Stop resetting your passwords, says UK govt's spy network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. "In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected …

The advice is pretty sound, actually, even if I don't really trust the bastards giving it (stopped clocks and all that).

Forcing people to change their password every, let's say, 90 days makes it more likely they'll just stick a number at the end and increment it, which means if you break it once, you can probably break it again when the user changes it.

That gives a false sense of security, which weakens the overall system. And the forced changes themselves add to that. If you're making users update their passwords it's because you think it's more secure. The thinking is that even if their password gets cracked the intruder will only get a limited amount of time. In reality they get between 1 and 90 days, most likely somewhere in the middle. If you can find or do what you want within that sort of timeframe then you could probably never do it anyway.

It's the illusion of security, which is a weak point, and it pisses users off which leads them to be sloppy and resent any of the security stuff they have to put up with.

5
0
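The "stick a number on the end and increment it" failure mode described in the comment above, as an added example that is not part of the original post or the commenter's own code: given a previously cracked password, an attacker enumerates the obvious rotations (increment the trailing number, bump every digit, append a common suffix) before touching a wordlist at all. The hashes are constructed for the demonstration and use plain SHA-256 only to keep the code short (no real system should store passwords that way); the candidate rules are my own assumptions about common habits.

```python
# Added example (not from the original post): guessing a rotated password
# from a previously cracked one. Hashes below are constructed for the demo;
# unsalted SHA-256 is used only to keep it short, never for real storage.
import hashlib
import re
from typing import List, Optional, Tuple

COMMON_SUFFIXES = ("1", "2", "01", "02", "!", "1!", "2016")  # assumed habits


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def rotation_candidates(old: str) -> List[str]:
    """Candidates an attacker tries first after a forced reset, in priority order."""
    cands: List[str] = []
    m = re.match(r"^(.*?)(\d+)([^\d]*)$", old)   # stem, trailing number, punctuation
    if m:
        stem, num, tail = m.groups()
        width, n = len(num), int(num)
        for delta in range(1, 6):                # Summer2015! -> Summer2016! ... Summer2020!
            cands.append(f"{stem}{n + delta:0{width}d}{tail}")
    # every digit +1: HardPassword1234 -> HardPassword2345
    shifted = "".join(str((int(c) + 1) % 10) if c.isdigit() else c for c in old)
    if shifted != old:
        cands.append(shifted)
    cands.extend(old + s for s in COMMON_SUFFIXES)
    return list(dict.fromkeys(cands))            # dedupe, keep priority order


def crack_with_history(target_hash: str, old_password: str) -> Tuple[Optional[str], int]:
    """Return (recovered password, attempts) or (None, attempts) if the rules miss."""
    cands = rotation_candidates(old_password)
    for attempts, cand in enumerate(cands, start=1):
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, len(cands)


if __name__ == "__main__":
    # Constructed 'leak': the user's password from the previous rotation window.
    old = "Summer2015!"
    new_hash = sha256_hex("Summer2016!")        # what they changed it to after the reset
    print(crack_with_history(new_hash, old))    # ('Summer2016!', 1)
```

A dozen derived guesses per account is well inside any lockout threshold, which is why a rotation policy that produces derivative passwords buys nothing against an attacker who already has one of them.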
Anonymous Coward

It gets worse: if the admin is so super paranoid that they implement some way of making it very hard to simply have word+digit incremented, the users will just keep it on a sticky note on their desk... or laptops, I've seen it on laptops.

I've always been a fan of one off long passwords, or core long passwords with something either side of them.

Funniest thing is when you come across a system that complains your password is too long.

1
0

When I was doing these things I would use a phrase of over 40 characters, change that to '133t' speak, then reverse the whole thing.

Were I to run servers again I would now do something different.

(because that scheme is now public)

0
0
Silver badge

I've been saying this for a decade

This advice is from the 90s when password exploits were typically based on an attacker getting hold of the encrypted passwords and running crackers or rainbow tables against them. People weren't required to have good passwords back then so they were possible to crack.

Once you started seeing the uppercase/lowercase/number/punctuation type rules enforcing better passwords the return on investment for grabbing encrypted passwords was greatly diminished (at least for ones that protect real stuff, sites like El Reg that don't require good passwords could still have them trivially cracked, but there's no gain for anyone cracking Reg commentard passwords)

You can enforce some pretty nasty passwords if they know they are able to keep them forever, at least for several years instead of only 90 days. I've seen some places that required admin passwords be reset every THIRTY days. You are pretty much guaranteed that people will either write them down, cycle through a list of 'good' passwords they use at other places, or do something like HardPassword1234 HardPassword2345 etc. (I used the latter)

It will take another decade before this obsolete advice of frequent password resets gets removed from 'common wisdom' and checklists of generic security audits, unfortunately.

0
0
Silver badge

Re: I've been saying this for a decade

Only a decade? It's been obvious common-sense ever since the idiotic idea of frequent password changes started to creep into security policies.

0
0

the problem with password change policy:

is that it dramatically weakens those of security-aware people, and also weakens those of complete utter tools:

- security-aware people will have a completely random string, special chars, numbers, upper and lower case, no dictionary word etc .... Forcing them to change it periodically will just make them use a common prefix and an incremental number after it, like in PASS01, PASS02, etc ... All of those with a very strong PASS. This is adding 0 security to those users and in fact decreases it, due to the common prefix ... Retarded.

- tools will generally try any dictionary word they know + any number and largely write it down in order to retain it. Very low security, and largely lower security than if you allowed them their first/last girlfriend/boyfriend name. Retarded.

All of this because of the argument of someone could have spotted the password above their shoulder, which rarely happens.

I've always found those policies very detrimental to security. And this multiplies with big corporations having multiple ID systems and varying pass change period.

Again, at the end, you end up putting them all in Excel.

2
0

Agreed

Quit being foolish. If changing pwds was an easy crack then the Five Eyes wouldn't care! While you're at it just go follow NSA's advice on encryption...

1
0
Silver badge
Stop

GCHQ suggests not changing passwords!

In other news the National Poultry Association promotes Thanksgiving as a great day for turkeys to "get away from it all"

1
0

Ironic (given the subject) that no one has recalled this nugget yet

Passwords have been done to death, but as always xkcd has summarised it rather well: https://xkcd.com/936/

0
1
Silver badge

Re: Ironic (given the subject) that no one has recalled this nugget yet

Actually "CorrectHorseBatteryStaple" was mentioned in the very first comment.

1
0
Thumb Up

Re: Ironic (given the subject) that no one has recalled this nugget yet

Thank you, I was beginning to think nobody would repost that XKCD. It's almost like we've all seen it a million times.

0
0
Thumb Up

Re: Ironic (given the subject) that no one has recalled this nugget yet

Thank you, I was beginning to think nobody would repost that XKCD. It's almost like we've all seen it a million times.

Did you study the Alanis Nadine Morissette school of irony?

0
0

This post has been deleted by its author

Anonymous Coward

Well I'm not security expert or anything, but with encrypted password databases, why is this even a problem? Not that you should solely rely on password databases, but if you forget, you can lookup your strong password. There's no reason you would need to have an easy password.

As for the password database security itself. Keep five backup copies and doodle an inconspicuous strong database password down on a random piece of paper in your file cabinet. Set the database to use 2 million rounds or so and it takes a powerful computer 1 second per attempt.

And it's not only password changing policies that drive me crazy. There's just so many sites and services to register for! I have 72 accounts (that I remember)! Some of them are extremely important, but I access them maybe once a year or more. Who could remember so many strong unique passwords or strong passwords for seldom-used services? And some of these sites have password-changing policies which makes it even worse. I'm sold on password databases. You can have strong passwords for every site and service.

0
0
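The rounds-versus-time trade-off the comment above describes (on the order of two million rounds so that each guess costs about a second), as an added example that is not the commenter's setup: calibrating a PBKDF2-HMAC-SHA256 work factor against the machine it actually runs on, and what that cost means against an attacker with faster hardware. Only standard-library calls are used; the target time and the attacker's speed multiplier are assumptions supplied by the caller.

```python
# Added example (not from the original post): choosing a KDF work factor by
# measuring it on the defender's hardware instead of picking a round count by folklore.
import hashlib
import os
import time


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output (standard-library implementation)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation at this round count, on this box."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key(b"benchmark-only", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def iterations_for_target(target_seconds: float, probe: int = 100_000) -> int:
    """Scale a short probe run up to the round count that costs ~target_seconds.
    PBKDF2 cost is linear in the iteration count, so one probe is enough."""
    per_iteration = seconds_per_guess(probe) / probe
    return max(probe, int(target_seconds / per_iteration))


def attacker_guesses_per_day(seconds_per_guess_defender: float, speedup: float) -> float:
    """Guesses per day for an attacker `speedup` times faster per guess than the
    defender's machine. `speedup` is an assumed figure (GPU/ASIC advantage) the
    caller estimates; the function only does the conversion."""
    return speedup * 86_400 / seconds_per_guess_defender


if __name__ == "__main__":
    rounds = iterations_for_target(1.0)          # assumed target: ~1 s per unlock
    cost = seconds_per_guess(rounds, samples=1)
    print(f"{rounds:,} rounds -> {cost:.2f}s per guess on this machine")
    print(f"attacker 1000x faster: {attacker_guesses_per_day(cost, 1000):,.0f} guesses/day")
```

The point of the last function is the caveat behind "1 second per attempt": that second is measured on your hardware, and the attacker does not share it. A one-second unlock on a laptop is a few hundred million guesses a day for someone with a rack of GPUs, which is still enough to exhaust a weak master password; the round count buys time, the master password's entropy does the rest.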
WTF?

Why?

Would you trust some corporation, likely American, so controlled under the useless Safe Harbor Agreement with your passwords, when their sole aim is to make money out of you? I will stick with paper, thanks.

0
0
Silver badge

Bah!

Passwords would be much more secure if their use was tracked and compared with previous usage patterns, like credit cards are.

Override out-of-band lockdown with a two-factor authentication and Bob' yer muvver's bruvver.

1
0
Silver badge
Joke

What?

Have we reached Peak Postit Note?

3
0

I hate to say they are correct but periodically forcing new passwords is BS. When you do that you make them easy-to-use affairs because you have to remember them. I'd rather use a password manager generating a long unique random ASCII sequence for every logon. Then all I need do is remember a long random master password.

What I hate are websites that force me to use short uncomplicated passwords, will not allow cut and paste submissions (you try typing in a long series of ASCII), use weak crypto to secure the transaction, and for logons that may involve a cell phone you are forced to use a simple password because of the pain of typing it in on a phone and even the limited ASCII.

0
1
Anonymous Coward

Being careful, being simple.

They always say "Don't Write Your Password Down!"

They're scared, and rightly so, of the post-it note stuck to the monitor.

But that is rather different from the notebook kept in a locked desk-drawer. Although, for some purposes, that might not be a good idea.

Can password resets be the answer when the guy who authorises them fell under a bus?

0
0
Gold badge

Re: They always say "Don't Write Your Password Down!"

They are wrong. 7 billion potential attackers can't read your post-it note. (The locked drawer probably eliminates the others, as you point out, but for most domestic situations, the people with physical access to your drawers really *aren't* the threat.

2
0
Windows

Password Encrypter ?

Faced with a gazillion dictionary attacks, I wrote a crappy Javascript program that converts easily remembered passwords into a string of garbage e.g. 1234 becomes =O*02ydeOo9k etc.

You just cut and paste the encoded password. Anyhow, it works for me and my fellow admin.

Obviously, I can't post the source code, but it works on the enigma machine principle.

0
1

All very nice having 2FA and password managers till your secondary device or software stops working, then what? You're stuffed.

Rather than making employees comply with company policy regarding accessing equipment, a much easier solution, we had 2FA software fitted to the equipment log in screen. The problem was the engineers who needed to access said equipment sometimes had problems getting the 2FA software running to generate a password, so couldn't fix any issues until that was working. It got so bad some of the 2FA systems were disabled.

1
0

The Wrong 2FA Solution?

It just sounds to me like you were using the wrong 2 Factor Authentication solution.

There are many out there, but I use Lass Pass: There is an encrypted store on my laptop, and one in the cloud. So, I can access the cloud when not at my pc, and I can utilize the local datastore when I cannot get online.

For me, it works great and I would recommend it to everybody!

0
0

Re: The Wrong 2FA Solution?

That doesn't sound like 2FA to me. That's a password manager, which is completely different.

Lastpass allows you to use 2FA to log in but it isn't in itself a 2FA solution.

0
0

Sysadmins won't like it?

Sysadmins won't like it?

Yeah, sysadmins won't like it because they used to be the only people not forced to change passwords -- they won't like it because everyone will have the same privilege.

Some sysadmins.

1
0
Headmaster

Some history

Yeah, changing passwords on a monthly basis has not made sense in a long time.

A bit of history. The original premise (as told to me in 1978 or so) was that passwords were 8 characters, true on IBM mainframes of the day. It would take a month to brute force the 8 character password. (Remember, a brute force attack back then meant a lot of manual typing.) So we mandated changing passwords once a month.

1
0

What, no free GCHQ sponsored password registry?

I'm a bit surprised the GCHQ and NSA haven't gotten together to create a free password registry/manager for people, a la LastPass.

0
0

Re: What, no free GCHQ sponsored password registry?

Love me some LassPass!

0
0
Anonymous Coward

Changing passwords regularly

Makes it easier for the admin or any other staff member to impersonate others as the password will be written down somewhere the user can get to on a Monday morning.

This is from personal experience, the stuff nightmares are made of: you walk into a room and all the user credentials are posted on the monitor, on the first page of their workbook or on the desk/drawer.

Best one I saw was a user who would write his corporate username and password on the whiteboard facing his desk, that whiteboard was about eight feet from a ground floor window.

The stupid it hurts.

Don't get me started on the highest paid members of staff who think requests for passwords beyond a name or dictionary word once a decade is firing talk.

1
0
Silver badge

I work in schools.

My first act upon taking on my most recent job, for a large prestigious prep school, was thus:

- Stop the stupid automated 30-day "passwords must be reset" that generated dozens of calls every day as various people's password expired when they were off-site, so they couldn't log in remote, and wouldn't let them use any password they've used in the previous year resulting in - I kid you not - things like P4ssw0rdFeb2014.

- Stop the stupid length restrictions on AD passwords and a few other services ("You must have a secure password but hey, you can't have one THAT secure"?!).

- Actually implemented password retry limits on the remote desktop (Literally, WTF?!)

- Encourage all staff to choose a handful of REALLY DECENT passwords on the promise that I wouldn't expire them literally before they got back from half-term.

- Totally refuse to implement remote-password changing, which would have been at great expense both in money and security. You want to change your password? Come prove who you are to me rather than be some random IP on a web interface. Your password is compromised? TELL ME and I'll block everything from getting in as you, from email to access control, and then I can also check and have something to tell the Data Controller should access have been compromised.

- Print out and display the relevant XKCD cartoon, especially emphasising the bottom part:

https://xkcd.com/936/

- Once a term, stand up in the relevant staff meetings and say "Is it time to change your passwords?" and leave it at that.

Instantly, much less crap passwords, no more Post-Its stuck to work-area monitors used by particular people, much less staff stress, much fewer helpdesk calls, zero compromises, no children guessing staff passwords, much more honest staff when they think they may have revealed their password (by typing into a spam email link or whatever) and the number of password resets just "because I've forgotten it" plummets even among the children.

And the biggest complaint now? Their Apple IDs have onerous password requirements so a few of them have just changed one of their main passwords to be "Apple compliant" too.

As the first act in a new job, it generated a lot of buzz, especially from my boss (the Data Controller). At that point I dug out the relevant word of law (part of which only says "regularly", not "frequently" - once a term is regularly, as is once every ten years) and copied in articles like this from a variety of sources.

Number of queries of the policy since doing that, even from Data Controller, external audits, inspectors, governors, etc.? Zero. Reason I have the job? Last guy lost all their data, so they are crawling up my backside about everything from disaster recovery to remote compromise to cyber-blackmail to encrypting viruses. But radical password policy that means my users have more secure passwords and much less hassle? Zero.

It does help that I'm a mathematician, though, I think, so I can literally explain brute force numbers in seconds in a way they can understand. Password compromise is something that isn't affected by the length and strength of your password, and that's infinitely more likely. And brute force is much more unlikely on a random English sentence with perfect spelling and grammar than some hard-to-remember, impossible-to-write-down concoction just to satisfy having numbers in it.

6
0
Silver badge

I'm quite happy to tell users to write down their passwords and store them in their wallet/purse. Just don't write down the whole password. Pick a character (£$%*& etc.), shove that in there and remember where, but don't write that bit in.

Generally people take reasonable care of wallets and purses and even if it gets lost the restricted number of attempts will foil anyone trying to guess the password manually.

Myself I build passwords from [word1][date of reset][word2]

That followed on from a conversation with a pen tester where he outlined that it was very easy to break password hashes where a dictionary word had a number at the end.

Breaking up a word or two words with a number or symbol made it far harder to crack.

The advice from CESG follows the GDS mindset which is to place responsibility on end users. i.e. here you trust them by not enforcing password resets.

But you are trusting them to choose strong passwords, to care for those passwords and to monitor users within your environment.

Reality is that a significant number of users are lazy shits that don't give a toss and will happily have crap passwords that don't change, write them down everywhere and the management will refuse to pay for the product or person needed to monitor users.

0
0
Silver badge

Simple choices for complexity

I often hear complaints from users, both where I work and elsewhere, about how much of a pain password complexity rules are and how difficult it is to come up a new password regularly.

These complaints are annoying, not because the users don't appreciate the value of security but because using sufficiently complex passwords that are hard to guess and reasonably hard to brute force is actually not that difficult. Unless you work in government or a high-profile business that's likely to come under a well resourced/state sponsored cyber attack, you don't need a totally random sequence of numbers, letters and special characters as a password, just one that moderately powered cracking won't break in a short amount of time.

You can simply construct a password out of numbers and words that have meaning to you but are not related to the system the password is for and wouldn't be immediately obvious to others.

For example the name and extension number of someone you call regularly at work, maybe your boss, might well be quite memorable, giving something like Richard8417. While it would make a terrible password for work systems, it wouldn't be too bad for an unrelated personal email account or bank login. At work perhaps your father's date of birth and your mother's middle name, giving you something like 2608Nancy.

For an extra bit of complexity throw in an exclamation mark; 2608!Nancy would be relatively difficult to crack but have significant meaning to you to make it memorable, and unless the person trying to crack your work account has detailed personal background information on you to help the process along this should be secure enough.

If you can remember them, post codes (zip codes) can be useful password components.

Passwords made of memorable components can be secure enough for most purposes as long as you pick ones that have no relevance to the system the password is for or better yet are quite obscure, such as the phone number/post code of somewhere you used to work 10 years ago, or your old school, house you grew up in but haven't lived at for some time etc.

This level of complexity, combined with a password lockout policy to prevent sustained brute force attacks, should be more than enough for most purposes.

0
0
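The "restricted number of attempts" from the wallet comment above and the lockout policy this comment ends on, as an added example that is neither commenter's code: a per-account throttle that locks the account once a failure threshold is reached and doubles the lock time for each further failure, plus a simulated online guesser to show what that does to the guess rate. The threshold, base lock and cap are assumed values; a real deployment would also key on source address, exempt nothing silently, and log every lockout so the helpdesk can tell a forgetful user from an attack.

```python
# Added example (not from the original posts): account lockout with
# exponential backoff, and a simulation of an online guesser against it.
import time
from collections import defaultdict
from typing import Callable, List, Tuple


class LoginThrottle:
    """After `threshold` failures lock for base_lock seconds, doubling per extra
    failure up to max_lock. The numbers are assumptions; tune to your helpdesk."""

    def __init__(self, threshold: int = 5, base_lock: float = 30.0,
                 max_lock: float = 3600.0, clock: Callable[[], float] = time.monotonic):
        self.threshold, self.base_lock, self.max_lock = threshold, base_lock, max_lock
        self.clock = clock                       # injectable so tests need no real time
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def allowed(self, account: str) -> bool:
        return self.clock() >= self.locked_until[account]

    def record(self, account: str, success: bool) -> None:
        if success:                              # a good login clears the counter
            self.failures[account] = 0
            self.locked_until[account] = 0.0
            return
        self.failures[account] += 1
        extra = self.failures[account] - self.threshold
        if extra >= 0:
            lock = min(self.max_lock, self.base_lock * 2 ** extra)
            self.locked_until[account] = self.clock() + lock


class FakeClock:
    """Deterministic clock so the simulation runs in no real time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_online_attack(throttle: LoginThrottle, clock: FakeClock, account: str,
                           guesses: List[str], correct: str) -> Tuple[int, float]:
    """Attacker submits one guess per second and waits out any lock.
    Returns (guesses checked, simulated seconds elapsed)."""
    checked = 0
    for guess in guesses:
        while not throttle.allowed(account):
            clock.advance(1.0)
        checked += 1
        ok = guess == correct
        throttle.record(account, ok)
        if ok:
            return checked, clock.now
        clock.advance(1.0)
    return checked, clock.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    wordlist = [f"Password{i}" for i in range(10)]          # constructed guesses
    print(simulate_online_attack(throttle, clock, "alice", wordlist, "2608!Nancy"))
    # (10, 935.0): ten wrong guesses cost the attacker ~15 minutes instead of ten seconds
```

Note what the throttle does and does not do: it makes an online guess against one account expensive, so a memorable but non-random password survives someone who found the wallet. It does nothing for an offline attack on a stolen hash database, which is the case the other comments about cracking are discussing, and a fixed long lockout also hands an attacker a denial-of-service against any account name they know.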
Bronze badge

Re: Simple choices for complexity

I for one like old car reg numbers mine and my Dads going back decades. Chuck in a few !s and $ or £ if you prefer and Robert is indeed your Mothers brother. PP

0
0

Blame the user as usual

Instead of continuing to blame the users, the industry should spend time and money developing proper security systems. Biometric are good but some dna or quantum approach would be better

0
2

Stop blaming the users

GCHQ and the IT industry have a long history of blaming users for lapses in security. The industry needs to develop real security. Biometrics are a start but DNA or some quantum approach would be better.

0
1
Silver badge

Re: Stop blaming the users

DNA, fingerprints and other biometric security are actually terrible ideas. Entry level to mid level fingerprint scanners are unreliable, and prone to getting dirty and being inaccurate and/or are easy to fool; anything decent is expensive. DNA is impractical as with current technology, and anything we're likely to have in the foreseeable future, it would simply take too long to authenticate.

Some fingerprint scanners can also be fooled with fingerprints copied onto paper or other material, do you know of any good mechanism for resetting your fingerprints once they've been compromised like you would with a password?

Putting aside the practicalities of implementation for a moment, do you really want to secure valuable things using your DNA or fingerprints? If it's valuable enough you're just encouraging someone to remove your fingers or blood which is both bad for you and not terribly secure since fingers are far more easily broken than a complex password.

Also at least with passwords you can either hand them over and potentially not be harmed, or lie to the person trying to get it from you (not necessarily a good idea but it's an option).

Reliably extracting data from someone's mind is next to impossible; as much as the security services would like you to believe torture (sorry, enhanced interrogation) is effective, it often isn't and could easily lead to death before the correct information is retrieved.

As for a "quantum approach" , what form do you envision that taking? Sure quantum computing could open up some more advanced avenues of encryption but strength of encryption is rarely the main security issue these days, but the nature of the key used to unlock it whether that be a password/passphrase or physical key of some sort. These can all be cracked/lost/forgotten/stolen etc.

The real future (and even present) of secure authentication is two (or higher) factor authentication, whether that be multiple code entries or physical factors like RFID/smartcards.

1
1
MJI
Silver badge

When I got forced to change regularly

At a previous job.

I resorted to the Platform 5 book of passwords (OK loco spotting book)

Started at Dreadnaught and worked up. If they needed numbers I would have added the 5 digit number

0
0

Guilty

At work we have a forced password reset on the network every three months, and I am guilty of using an incremental system most of the time, and only change the base password occasionally.

That being said....

I do have unique passwords for every single site I access. Passwords consist of a base password and something unique to each site. Base password is phrase along with special characters, caps and numbers. So if my phrase was "Hickory dickory dock, the mouse ran up the clock" I would use something like:

Hdd88,tMrutC!

No words, random, but not difficult to remember. Not a perfect solution but has worked for me.

0
0

I have gotten in to the habit of checking if a new password I want to use is in rainbow tables before I use it.

Way I see it, its the best test for bruteforce testing my password before use.

Cant remember the rainbow table I use, but I do know it has the passwords lifted from many hacks (Sony included I think).

Looking through the list of passwords can be a very interesting and eye opening experience!

0
0
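Checking a candidate against a leaked-password list, which is what the comment above describes, as an added example that is not the commenter's procedure: the candidate is hashed locally, only the first five hex characters of the hash go to the lookup, and the match is made on the returned suffixes, so whoever holds the list never sees the password or its full hash. The breached list here is a constructed handful of entries, not a real dump, and the "server" is an in-process function standing in for a remote range lookup.

```python
# Added example (not from the original post): k-anonymity style check of a
# password against a leaked-password corpus. The corpus is constructed.
import hashlib
from typing import Dict, Set

# Constructed sample of a leaked-password list; a real one has hundreds of millions.
BREACHED_CORPUS: Set[str] = {
    "password", "123456", "qwerty", "letmein", "Summer2015!", "P4ssw0rdFeb2014",
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_range_index(corpus: Set[str]) -> Dict[str, Dict[str, int]]:
    """List holder's side: 5-hex-char prefix -> {35-char suffix: times seen}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in corpus:
        h = sha1_upper(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Stand-in for the remote lookup: it receives only a 5-char prefix and
    returns every suffix in that bucket, so it cannot tell which one the
    client wanted."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex chars")
    return dict(index.get(prefix, {}))


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not seen)."""
    h = sha1_upper(password)
    suffixes = range_query(index, h[:5])
    return suffixes.get(h[5:], 0)


if __name__ == "__main__":
    idx = build_range_index(BREACHED_CORPUS)
    for candidate in ("password", "Summer2015!", "correct horse battery staple 7q"):
        verdict = "breached" if breach_count(candidate, idx) else "not in list"
        print(f"{candidate!r} -> {verdict}")
```

The reason for the prefix dance is that pasting a prospective password into someone else's web form is exactly the habit the rest of this thread is warning against; with a five-character prefix the service learns only that you are interested in one of a few hundred hashes, and a password that comes back with a count of zero has at least not already been cracked for you.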

The obvious way to generate an easily remembered password which nobody is ever going to crack is to change your keyboard to something like Arabic or Kanji in your settings and then type in your easy to remember password (eg password01_&) and your password is guaranteed to be uncrackable gibberish.

Of course that does depend on the service supporting Unicode.

0
0

I'm going to have fun typing that password on my phone...

0
0

Stop blaming the users

The real issue is that the IT industry should devise some other means of security than forcing us to invent and remember increasingly ridiculous passwords which we have to change, apparently at the whim of power-crazed sysadmins. So why not devise an approach based on biometrics or dna or quantum mechanics. The present system is yet another example of the IT industry's distressing tendency to blame the users for its own failings.

0
1
Silver badge
Devil

Ideal password to defend against being forced to reveal it

"OverMyDeadBody...Bitch!"

Useful against customs agents, police, muggers, kidnappers etc.

0
0

Why do sysadmins know that the users are using weak passwords? If the passwords are visible in the clear then the sysadmins are not doing their job properly.

0
0

Mainframe and other legacy telnet apps have allowed sysadmins to have access to plain text password files. More modern apps (for the past 15 yrs) don't allow that.

0
0
Silver badge

Why do sysadmins know that the users are using weak passwords?

They run straightforward brute force attacks or use rainbow tables on the hashed databases and examine the others. Either way they find a great many weak ones.

And yes, some system developers (not mainly the admins, who don't control it) have thought for some reason that hashing or encrypting the passwords is unnecessary or too much work.

0
0

I have been in the back of several bank branches and can tell you their passwords are generally not that great, they put their passwords on sticky notes on the screen in case someone else needs to use the computers.

A business will say that they want security, but they will do little to help the staff deliver on it, then that forces staff into situations where they are doing wrong just to make it through the day.

I use basic throw-away passwords on many things, but it irks me how I can go to a site that will ask for a password and I will put in a 22 digit password that it rejects (8 digits are "words") due to not being secure enough, yet "FekY0u" will get a huge green tick and say "Thanks! for picking a secure password"

Perhaps the truth here is all a bit more logical.

They are finding that the rainbow tables are too big to store on a single USB stick that can be left on a train, so they are trying to get users to stop that from growing.

0
0

Use Password Manager S/W

This advice is ridiculous.

Any organization, even any individual, who is not using Password Management software is begging for problems. Use this software, auto-gen and rotate your passwords routinely and have them saved in this sort of app, and then use a single, complex password with multi-factor authentication to access your datastore. It doesn't get any better than this.

0
1
jzl

Re: Use Password Manager S/W

"use a single, complex password with multi-factor authentication".

This is what they're saying.

Why is it good when you say it, but bad when they do?

0
0
jzl

Ad Hominem

Advice stands on its own, independent of the giver. If it is good advice, it is good advice. If it is bad, likewise.

This is good advice, regardless of who is speaking.

1
0

Biting the hand that feeds IT © 1998–2018