Don’t change your passwords, apparently
6 min read
10 August 2016
There’s been plenty of press about the decision by CESG (Communications-Electronics Security Group, a group within the UK Government Communications Headquarters) advise against the use of long-established security guideline suggesting that users change their passwords on a regular basis.
According to a statement issued recently by the organisation, regular password expiry is a common requirement in many security policies, but its password guidance, published in 2015, advised against such changes.
From the statement: “Let’s consider how we might limit the harm that comes from an attacker who knows a user’s password. The obvious answer is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This advice seems straightforward enough.”
However, that’s where things get a little sticky, the organisation says. Other than hindering the user costs (the inconvenience to users for making them change their passwords constantly), the majority of password policies force users to use passwords that are hard to remember; as long and as random as possible.
CESG says that for managing a handful of passwords this may be possible, but not for dozens of systems and applications.
CESG then stakes its horse to the password tent pole adage that insists that to keep our information safe, we must continue to change our passwords regularly. And even if we did change passwords regularly then we’d be so overwhelmed by the passwords that we’d have to write them down, which is another vulnerability.
“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.”
The advice came as a somewhat surprise when published in 2015, so much so that CESG felt compelled to explain its position almost a year later. The advice is not industry standard language; it’s the exact opposite. Despite whichever side you may find yourself – changing passwords regularly or ignoring the whole bit – this announcement strikes a deeper chord.
Read more on passwords and security:
- Top five tips for protecting customer documents
- What’s in a password? Your staff may as well broadcast credentials to the world
- PayPal venture to make you swallow your password could change perception on biometric tech
CESG now recommends organisations don’t force regular password expiry. Sure enough, it reduces vulnerabilities, like writing down the passwords, and some such thing and apparently does little to increase security. All of this is predicated on the fact that users must maintain more than one password for all of their systems, which the CESG has not, apparently, factored into its argument.
For example, the organision’s take on password security is noble – no more wasted time on useless password changes; I get it. But solutions such as single sign-on, all one must remember is a single password for all systems. And, this also alleviates any perceived problems the organisation says come along with trying to remember countless passwords by writing them down.
On top of this, the passwords that they create to protect their information can be uniquely different and diverse because there are far fewer needed to manage access to their data.
If organisational leaders still feel strongly about passwords being a security risk, SSO can offer additional security with two-factor authentication, but that’s another thing altogether.
SSO also has additional benefits, like reducing the amount of time it takes to log in. Maybe not a big deal in regard to security, but a benefit nonetheless. Also, the solutions can easily assist with audits by providing a detailed log of each user who has logged in and what they did on the network.
Additionally, SSO can help users easily switch from shared workstations to individual account logins, which is required by HIPPA. Instead of eliminating the shared workstations and giving clinician’s credentials to the systems and applications, SSO easily transitions them to their own single set of credentials. Many vendors also offer a “follow me” feature, but I’m getting a bit off track.
An SSO solution, along with the many features offered, can result in a drastic time savings – particularly in the case of those professionals who work on multiple stations in several departments or floors – while still offering security into the organisation and giving leaders and overview of who has access to what and when.
Implementing SSO is an easy process, and the solution integrates with almost all applications, including cloud applications, plus it beats back any argument made the CESG based on user password weariness.
Robert Doswell is MD of Tools4ever UK
When it comes to the future of cyber security – it’s smarter than the humans.