What to do about password security?
• Get into two-factor authentication!
• Don’t hand out administrative accounts willy-nilly!
• Watch out for default passwords!
• Be strict about outsourced security – as strict as your own!
• Salt-hash-and-stretch your customers’ passwords!
• Go complex: no nicknames, no birthdays, no quotations, no pets!
• Throw out that “forced password reset every 30 days” policy!
As you can see from the links above, “We told you so.”
In fact, the very first podcast in our popular Techknow series, recorded more than three years ago, was all about Busting Password Myths.
In the podcast, we very specifically urge you not to change passwords routinely when it isn’t necessary, on the grounds that it gets people into what fellow Naked Security writer Chester Wisniewski calls “the habit of a bad habit.”
→ Users typically settle on a simple password root and append something they change slightly each month, like a number they increment. For all you know, the last two digits of their passwords can be computed from how many months they’ve had their jobs.
So it’s fantastic to see all of those points endorsed, in a very calm and well-written document, by none other than GCHQ, Britain’s very own Signals Intelligence (SIGINT) service.
They agree with us, and we with them!
We heartily recommend GCHQ’s new document.
At 13 pages, it might sound as though it’s too long to qualify for its title Simplifying Your Approach – Password Guidance.
However, the pages are very readably laid out, aren’t dense with text, and can be consulted one-by-one as a series of tips.
Better yet, they help you understand why the tips have been structured as they have.
Password “rules” that exist for no better reason than that they existed in the past simply are exactly what we argue against in the abovementioned Techknow podcast.
Don’t go to the trouble of storing passwords as salted-and-stretched hashes because we say so.
Do it because you realise why it’s a bad idea for everyone if you don’t!
Oh, before we go, and to give credit where it’s due: the document isn’t just the work of GCHQ, but a joint effort with the UK’s Centre for the Protection of National Infrastructure [from March 2023, the NPSA, or National Protective Security Authority].
It’s great to see computer security for everyone – home users and small businesses, as much as government ministries and multinational corporations – treated as though we are all part of the nation’s IT infrastructure, because we are.
If you are still living in a world in which you think that cybercrooks “won’t be interested in little old you“, bear in mind that recent security research by Fujitsu uncovered an email “hitlist” of potential victims, maintained by Russian criminals…
…with more than a third of a billion names on it!
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
Petr Chval
Well, when are you going to remove your “reset every 90 days” policy from Sophos Partner Portal?
Anna Brading
Good point. We’ll talk to our website guys. Thanks for the comment :-)
BVR
And security question/answers? Make them up!! Don’t use real answers. And put those question/answers in the notes of your password manager.