The common perception is that a strong password is always a good password, but GCHQ thinks otherwise, urging people to use “simple passwords” to keep themselves protected from online threats.
According to the new guidelines in GCHQ's password guidance report, passwords should be short and less confusing, which the agency says would make online accounts and businesses more secure.
The report, titled Password Guidance: Simplifying Your Approach, reveals that lengthy and complex passwords are not actually securing our online accounts the way they should.
This, however, contradicts the common belief that the more challenging the password, the greater the protection against eavesdropping or hacking. Prior to this report, GCHQ had always maintained that the more complex the password and the greater its length, the greater the security would be.
The logic behind setting a complex password is plain and simple. Everyone knows that complex and lengthy passwords are tougher to crack or guess, and they also make life harder for hackers trying to recover the password with brute-force attacks.
Ciaran Martin, Director General for Government and Industry Cyber Security, highlighted:
“BY SIMPLIFYING YOUR ORGANISATION’S APPROACH TO PASSWORDS, YOU CAN REDUCE THE WORKLOAD ON USERS, LESSEN THE SUPPORT BURDEN ON IT DEPARTMENTS, AND COMBAT THE FALSE SENSE OF SECURITY THAT UNNECESSARILY COMPLEX PASSWORDS CAN ENCOURAGE.”
The report has been released by CESG, the Communications-Electronics Security Group, which is the information security arm of GCHQ and the National Technical Authority for Information Assurance within the UK.
The report is specifically targeted at system owners who are responsible for regulating and governing password policies, and it has been backed by CESG and CPNI. They are encouraging system owners to apply the ‘simplified’ password approach at a “system level, rather than asking users to recall unnecessarily complicated passwords.”
They say at the beginning of the report that complex passwords are not really complex for hackers, while memorizing various complex passwords for online accounts has become challenging; typing lengthy passwords causes delays and has made daily life much harder for users.
These complexities force users to opt for workarounds and alternatives such as browser password managers or other third-party password managers, which the report considers more vulnerable and less secure in the long term.
The report also states that the problem with passwords began to arise because of the surge in online registration-based services and accounts, which require the user to create a hard-to-guess password for each account. Users tend to develop their own workarounds to handle ‘password overload,’ often reusing the same password on multiple websites or writing their passwords on a piece of paper.
“Users are generally told to remember passwords, and to not share them, re-use them, or write them down. But the typical user has dozens of passwords to remember – not just yours,” GCHQ says. “Regular password changing harms rather than improves security, so avoid placing this burden on users.”
These workarounds make accounts more vulnerable rather than more secure, because anyone who finds the paper can steal all the passwords at once.
The report features an important tip to combat such password-recording habits. It advises:
“STORE PASSWORDS IN A HASHED FORMAT, PRODUCED USING A CRYPTOGRAPHIC FUNCTION CAPABLE OF MULTIPLE ITERATIONS (SUCH AS SHA 256).”
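The tip above is about how the system stores credentials, not about what users type. A plain hash such as SHA-256 is fast by design, so the “multiple iterations” part matters: the function is applied many thousands of times, with a random per-user salt, so that each guess costs the attacker as much work as it costs the server. The following is an added example (not code from the report or from GCHQ/CESG) using PBKDF2 with HMAC-SHA256 from Python's standard library; the iteration count, salt size and record layout are assumptions for the example, and a deployment would typically prefer a memory-hard function such as Argon2 or scrypt where available.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values for this example (not taken from the report).
ALGORITHM = "sha256"      # PBKDF2 built on HMAC-SHA256
ITERATIONS = 600_000      # current work factor; raise it as hardware gets faster
SALT_BYTES = 16           # random salt per stored password
DKLEN = 32                # derived key length in bytes


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    Storing the iteration count and salt alongside the hash lets the verifier
    recompute the same derivation later, and lets the policy be raised over time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != f"pbkdf2_{ALGORITHM}" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record was produced with fewer iterations than current policy.

    Call this after a successful login so old records are upgraded transparently.
    """
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

Because the salt is random, hashing the same password twice yields two different records, so a breached database gives no hint that two users share a password and cannot be attacked with one precomputed table.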
The report also pointed out a technique known as “throttling,” in which, after a number of unsuccessful login attempts, the targeted account is locked out for a certain period of time.
“ACCOUNT LOCKOUT, THROTTLING, AND PROTECTIVE MONITORING ARE POWERFUL DEFENCES AGAINST BRUTE-FORCE ATTACKS ON ENTERPRISE SYSTEMS AND ONLINE SERVICES. PASSWORD SYSTEMS CAN BE CONFIGURED SO THAT A USER ONLY HAS A LIMITED NUMBER OF ATTEMPTS TO ENTER THEIR PASSWORD BEFORE THEIR ACCOUNT IS LOCKED OUT.”
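The following is an added example (not code from the report) of the lockout and throttling rule described above: failed attempts are counted per account within a sliding window, the account is locked for a fixed period once the limit is reached, and every lockout is recorded as an event for protective monitoring. The limits, window and lockout length are assumptions chosen for the example; the clock is injected so the behaviour can be replayed deterministically.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class LoginThrottle:
    """Per-account failure counter with a sliding window and a fixed lockout period."""
    max_attempts: int = 5            # failures allowed inside the window (assumed value)
    window_seconds: float = 300.0    # how far back failures still count (assumed value)
    lockout_seconds: float = 900.0   # how long the account stays locked (assumed value)
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, List[float]] = field(default_factory=dict, init=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, init=False)
    events: List[Tuple[float, str, str]] = field(default_factory=list, init=False)

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear state so the user starts with a clean count.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; return True if this attempt triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            # Feed the monitoring pipeline: repeated lockouts across accounts
            # are the signal that a brute-force or password-spraying run is under way.
            self.events.append((now, account, "lockout"))
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password_ok: bool) -> str:
    """Return 'locked', 'failed' or 'ok'. The lock is checked before the credential."""
    if throttle.is_locked(account):
        # Refuse without evaluating the password, so a locked attacker learns nothing
        # about whether a particular guess was right.
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "failed"


def simulate() -> List[str]:
    """Replay a constructed sequence of attempts against a fake clock."""
    now = [1000.0]
    throttle = LoginThrottle(max_attempts=3, window_seconds=60,
                             lockout_seconds=300, clock=lambda: now[0])
    outcomes = []
    # Three wrong guesses one second apart: the third one trips the lockout.
    for _ in range(3):
        outcomes.append(attempt_login(throttle, "alice", password_ok=False))
        now[0] += 1
    # Even the correct password is refused while the lock is in force.
    outcomes.append(attempt_login(throttle, "alice", password_ok=True))
    # Once the lockout period has elapsed the correct password works again.
    now[0] += 300
    outcomes.append(attempt_login(throttle, "alice", password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

Two design points worth noting: the lock is checked before the password is evaluated, so a locked account answers identically to right and wrong guesses, and the lockout is time-limited rather than permanent, which keeps an attacker from turning the control into a denial of service against legitimate users by deliberately tripping it.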
GCHQ has also revealed that its members are working closely with government departments, researchers and industry to learn more about this issue, and that they plan to report more about this project on a separate CESG blog.
You can go through the infographic designed and released by the intelligence agency to make it easier for users to understand the facts regarding passwords.
Gov.UK (pdf)