According to a statement issued recently by the organisation, regular password expiry is a common requirement in many security policies, but its password guidance, published in 2015, advised against such changes.

From the statement: “Let’s consider how we might limit the harm that comes from an attacker who knows a user’s password. The obvious answer is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This advice seems straightforward enough.”

However, that’s where things get a little sticky, the organisation says. Beyond the cost to users (the inconvenience of making them change their passwords constantly), most password policies also force users to pick passwords that are hard to remember: as long and as random as possible. CESG says that managing a handful of such passwords may be possible, but not across dozens of systems and applications.

CESG then takes on the long-established adage that, to keep our information safe, we must keep changing our passwords regularly. Even if we did change passwords that often, we would be so overwhelmed by the number of passwords that we would have to write them down, which is another vulnerability.

“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.”

The advice came as something of a surprise when it was published in 2015, so much so that CESG felt compelled to explain its position almost a year later. The advice is not industry-standard language; it’s the exact opposite. Whichever side you find yourself on, changing passwords regularly or ignoring the whole business, this announcement strikes a deeper chord.
Read more on passwords and security:
- Top five tips for protecting customer documents
- What’s in a password? Your staff may as well broadcast credentials to the world
- PayPal venture to make you swallow your password could change perception on biometric tech
- When it comes to the future of cyber security – it’s smarter than the humans