What to do about password security?
• Get into two-factor authentication!
• Don’t hand out administrative accounts willy-nilly!
• Watch out for default passwords!
• Be strict about outsourced security – as strict as your own!
• Salt-hash-and-stretch your customers’ passwords!
• Throw out that “forced password reset every 30 days” policy!
As you can see from the links above, “We told you so.”
In the podcast, we very specifically urge you not to change passwords routinely when it isn’t necessary, on the grounds that it gets people into what fellow Naked Security writer Chester Wisniewski calls “the habit of a bad habit.”
→ Users typically settle on a simple password root and append something they change slightly each month, like a number they increment. For all you know, the last two digits of their passwords can be computed from how many months they’ve had their jobs.
They agree with us, and we with them!
We heartily recommend GCHQ’s new document.
At 13 pages, it might sound as though it’s too long to qualify for its title Simplifying Your Approach – Password Guidance.
However, the pages are very readably laid out, aren’t dense with text, and can be consulted one-by-one as a series of tips.
Better yet, they help you understand why the tips have been structured as they have.
Password “rules” that exist for no better reason than that they existed in the past simply are exactly what we argue against in the abovementioned Techknow podcast.
Don’t go to the trouble of storing passwords as salted-and-stretched hashes because we say so.
Do it because you realise why it’s a bad idea for everyone if you don’t!
Oh, before we go, and to give credit where it’s due: the document isn’t just the work of GCHQ, but a joint effort with the UK’s Centre for the Protection of National Infrastructure [from March 2023, the NPSA, or National Protective Security Authority].
It’s great to see computer security for everyone – home users and small businesses, as much as government ministries and multinational corporations – treated as though we are all part of the nation’s IT infrastructure, because we are.
If you are still living in a world in which you think that cybercrooks “won’t be interested in little old you“, bear in mind that recent security research by Fujitsu uncovered an email “hitlist” of potential victims, maintained by Russian criminals…
…with more than a third of a billion names on it!
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.