Stop resetting your passwords, says UK govt's spy network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. "In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected …


  1. Paul Crawford Silver badge

    There is some sense here, you want users to have long passwords to make them difficult to guess, but easy to remember. So saying "at least 16 characters, like a few words perhaps" and not requiring stupid ratios of punctuation, numbers, and case, is likely to get them using something different to other services, and to remember it instead of putting it on a post-it note.

    Also, of course, having a bozo filter to stop "Correct Horse Battery Staple", or even "password" or "12345" and similar being used N times to fit the minimum limit...

    1. swschrad

      the real issue is GCHQ is too busy to keep guessing your new ones

      so keep using strings of cuss words, and shift-right one letter every 30 days.

      1. werdsmith Silver badge

        Re: the real issue is GCHQ is too busy to keep guessing your new ones

        I know that most people on this network, where passwords last 6 weeks, just append a number onto the same word and increment it when the change is forced.

        I'm up to 38.

        1. Anonymous Coward

          Re: the real issue is GCHQ is too busy to keep guessing your new ones

          I'm currently approaching 100 for some. I've just had the 90 expiry reminder at work. I have 12 systems to change, even the company's own products and internal systems have different logins and password rules, so the base word + increment is one way of staying sane and not getting locked out.

          Yesterday I had to sign in to the ADATA website to get access to the cloning software for one of their SSD drives. They thoughtfully confirmed my account with an email containing the plain text password I had just created. There really is no point regularly changing the locks on the doors if there's a big window open right next to them.

        2. Yag
          Trollface

          Re: the real issue is GCHQ is too busy to keep guessing your new ones

          10 here, I sometimes reset the counter to fool an eventual intruder.

          (hard to choose between "trollface" and "joke" icons)

      2. Ellis Birt 1

        Re: the real issue is GCHQ is too busy to keep guessing your new ones

        While CESG are located in the GCHQ complex in Cheltenham, their role is to advise the rest of Government on information systems security.

        So this advice was issued to government departments and published for the convenience of the wider audience.

        They are not the first to make this suggestion and they will not be the last. Passwords are an imperfect security mechanism for protecting against all but a casual miscreant.

        It is better to physically secure your offices (and that Cat 5 between buildings) and use more secure access controls like two-factor authentication when remote access is necessary.

    2. WatAWorld

      No words in any language

      It is even worse than that. Remember that to modern password cracking software a lengthy word has the complexity of a single character -- entire words are tried the way old cracking software tried characters.

      To be effective against modern cracking software, passwords must not contain within them words in any language.

      So we should be asking users to remember truly random strings of over 12 characters.

      1. CaptainHook

        Re: No words in any language

        It is even worse than that. Remember that to modern password cracking software a lengthy word has the complexity of a single character -- entire words are tried the way old cracking software tried characters.

        *****

        There are what, around 70 different symbols which are routinely allowed in passwords (upper/lowercase characters, digits, a few other ASCII characters). Even if you allow the full printable ASCII character set you only have 95 symbols which can be chosen from.

        But if you use truly random words from say the Oxford English dictionary, that allows for ~171,000 different symbols.

        A string of 8 random words, even without special characters injected in random places is multiple orders of magnitude greater than an 8 character ASCII password to brute force and much easier for a human to type in because all the characters are easy to find on a keyboard.

        The problem with words as passwords is that they are usually not chosen at random.

      2. IdeaForecasting

        Re: No words in any language

        Nonsense. With a password 'hello hot world trees' where would you 'position' the word 'hot' to crack this password? And what would you use to fill the gap between the other words in the password?

        The reality of this kind of crack would require ALL the words AND spaces to be in the correct order to work?

        1. Black Betty

          Re: No words in any language

          As a general rule no white-space allowed.

        2. Anonymous Coward

          Re: No words in any language

          I've used Welsh language passwords for ages and never had a lick of trouble - on the odd occasion when I've had to document them for admin purposes the usual comment is, WTF!

      3. Anonymous Coward

        Re: No words in any language

        That's not exactly true. For a single character, the guesser has a probability distribution over roughly 100 symbols. There are many more words in the English language, so the probability distribution is over a much larger set. It's certainly smaller than the set of permutations of all characters that make up the word, but it's bigger than a single character, by a lot. The human brain is better at remembering words than single characters, so why not leverage that? It's only a problem if you limit the length of passwords to a small number of characters (which some systems stupidly do) or you use a password quality check that only takes into account simple things like number and type of characters typed.

        I think the point they're making here is that there are so many out-of-band ways of circumventing passwords now (due to the difficulty in remembering them), that fewer hackers are going to bother with brute-forcing hashes from a table dump, when they can just request your credit history and marketing report and use those to answer your "security questions".

        Also, Bruce Schneier pointed out that if a hacker gains access to an account, they'll use it immediately for bad things, so the 90 day window doesn't help limit the damage, either.

      4. keithpeter Silver badge
        Coat

        Re: No words in any language

        Schneier's method still OK?

        https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

        Or how about a sentence used in a Playfair cypher grid for *really* important systems that are actually at risk of attack (i.e. I suppose accessed over the public Internet)? I could remember an appropriate sentence and then re-encypher it to generate the password before typing in my credentials - takes a minute. Burn the scrap paper afterwards :-)

        https://en.wikipedia.org/wiki/Playfair_cipher

        Coat: mine's the one with the tape recorder in the pocket and the lapel camera.

      5. Amos1

        Re: No words in any language

        How long have you worked at GCHQ? Isn't the real reason for this "advice" because it makes your job too hard when the old password no longer works?

      6. FlippingGerman

        Re: No words in any language

        I use a simple script I wrote myself, that simply generates random passphrases. Five (cryptographically secure, which is probably unnecessary) random words from a list of 40,000.

        That beats your 12 characters in complexity any day, and is far easier to remember. Something like 76 bits of entropy. Note that I do have some idea how password guessing works, having done it quite a bit for fun fairly recently.

        >>> 26**12

        95428956661682176

        >>> 40000**5

        102400000000000000000000

    3. Sixtysix
      Black Helicopters

      It's a trap...

      The ONLY reason they don't want passwords changed regularly is so their database of cracked passwords doesn't have to be re-cracked every 30/40/... days.

      Whilst I don't think CESG will be interested in ANYTHING I use/type/mail at my work (and have a far simpler way of accessing), I'd be *very* surprised if my personal addresses/accounts have not crossed their automated tracking: as Snowden clarified they do try to watch *everything* on the interwebs after all!

      The boredom of the content thereof is irrelevant: because my "stuff" is visible, they can hone in on drug dealers, terrorists and enemies of the state: we all know how "much" they use encryption and strong passwords eh? Right. Also, and more worryingly, they'll be able to home in on the genuine freedom fighters, oppressed peoples, press leakers, journalists and other folks validly trying to prevent their life/rights/privacy from being trampled.

      I strongly believe we who know how owe it to everyone to work against "Big Brother". ENSURE that passwords are changed often enough to ensure they have to work for their intelligence, and can't snoop at will due to lazy password security. ENSURE that we implement adequate security on our own machines and gateways, and where possible onto those machines that we can influence.

      And for those tempted to use pen and paper: DON'T. Get/make yourself a good password "system" (or a good app) and stick to it while changing important passwords regularly.

  2. hellwig

    Too Many bad Movies

    I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad hollywood movies. You know, the kind where a password is revealed character by character. "I only need 20 more seconds, we're almost there".

    They seem to think that the longer a password is in use, the easier it is to guess. For brute-force methods, there are other ways to prevent that (login delays, maximum attempts, etc...).

    Personally, when I'm forced to periodically change my passwords, I put in a single character or digit I can rotate. Doesn't make my password more or less secure, it just means every few weeks I log in and forget I had to change that one character. The only added "security" of this system would be password getting out of synch (e.g. one site using 'password1' when a different site forced me to move to 'password2').

    Most password issues probably arise from phishing attempts or hacking databases storing unhashed passwords. Shouldn't we be more concerned with user education, password strength, and system security than rotating passwords?

    1. VinceH

      Re: Too Many bad Movies

      'I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad hollywood movies. You know, the kind where a password is revealed character by character. "I only need 20 more seconds, we're almost there".'

      Yeah - in the world of Hollywood, the function that is called to test a password that has been input is actually the guess checking function from the game of Mastermind.

    2. Tomato42

      Re: Too Many bad Movies

      passwords are more likely to be guessed the more they are used; but it is offset very easily by making it longer

      the original advice of the 30-day lifetime of a password assumed a fairly simple password (essentially a single word selected uniformly at random from greatly reduced English dictionary), double the password (use two words) and the 30 days suddenly become 80 years at the same level of security

      oh, and another thing often forgot: the original advice included mandatory rate limiting on incorrect logon attempts

    3. jonathanb Silver badge

      Re: Too Many bad Movies

      I use [password_string]may16. Next month it will be [password_string]jun16.

    4. veti Silver badge

      Re: Too Many bad Movies

      I'm required to change a password every month, for a service that only allows limited length passwords (10 characters, I think, is the maximum), and has other (undocumented, naturally) limitations about what characters you can use.

      When they first issue a new user with their first password, it's by default set to "day+date", e.g. "Friday06".

      No prizes for guessing how I choose my new password each month. And I'm prepared to bet, 90% of users of this particular service do the same thing.

      Security? Don't make me laugh.

      1. WatAWorld

        Re: Too Many bad Movies

        It used to be 8 characters was the limit.

        A previous poster suggested words from a greatly reduced dictionary.

        I don't recall words being advocated in the IBM and Univac worlds I worked in back then.

        Even back in the 1970s a mix of numbers and letters was encouraged. But there was that 8 character limit and the 30 day duration, supposedly based on the duration that would make it too likely someone would be able to brute force the password by typing.

    5. werdsmith Silver badge

      Re: Too Many bad Movies

      "I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad hollywood movies."

      Or because Password Policy is built into the software, whether that be Active Directory, LDAP, Oracle or SQL Server or whatever, password expiration is often a checkbox on the account details.

      If it's there then the security audit people expect it to be used. I've had some discussions with the security people about non-expiring passwords because they don't understand that a non-user account (like one that is used for a Windows Service) should not be on the auto-expiring password policy.

    6. Sproggit

      Re: Too Many bad Movies

      With specific reference to your comments regarding defense against brute force attacks... Maximum attempt limits are a great way to allow an attacker to perform a denial of service attack against your legitimate users. And to those who are reading this and thinking that they would simply include an ever-increasing retry delay to thwart automation of this attack: remember that likely 90% of existing authentication platforms out there simply don't have that functionality... So good luck with adopting that as protection for ooh, say, your platform administration accounts...
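The trade-off the two comments above argue over (rate limiting and login delays versus lockouts that hand an attacker a denial of service) can be made concrete. The following is an added example, not code from any commenter or from the article: a hard per-account lockout next to a capped exponential backoff. Both classes, their names and their defaults are hypothetical; the clock is injectable so the behaviour can be checked without waiting.

```python
import time


class HardLockout:
    """Lock the account after max_attempts failures until an administrator
    resets it. Anyone who knows the username can trigger the lock, which is
    the denial-of-service problem raised in the comment above."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.failures = {}     # account -> consecutive failures
        self.locked = set()    # accounts waiting for an admin reset

    def allowed(self, account):
        return account.lower() not in self.locked

    def record(self, account, success):
        account = account.lower()
        if success:
            self.failures.pop(account, None)
            return
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            self.locked.add(account)

    def admin_reset(self, account):
        self.locked.discard(account.lower())
        self.failures.pop(account.lower(), None)


class CappedBackoff:
    """Exponential delay per account, capped at max_delay and forgotten after
    `window` seconds of quiet. The legitimate user is never locked out, only
    slowed to at most max_delay between attempts, while an online guesser's
    throughput collapses to a few attempts per window."""

    def __init__(self, base_delay=1.0, max_delay=300.0, window=900.0,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.clock = clock
        self.state = {}  # account -> (consecutive failures, time of last failure)

    def wait_seconds(self, account):
        """Seconds the caller must wait before an attempt is accepted; 0 means now."""
        account = account.lower()
        entry = self.state.get(account)
        if entry is None:
            return 0.0
        failures, last = entry
        now = self.clock()
        if now - last > self.window:
            # Old failures expire, so a stale attack does not punish the user later.
            self.state.pop(account, None)
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2 ** (failures - 1))
        return max(0.0, last + delay - now)

    def record(self, account, success):
        account = account.lower()
        if success:
            self.state.pop(account, None)
            return
        failures, _ = self.state.get(account, (0, 0.0))
        self.state[account] = (failures + 1, self.clock())


if __name__ == "__main__":
    # Constructed scenario: an attacker burns through guesses against "alice".
    backoff = CappedBackoff()
    for _ in range(10):
        backoff.record("alice", False)
    print(f"alice must wait {backoff.wait_seconds('alice'):.0f}s after 10 failures")
```

The backoff variant still slows the real user down while an attack is running, which is the residual cost the comment above points at; what it removes is the indefinite lock that needs a helpdesk call to clear. Neither class helps against a guesser who spreads a handful of attempts across many accounts, which needs a separate per-source limit.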

  3. blcollier

    Best password advice I ever had?

    Generate one extremely secure (and, preferably, long) passphrase and use that as your "master". Then use a password manager to generate and store random passwords for everything that you don't consider to be a high risk (someone posting crap on my facebook account is different to someone siphoning money from my bank account) and encrypt this database using your master passphrase. For anything high-risk use your master passphrase. And use two-factor authentication where possible.

    I used DiceWare to generate a 7-word master passphrase. Ought to be good enough for a few years yet.
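FlippingGerman's arithmetic above (five words from a 40,000-word list beating twelve random lowercase letters) and the seven-word Diceware master passphrase here are the same calculation. What follows is an added example, not a commenter's script or the Diceware tool itself: it draws words with the OS random source and puts numbers on the entropy claims. The word list is a constructed stand-in; only its size and the absence of duplicates matter for the figures.

```python
import math
import secrets

# Constructed stand-in for a real list. Diceware has 7776 entries and the
# commenter's list 40,000; the words themselves are arbitrary here.
SAMPLE_WORDLIST = [
    "anvil", "bishop", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "iguana", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pebble", "quiver", "raven", "saddle", "tundra", "umpire",
    "velvet", "walnut", "yonder", "zephyr",
]


def entropy_bits(symbols, length):
    """Bits of entropy in `length` symbols drawn uniformly and independently
    from an alphabet of `symbols` choices. A word drawn from a list and a
    character drawn from a charset are the same thing to this formula."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbols)


def words_for_target(list_size, target_bits):
    """Smallest number of words from a list of list_size reaching target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at a fixed guess rate; the expected time
    to hit the right one is half of this."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(wordlist, n_words, separator=" "):
    """Draw n_words with the OS CSPRNG (`secrets`). `random.choice` is seeded
    predictably and must not be used for secrets."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist has duplicates; entropy estimate would be too high")
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"5 words from 40,000:  {entropy_bits(40000, 5):.1f} bits")
    print(f"7 Diceware words:     {entropy_bits(7776, 7):.1f} bits")
    print(f"12 random lowercase:  {entropy_bits(26, 12):.1f} bits")
    print(f"8 printable ASCII:    {entropy_bits(95, 8):.1f} bits")
    print(f"7 Diceware words at 1e12 guesses/s: "
          f"{seconds_to_exhaust(entropy_bits(7776, 7), 1e12) / 3.15e7:.0f} years")
    print("sample:", generate_passphrase(SAMPLE_WORDLIST, 5))
```

The figures only hold for words chosen uniformly by a random source, which is CaptainHook's caveat above: a passphrase the user composed is drawn from a much smaller, very non-uniform distribution, and no formula on the list size applies to it.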

    1. Anonymous Coward

      Re: Best password advice I ever had?

      I use an oldish tree-style app called Keynote NF...one file, portable app and it's encrypted if you tell it to be. Keep the link and other account bits together; and only using your internal links proofs you against phishing too.

      Looking for a Linux replacement if anyone has any ideas. Encrypted, definitely; tree-style with tabs would be favourite.

      1. BenDwire Silver badge
        Boffin

        Re: Best password advice I ever had?

        Have you looked at NoteCase Pro? I've been using it since I ran Linux on my Zaurus (!) and now use it with Debian, Windows & Android. Encrypted, portable & cross platform. OK, so it costs a few beers, but it's under constant development. Worth it, in my view.

        1. Anonymous Coward

          Re: Best password advice I ever had?

          That's exactly the sort of thing; but 67 euros is a bit more than I envisioned paying. Will definitely keep it in mind as a fallback option though. Thanks.

        2. Anonymous Coward

          Re: Best password advice I ever had?

          @BenDwire - I've been sniffing round NoteCase Pro all day...I really like the look of it; but 67 euros is a bit traumatic in my view. Got no use for OSX and I wouldn't really use it on Android (I don't log into anything with Android). So, I was reading through the docs in my best "You'll no be having a sale then?" mode and I noticed 2 things....firstly it comes with its own built-in synch server. Secondly -something I should have noticed right away- there's a Raspberry Pi version! I think I'm sold.

          All that remains, I suppose *glum* is to cross the lava moat, swing across the scorpion pit; dodge the rolling boulders and crowbar my wallet open while dodging the poisoned arrows.

      2. Palpy

        Re: Best password advice I ever had?

        KeePassX for Linux? Used it for quite awhile. The db(s) are external to the application, though, so it's not a single file. Cross-platform and free.

        1. Anonymous Coward

          Re: Best password advice I ever had?

          Dedicated password managers make me a bit nervous for some reason. There have been issues with a few of them; and they all have more system integration than I'm really comfortable with. I'm probably almost alone in this; but convenience is not that high a priority for me. I'm more interested in ease of recovery and encryption in case my work machine gets nicked.

          Plus, after working that way for quite a while now I've really come to like the tree view way of doing things...I have a per-client tab with a tree of notes underneath that; with each note containing whatever I need to know about that service....means I can find anything in real-time while talking on the phone and have everything I need to know in front of my eyes before I've finished the sentence, just about. Then, I copy the password, click the link and remember the username and I'm logged into the relevant bit by the end of the next sentence. Makes you look efficient (no mean feat in my case).

          Keynote NF also has alarms you can set for a particular date; which comes in handy from time to time.

          1. werdsmith Silver badge

            Re: Best password advice I ever had?

            I use a formula, a secret and complex formula but I only have to remember the formula.

            The formula uses cues from the context of the login to construct a password, so it is always unique to that whatever service I'm logging into. If I forget the password, then I can just reconstruct it from the formula.

            1. Sixtysix

              Re: Best password advice I ever had?

              "I use a formula, a secret and complex formula but I only have to remember the formula."

              "The formula uses cues from the context of the login to construct a password, so ...I can just reconstruct it..."

              Sounds like me for most web logins: the only issue I have relates to the fact that some sites have nasty rules (no repeating characters) don't allow some symbols (*) or insist on lengths that do work (7<password>12), so I have alternates - sometimes takes three passes to work out what variant I'm coping with!

              For banking and email I stick to more secure hashes from KeyPass.

            2. Jelder

              Re: Best password advice I ever had?

              I tried that for a little while, but in too many cases ran across problems with my chosen system:

              Systems with min/max/character requirements that blocked the 'generated' password

              Systems that required changing regularly (no way to change without using a different formula)

              Once, a change in the URL

              I gave up and now use a random string generator and a secure way of saving them, but it's no use when I'm not on my main PC.

              1. Anonymous Coward

                Re: Best password advice I ever had?

                @AC - That one's simultaneously too complicated and too simple for me as I have lots of other people's passwords to cope with too. Also my memory is more visual (ie, stuffed) than that. Anything that involves me remembering what to search for is not going to last.

                And using the tree/note system you can keep all sorts of other stuff in there too...the login link; both for speed and as a phishing protection. Email address/pseudonym; complete false identity for obnoxiously intrusive sites that I need for some reason; and for client stuff a list of things I need to fix/amend/whatever.
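werdsmith's "formula" and Jelder's list of where it broke (site rules, forced changes, a changed URL) describe the deterministic-derivation approach that a few password managers implement. Here is an added example of that approach, not any commenter's formula and not a product's code: a per-site password derived from a master secret with PBKDF2, with a counter for forced rotations and a per-site length and alphabet for the rules. The function names are hypothetical, and it assumes the master secret is itself a strong passphrase and that the site label is something stable such as the registrable domain.

```python
import hashlib
import hmac
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def _expand(key, length, alphabet):
    """Map an HMAC keystream onto `alphabet` with rejection sampling, so no
    character is favoured the way a plain `byte % len(alphabet)` would
    favour the low ones."""
    limit = 256 - (256 % len(alphabet))
    out = []
    block = 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in stream:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def has_required_classes(candidate, alphabet):
    """One of every character class the alphabet offers, which is what most
    site-side 'complexity' rules actually check."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    for cls in classes:
        offered = any(ch in alphabet for ch in cls)
        if offered and not any(ch in cls for ch in candidate):
            return False
    return True


def derive_site_password(master, site, counter=0, length=16,
                         alphabet=DEFAULT_ALPHABET):
    """Deterministic per-site password. Bump `counter` when a site forces a
    change; set `length` and `alphabet` per site to fit its rules. The
    (site, counter, length, alphabet) tuple is not secret but must be
    recorded, or the password cannot be regenerated: this is the failure
    Jelder hit when a URL changed."""
    if length < 8:
        raise ValueError("length below 8 gives too little entropy")
    if len(set(alphabet)) != len(alphabet) or len(alphabet) > 256:
        raise ValueError("alphabet must be unique characters, at most 256")
    label = site.strip().lower()
    for attempt in range(64):
        # Everything that distinguishes one password from another goes into
        # the salt; PBKDF2's iteration count makes offline guessing of the
        # master from one leaked site password expensive.
        salt = f"{label}\x00{counter}\x00{length}\x00{attempt}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000)
        candidate = _expand(key, length, alphabet)
        if has_required_classes(candidate, alphabet):
            return candidate
    raise RuntimeError("no candidate met the character-class rule")


if __name__ == "__main__":
    # Constructed master secret; a real one would be a Diceware-style passphrase.
    master = "correct horse battery staple"
    print(derive_site_password(master, "example.com"))
    print(derive_site_password(master, "example.com", counter=1))   # after a forced change
    print(derive_site_password(master, "bank.example", length=10, alphabet=string.digits))
```

The scheme has the property the commenters want (nothing to store but the master) and the weakness they describe: every site's password is a function of one secret, so a weak master undoes all of them, and the per-site settings still need a note somewhere.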

          2. Anonymous Coward

            Re: Best password advice I ever had?

            > the tree view way of doing things

            Maybe http://www.passwordstore.org/ would work for you (although it's a CLI tool so no tabs). The tree of passwords is just a directory tree, one file per password, where each file is GPG-encrypted.

            Example use:

            pass -c shop/amazon

            prompts me for my GPG passphrase, decrypts the password in the first line of that file, and puts it on the clipboard for 45 seconds before removing it again.

            Subsequent lines of that file can be used to store anything you like in free text (e.g. username, account number, password recovery secrets etc)

            You can synchronize it using whatever filesystem sync tool you like (dropbox, syncthing etc) or as a git repo.

    2. harmjschoonhoven

      Re: Best password advice I ever had?

      I will never discuss passwords - full stop.

  4. John Smith 19 Gold badge
    Gimp

    So if you trust the security services with your passwords – and who out there doesn't?

    As Edward Snowden has demonstrated, the answer in the UK is of course no one.

    1. ZippedyDooDah

      Re: So if you trust the security services with your passwords – and who out there doesn't?

      trustnoone

  5. Anonymous Coward

    "my name.......it's J R Hartley!"

    It would be a big help to us if GCHQ could tell us some of their passwords so that we can compare them to our own and change them if need be.

  6. RFC822

    Pointless

    The main reason for changing passwords periodically is to reduce the window of opportunity during which a compromised password can be exploited.

    Of course, most compromised passwords will be used immediately after they have been compromised, so changing passwords every 30/60/90 days is pretty pointless. However, the user has to remember yet another password - and is quite likely to choose a less secure one in the haste to satisfy the password-reset requirement.

    Good to see some sensible advice being provided.

    1. Eddy Ito

      Re: Pointless

      I'd also wager that most users who are forced to change their password regularly don't change it by much to make remembering that much easier. Chances are that if their current password is Password_3 the next one will be Password_4.

    2. Paul Crawford Silver badge

      Re: Pointless

      Exactly, so once per year would leave on average 6 months to do your business over! Pointless...

      However, changing shared passwords after someone leaves (say any shared admin accounts on certain boxes that don't support more than one admin user), or following a potential compromise, make a lot of sense.

      1. dajames

        Re: Pointless

        ... changing shared passwords after someone leaves (say any shared admin accounts on certain boxes that don't support more than one admin user), or following a potential compromise, make a lot of sense.

        Shared passwords are a problem best avoided by not sharing passwords. Every user should have a unique ID and their own password, and shared permissions should be managed at the group level.

  7. Anonymous Coward

    If someone has compromised your computer and stolen your password, changing your password is just going to give them an opportunity to also steal your new password.

    1. Anonymous Coward

      Just so. I have owned people that way, in my yoof.

  8. Aodhhan

    Good effing grief.

    A password policy which requires upper and lower case and 15+ characters long is all you need.

    Anyone can be taught how to put together a passphrase they can easily remember. Make it silly, make it gross, make it rhyme, etc. Put together words from your life, hobby, little league memories.

    iPlayedShortstop4years

    BiebsDrivesFastCars

    TomCruiseCouchJumper

    MyNeighborHatesDogs

    MyDaughterThinksShesGod

    YellowCarsAreSoUgly

    MyBossHazaLittleWinkie

    PriusDriversScareMe

    Have to change it in 60 days? Put a twist on it, add numbers or characters. Reverse Caps, etc.

    !!TomCruiseCouchJumper@@

    Really Brits... even you can learn this. Hey, another easy to remember pass phrase.

    1. Seajay#

      Re: Good effing grief.

      The fewer password rules, the better. In your examples the requirement for mixed case only adds 1 bit of entropy but it adds hassle, so drop it.

      1. Tom -1
        FAIL

        @ Seajay# Re: Good effing grief.

        The only way that requiring mixed case can add only one bit of entropy is that the maximum password length is 2 characters. So I guess I wouldn't allow you to have any influence at all on any of my security policy.

        1. Seajay#

          Re: @ Seajay# Good effing grief.

          @Tom

          That would be true if people were creating completely random strings. If, as is suggested, they use a sentence and either capitalise or not the first letter of each word, that's only 1 bit. In fact if you force mixed case on them then they will always capitalise the first letters so your rule has actually reduced the password space.
