
UK Spy Agency Urges Users to Make Easier Internet Passwords

Windows login screen (© Flickr / Christiaan Colen)
The UK spy agency GCHQ advises people to make their passwords less complex, contrary to its previous advice for internet users to add extra complexity in order to ward off attacks on security.

The UK intelligence agency GCHQ has published a report on internet security advising that fewer and less complex passwords should be used to improve online security, rather than ever more numerous and varied characters.

"This proliferation of password use, and increasingly complex password requirements, places an unrealistic demand on most users," GCHQ writes in the document, published in conjunction with the UK Center for Protection of National Infrastructure [CESG], a government agency which advises the UK's public sector organizations.

"Inevitably, users will devise their own coping mechanisms to cope with 'password overload.' This includes writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies."

In an about-face from its previous guidance that encouraged system owners to add complexity in order to make passwords 'stronger,' the agency writes that "the abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to 'stay secure.'"

"An important way to minimize the password burden is to only implement passwords when they are really needed," states the report, which goes on to offer a series of recommendations for the management of internet safety.

Rather than enforcing requirements for users to come up with complex character sets, it is more prudent to use technical controls such as account lockouts or throttling to defend against automated guessing attacks, says GCHQ.

"Account lockout is simpler to implement than throttling, but can have a detrimental impact on the user experience," the report cautions, and advises giving the user ten attempts to type the right password before the account is locked, which "gives a good balance between security and usability." 
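As an added illustration (not code from the report or this article) of the two controls GCHQ contrasts, the Python below implements a per-account login guard in both modes: a hard lockout after the report's ten attempts, and a throttle that doubles the wait after each consecutive failure. The class and function names, the one-second base delay and the attacker timeline are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 10  # the report's recommended lockout threshold


@dataclass
class LoginGuard:
    """Tracks consecutive failed logins per account (hypothetical helper)."""
    mode: str = "lockout"      # "lockout" or "throttle"
    base_delay: float = 1.0    # throttle: seconds to wait after the first failure (assumed)
    failures: dict = field(default_factory=dict)    # account -> consecutive failures
    not_before: dict = field(default_factory=dict)  # account -> earliest accepted time
    locked: set = field(default_factory=set)

    def check(self, account, now):
        """Return (allowed, reason) for an attempt at time `now` (seconds)."""
        if account in self.locked:
            return False, "locked"
        if now < self.not_before.get(account, 0.0):
            return False, "throttled"
        return True, "ok"

    def record_failure(self, account, now):
        """Count a wrong password; lock or extend the wait depending on mode."""
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if self.mode == "lockout":
            if n >= MAX_ATTEMPTS:
                self.locked.add(account)
        else:
            # exponential backoff: 1s, 2s, 4s, ... after each consecutive failure
            self.not_before[account] = now + self.base_delay * 2 ** (n - 1)
        return n

    def record_success(self, account):
        """A correct password clears the failure state."""
        self.failures.pop(account, None)
        self.not_before.pop(account, None)


def simulate_guessing(mode, guesses=60, interval=1.0):
    """Constructed scenario: one wrong guess against 'alice' every `interval`
    seconds. Returns how many guesses the server actually evaluated."""
    guard = LoginGuard(mode=mode)
    evaluated = 0
    for i in range(guesses):
        now = i * interval
        allowed, _ = guard.check("alice", now)
        if allowed:
            evaluated += 1
            guard.record_failure("alice", now)
    return evaluated
```

Over a constructed minute of one guess per second, lockout evaluates exactly ten guesses and then refuses everyone, including the real user, whereas throttling evaluates six and keeps the account usable once the wait expires.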

In addition, the organization advises that regular password changing, imposed by many organizations at intervals of 30, 60 or 90 days, "carries no real benefits as stolen passwords are generally exploited immediately," and users are in any case likely to choose new passwords that are only minor variations of the old.

GCHQ and CESG also recommended that organizations provide their employees with appropriate facilities to store recorded passwords, and cited a recent survey which reported that UK citizens each had an average of 22 online passwords, far more than most people can easily remember.

Despite that statistic, GCHQ has concentrated its efforts on improving security in the UK's national infrastructure organizations, rather than among the general public; in June it was reported that GCHQ and the US spy agency NSA had reverse engineered security and anti-virus software in order to obtain information about vulnerabilities in security software, and intelligence about its users. 
