

Its not as if the 2FA tokens are all that expensive (if they were, the banks wouldn't hand them out like candy) or even that new: the GMP were using 2FA logins back in the late '80s, so if plod can handle 2FA then any PHB should be able to get his head round it too.

1
0
Silver badge

"In a word, no.

You enter "Password_4".

System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist."

Good point, I didn't think about that. OK, ignore my statement.

1
1

@Joe 35 :

"...You enter "Password_4".

System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist."

A nice solution. Though I admit, I'd probably just switch to PasswordJan, PasswordFeb, etc.

0
0
Silver badge

Re: @zanshin

"I ran through work/rest/play as the 2nd half over most of 1 year, closed out the year with mars...."

Deep and fried for the start of the next year?

2
0
Silver badge

"if they were, the banks wouldn't hand them out like candy"

And about as effective in the case of the one I was given.

0
0
Anonymous Coward

45 days...

...and a ridiculously complicated set of rules for new passwords at one of my recent clients' organisation.

But: As long as you know anybody's username (surname and initials will do), you can just call helpdesk and ask them to reset your password. They will gladly tell you the new one over the phone right away.

2
0
Silver badge

@Joe 35 :

"...You enter "Password_4".

System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist."

A nice solution. Though I admit, I'd probably just switch to PasswordJan, PasswordFeb, etc.

It's not a good solution though is it? It reveals that the password hashes aren't salted which is crap, and if they were then this wouldn't work.

1
1
Anonymous Coward

> Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no.

Not *necessarily*. For example: when you set your original password, they could also hash 1000 different forbidden variations of that password and store those 1000 hashes.

Bet you they don't though :-)

But more importantly, some common authentication systems *require* the plaintext password to be stored server-side anyway: Kerberos (and hence Active Directory) is the main example. It's fundamental to how it works.

Sure, it's an obvious point of attack, but every system has points of attack - as long as you know where those points of attack are you can take the appropriate precautions. And if your authentication server is compromised, you are toast anyway.

1
0
Anonymous Coward

> It's not a good solution though is it? It reveals that the password hashes aren't salted which is crap, and if they were then this wouldn't work.

Looks like somebody doesn't know how password salts work.

The password salt is itself stored in the password file - in plain text. If it weren't, it would be impossible to verify a password by comparing

hash(salt + presented password) = stored_hash = hash(salt + original password)

1
0
Roo
Silver badge

"Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no."

They don't have to store them in plain text, salted hashes will do.

0
1
Silver badge

> System sees last digit is a number, replaces that number with n-1, generates hash result...

Surely they just store the last 10 hashes?

0
1
Silver badge

Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no.

Not really. It means that the system has to store the previous passwords -- not necessarily in plain text -- but not the current password. If the system is successful in ensuring that the passwords are appreciably different then having access to the password history won't significantly compromise the current password.

The password history can be salted and stored using a key accessible only to the system -- or using (say) a hash of the current password -- so it needn't be easily attackable in any case.

0
0
Silver badge

You enter "Password_4".

System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example)

I seriously doubt that anyone would bother to code a check for such a specific incremental password change. The user could just as easily change Password_3 to pAssword_3 or Passwor_d3 or Password*3 or Qassword_3 or ...

No. If you're going to compare a putative new password against a list of old ones you need some way to recover those old passwords in clear. That doesn't mean that they have to be stored in clear, though.

0
0
Silver badge

The password salt is itself stored in the password file - in plain text. If it weren't, it would be impossible to verify a password by comparing

Exactly so.

The purpose of a salt is to ensure that if two different users coincidentally choose the same password they don't generate the same hash. There is no requirement that the salt be secret, just that it be different for each user. That prevents rainbow table attacks, among others.

0
0
Anonymous Coward

Does it cope with n+1 , going from password100 to password99, or password90 to 92, or adding a char at the end? Users always seem to find a way around these things.

0
0
Anonymous Coward

Similar with the company I work for.

What I have done is just add a number on the end of the password. The clever bit is that I do it in words. So eg. PasswordOne, PasswordTwo. The sneaky bit is that I do the numbers in a foreign language!

0
0
Anonymous Coward

There's also the old keyboard finger shift where Password_2 becomes {sddeptf+3. It's a simple matter of wrapping around when you get to one side of the keyboard or an illegal character.

0
0
Silver badge
Happy

Re: "Deep and fried for the start of the next year?"

Nah, I had moved into a Suzanne Vega phase by that point -

Blood

Makes

Noise

0
0

That would work but mostly they are not that sophisticated and simply compare the new password with that current one that you have to enter as part of the password change function.

0
0

12345

That's the combination for my luggage!

2
0
Thumb Up

Bruce Schneier

The security guru Bruce Schneier agrees that password changing is generally a bad idea.

As does Microsoft.

10
2

Re: Bruce Schneier

I think it was about 20 years ago that I first read the advice to pick a good password and stick with it, probably from Schneier. I think the length of a "good password" has probably increased since then, but I believe the principle is the same. Pick something you can remember that is hard for others to guess, whether by brute force or by picking at your life details. For passwords I control, I use a strong multiword passphrase from a generator if I want to be able to remember it at the keyboard, and randomly-generated strings in a cross-platform password manager for credentials I just want to be able to copy/paste. I turn on 2FA if it's available. I don't store passwords that I don't control in my manager, as I don't want that responsibility in the event my manager is somehow compromised. I read many analyses before picking a password manager program that had the features I want. I think I've achieved a balance of security and convenience that works for me.

(Note: I specifically am not commenting on which safe I use, since this is about security principles, not particular software implementations. Schneier wrote his own manager, and there are many others.)

1
0
Silver badge

Re: Bruce Schneier

So what do you use for passwords that you'll have to type into a phone (perhaps via a terminal app) ? Long, mixed-case passwords are especially difficult to type.

2
0
Silver badge

Re: Bruce Schneier

> Long, mixed-case passwords are especially difficult to type.

They also slow you down. It's worth choosing a password where the "difficult" (e.g. shift+letter) stuff is a single character at the start of the password. (There are plenty of unshifted symbols available for the rest of the password, after all.) Then you can type the rest of the password (relatively) quickly/easily.

0
0

Re: Bruce Schneier

Me, I never type any password into a phone for anything important.

But I use a password safe and good old copy'n'paste if I do need to type a password on my phone.

So despite the Reg's sarcasm, I actually think that the advice is sensible. I use 12-char randomly generated passwords and a password safe.

0
0
Gold badge

I'm quite good at remembering passwords, so this may not work for other people. But I pick themes. I have a simple password for sites like El Reg, where I don't particularly care if I get hacked. Although perhaps the pain of 1,000 downvotes when my hacker fills the site with campaign ads for Donald Trump will change my mind?

But when I was being forced to reset them for work regularly, I could pick the Persian Wars of the 5th Century BC. You've then got Platea, Thermopylae, Xerxes, Marathon to play with. Nice unusual letters, but obviously vulnerable to dictionary attacks. But I can remember the capitalisations and breaks introduced into the words to split them up once I've remember the word - and there's only a limited number of words to pick from. So I can remember what I've done, and it's easy to find a new password at short notice. Then pick a new historical event, or theme (say types of sportscar) - once you've mined the previous one.

I could use a password manager, but I don't trust them. They seem like a dangerous single point of failure to me. Two factor authentication on the bank and hope for the best.

0
1
Silver badge

I use different levels of password for different things.

The Reg:

Do they have my credit card? No.

Can someone take my account and wreak havoc with it? No.

Do I need trust The Reg to adequately secure their passwords with hashes, etc.? Yes.

So a level 2 password it is. Quite simple, not guessable, not especially onerous, and shared with other Level 2 sites.

When it comes to online banking, not a chance that's it a guessable password even if you knew my life in intimate detail (randomly generated string of characters from my own script, run a hundred times, one password chosen at random, memorised and then the list destroyed), shared only with sites that present exactly the same kind of hazard (e.g. PayPal with the same banking information plugged into it).

When it comes to rubbish untrusted forums that I had to sign up for to download a bit of freeware or whatever? Junk that even if compromised would only get you into junk of the same level anyway.

Once you have that set of passwords, it's then not hard to fathom - first time - what password you would have used based on the service you're trying to log into. And, worst case, a handful of guesses of the LOWER LEVELS (wouldn't try the banking passwords on what is just a forum, for instance, just in case it was being recorded) would get you there. And nothing of interest is shared with stuff likely to see compromise. And compromise on one gets you no more power on anything else with that same password.

Don't trust password manager software at all (even if I could write it myself, a person trying to implement their own encryption even using popular libraries is like someone trying to represent themselves in court - they have a fool for a client).

And two-factor anywhere that I can see the use of it (e.g. banking, a very expensive Steam account, Google services, etc.).

1
1

This post has been deleted by its author

Gold badge

Generating random passwords is easy. All you need is some combination that's not in the dictionary and is quite long. If someone's got a rainbow table for all passwords up to 20 characters long, then you're stuffed whatever you do - and however well generated it is. Otherwise it doesn't really matter, within reason.

Personally I'm unlikely to remember total randomness (or even an approximation of it). But a short, non-grammatical phrase with random capitalisation, the odd special character and words spelt wrong, mis-ordered and interrupted should be good enough.

0
0

This post has been deleted by its author

Anonymous Coward

It would be nice if we had a dedicated password manager device with little to no communication abilities (NFC at best). One of the most risky aspect about password managers is that you run the software on your potentially compromised computer. But a dedicated device that is practically off the grid with immutable operating system and encrypted password database along with its own user interface seems like it would be more secure.

0
0

P@ssword1

Next month P@ssword2

0
0
Big Brother

Schizoid tendencies at The Register?

It's a shame El Reg didn't apply this level of cynicism to yesterdays "Lets all go back to playing 'pretend NIST isn't an NSA front' again" "article" where it might have actually been warranted. Trying to make up for it today Reg?

http://www.theregister.co.uk/2016/05/04/nist_readies_postquantum_crypto_competition/

Need a schizoid tendencies icon -->

Poor old Snowden. "Burnt his life to the ground" for absolutely sweet FA.

2
2
Silver badge

Requisite "The Princess Bride" reference:

"It is inconceivable that..."

"I do not think that word means what you think it means."

3
0

"The idea behind automatically and regularly resetting your password is pretty obvious: it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers."

Yes, that's the *idea*. It's also completely idiotic.

The "achieved goals" are only the goals *intended* to be achieved. The policy in no way acts to ensure that those goals are *actually* achieved.

1. Historical password information rendered useless.

Not if the user is adopting some date related component with an otherwise fixed password. e.g. xxxxxxxxxAPR2016. If you have someone's historical password then you can easily predict what their current password might be - just change the date component until you hit pay-dirt. (Numeric components, just keep increasing the numbers or - if you have a particularly creative user - decreasing them)

2. Forces users to think periodically about security.

NO! You might like to THINK this is what is happening, but all it forces is an awareness that there is an annoying security policy. This in no way guarantees what thoughts that awareness will then result in. In most cases the thoughts will not be "Hmmm, now I must carefully devise a new, secure password". It will in most cases be "Goddamit not again". Followed by an entirely though-free process of mechanically applying the algorithm the user has devised to generate a new password that satisfies the policy with the minimum of effort on their part. After all, this is just something that is getting in the way of their doing the things they actually want and/or need to do and which they want to deal with as quickly as possible. Rigor and diligence are simply not a factor, let alone any really serious consideration of security.

3. Increases the likelihood that users will not use the same password on different services.

There might be SOME element of truth in this one, except that being forced to routinely change their password by one service, the chances are high that they will simply incorporate their "normal" password (the one they use on all the services that do not force them to change it) in the rotating password that they use for the ones that do. If the password reset cycles are not in sync this in turn further increases the likelihood that the variation they adopt will be some date based formula, since this allows a user to make a good guess at a forgotten password within the common "3 strikes" window of opportunity (the month they think they last changed their password then one.month either side).

4. Creates a moving target for hackers.

Wrong. This final "conclusion" is predicated on an idealistic scenario arising and the previous 3 goals all having been met because the user is aware and complying with the expected, ideal behaviour laid out in those 3 goals.

In reality the "moving target" is likely to be just a shuffling target. Barely moving at all (and worse: moving in a highly predictable fashion).

People are not cogs in a machine that will behave the way that the designers of the machine want.

27
1

Could not agree more. In fact any business which considers its security so crucial that permanent passwords are not acceptable, should not depend on passwords at all. Period. Token authentication or 2-factor authentication are far more secure and far less bothersome than passwords which need to be reset every x days.

4
0
Anonymous Coward

Its not unreasonable for someone to set a good password once or twice but if asked to do it every month it becomes a problem, and people are good at solving problems.

The only time passwords need to be changed regularly is if they are shared and you need to keep the pool of people who know it under control.

6
1
FAIL

You are a hacker's wet dream, every single one of you!

Are you saying you're an IT "pro" and you agree with this nonsense of single password, or other English dictionary words with some added "specials" on top? And you think that's secure, or you're a low-level target, so why bother setting a good password at all? Wow, pretty disappointed with what I'm reading here today from people who dare call themselves IT pros. Fucking disgraceful! Shame on the whole bloody lot of you! The hackers have won, and it's your own fault, you lazy stupid asshats.

Here's the real deal; this "advice" would have been better served up in 2005. If you're a IT "Pro", and you're not already using your own password generator, or using completely random strings... shame on you, idiot. Two factor when and where possible. Natch.

I guess to be fair you have a right to set your own security expectations lower, just like at your little site. Yes, your tiny brain hurts SO MUCH when you add that third password! Seriously, if you can't remember a few random strings, perhaps you need an easier job like a Starbucks Barista? Then you don't even have to remember your customer's name, you write it down and a fucking plastic cup. Then look up the recipe for the drinks you also can't remember... Hey, I just solved all your IT password problems! You're fucking welcome. Now, get the hell out of IT before someone who knows what their doing figures out that you don't. Bus wankers!

Don't bother replying, I'm already miles ahead of you by now, and I already know what you think, and it's not very clever. Just play catchup and see if you can spot my arse out in the distance in front of you...

2
28
Gold badge

Re: You are a hacker's wet dream, every single one of you!

"Seriously, if you can't remember a few random strings..."

Much as I regret replying to such obvious trolling, I feel strangely compelled to note that I have roughly 100 different passwords covering my various online activities. I have better things to do with my brain than remember that lot. If you don't, then you have my sympathy, but not much since you are clearly a bit of a sociopathic twat.

28
0
Silver badge

Re: You are a hacker's wet dream, every single one of you!

I don't think it's trolling, I think it's just a massive ego out of control

2
0
Roo
Silver badge
Windows

Re: You are a hacker's wet dream, every single one of you!

"Here's the real deal; this "advice" would have been better served up in 2005. If you're a IT "Pro", and you're not already using your own password generator, or using completely random strings... shame on you, idiot. Two factor when and where possible. Natch."

Sadly "completely random strings" are not possible on the majority of systems folks use, simply because of the ever-tightening constraints on what characters you can use in a password and the order they are in. Not only that but there are still a lot of systems out there that don't validate more than "n" characters of a passphrase anyway. :(

You really should get out more before deciding everyone is an idiot.

2
0
Anonymous Coward

I trust the spooks!

as much as I trust the government and the banks. It's a solid, permanent, unwavering, stable and constant level of trust that's every easy to remember due to its simplicity.

4
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018