14:39 GMT +3, 20 September 2019
    Windows login screen

    UK Spy Agency Urges Users to Make Easier Internet Passwords

    © Flickr/ Christiaan Colen

    The UK spy agency GCHQ advises people to make their passwords less complex, contrary to its previous advice for internet users to add extra complexity in order to ward off attacks on security.

    The UK intelligence agency GCHQ has published a report on internet security advising that fewer and less complex passwords should be used in order to increase security online, instead of adding more and varied characters in a bid to raise security.

    "This proliferation of password use, and increasingly complex password requirements, places an unrealistic demand on most users," GCHQ writes in the document, published in conjunction with the UK Center for Protection of National Infrastructure [CESG], a government agency which advises the UK's public sector organizations.

    "Inevitably, users will devise their own coping mechanisms to cope with 'password overload.' This includes writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies."

    In an about-face from its previous guidance that encouraged system owners to add complexity in order to make passwords 'stronger,' the agency writes that "the abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to 'stay secure.'"

    "An important way to minimize the password burden is to only implement passwords when they are really needed," states the report, which goes on to offer a series of recommendations for the management of internet safety.

    Rather than enforcing requirements for users to come up with complex character sets, it is more prudent to use technical controls such as account lockouts or throttling to defend against automated guessing attacks, says GCHQ.

    "Account lockout is simpler to implement than throttling, but can have a detrimental impact on the user experience," the report cautions, and advises giving the user ten attempts to type the right password before the account is locked, which "gives a good balance between security and usability." 
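As an added illustration of the two controls the report contrasts (this is constructed example code, not from GCHQ's document or the article), the following sketch tracks failed logins per account and applies either a ten-attempt lockout or an exponentially growing delay; the threshold, the base delay and the pluggable clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10   # the report's suggested lockout threshold (assumed to be per account)
BASE_DELAY = 1.0    # seconds; the throttle doubles this after every failure (assumed value)


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0   # earliest clock reading at which another attempt is accepted


class LoginGuard:
    """Tracks failed logins per account and applies either lockout or throttling."""

    def __init__(self, mode: str = "lockout", clock=time.monotonic):
        assert mode in ("lockout", "throttle")
        self.mode = mode
        self.clock = clock            # injectable so tests can drive time deterministically
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password_ok: bool) -> str:
        """Returns one of: ok, denied, locked, throttled."""
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if state.locked:
            return "locked"               # even a correct password is refused once locked
        if self.mode == "throttle" and now < state.next_allowed:
            return "throttled"            # attempt is dropped without checking the password
        if password_ok:
            self.accounts[username] = AccountState()   # success clears the failure history
            return "ok"
        state.failures += 1
        if self.mode == "lockout":
            if state.failures >= MAX_ATTEMPTS:
                state.locked = True
                return "locked"
            return "denied"
        # Throttle: each failure doubles the wait, so ten wrong guesses cost ~17 minutes in total.
        state.next_allowed = now + BASE_DELAY * (2 ** (state.failures - 1))
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard("lockout")
    print([guard.attempt("alice", False) for _ in range(MAX_ATTEMPTS)])
```

The lockout variant is the simpler one the report describes; the throttle variant slows an automated guesser just as effectively without ever denying a legitimate user who waits out the delay.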

    In addition, the organization advises that regular password changing, imposed by many organizations at intervals of 30, 60 or 90 days, "carries no real benefits as stolen passwords are generally exploited immediately," and users are in any case likely to choose new passwords that are only minor variations of the old.

    GCHQ and CESG also recommended that organizations provide their employees with appropriate facilities to store recorded passwords, and cited a recent survey which reported that UK citizens each had an average of 22 online passwords, far more than most people can easily remember.

    Despite that statistic, GCHQ has concentrated its efforts on improving security in the UK's national infrastructure organizations, rather than among the general public; in June it was reported that GCHQ and the US spy agency NSA had reverse engineered security and anti-virus software in order to obtain information about vulnerabilities in security software, and intelligence about its users. 

