IT industry changing its approach to passwords: UK government advises you not to change your passwords regularly
The UK government produced guidance in 2015 explaining its recommendation that passwords should not be changed regularly. The Communications-Electronics Security Group (CESG), a group within the UK Government Communications Headquarters (GCHQ), released this guidance to the general public. To many IT professionals this may seem to go against IT best practice, but it highlights some fundamental rethinking that may be required within the IT industry about what most consider a basic rule of thumb.
Why shouldn’t passwords be changed regularly?
CESG explains that the focus should be on the strength of passwords rather than on changing them regularly. It states that forced regular changes have a negative impact on users’ ability and willingness to create strong passwords, because they fear they are likely to forget them.
A link has also been drawn between a user’s old password and the new one: the similarity between them is something hackers can exploit. If users are forced to change their passwords regularly, they are more likely to choose a new password that resembles the old one because they believe it will help them remember it. This helps hackers: anyone who later obtains any previous password, provided it is in some way similar to the current one, has a good starting point for guessing what the current password may be.
It is also believed that passwords which are changed more often are more likely to be written down. Once a password is written down, if anyone other than the user sees it, the security of that account is compromised.
There is also the loss of productivity for an organisation, as regularly changed passwords are forgotten more often. This represents time lost for the user who is locked out of their account and for the IT administration staff who have to help reset the user’s password.
While computers deal in 0s and 1s, or yes and no, introducing human factors into IT usually calls for balance. This is the case for passwords: although there are negatives to changing your password regularly, there are also positives, because if you leave your password the same over time your risk of exposure increases.
To illustrate this point, imagine that a person writes a password down on paper, which of course you should never do but which commonly happens in the workplace. They then misplace the paper and it is not found for a year. If a regular password change policy is in place and the new passwords are not similar to the previous ones, the user’s account should be safe. If, however, the password is never changed, then no matter how strong it is the account is exposed.
Or imagine that a malicious person is not in possession of a hard copy of the password but has a relatively unlimited timeframe in which to try passwords; it is entirely conceivable that, given enough time, the password may be worked out.
1. Given the information in this article, it is still recommended that passwords are changed at intervals, but consider extending the time frame, and don’t just accept that the more frequently a password is changed the higher your level of security, as this is often not the case.
2. Put more focus on getting users to improve password complexity and length.
3. Educate users not to create passwords similar to previous ones. For example, choosing an “Animal” + “number sequence” every time a new password is created may not be the best choice for enforcing IT security.
4. Use non-alphanumeric symbols where possible.
5. Avoid dictionary words.
6. Use a combination of upper and lower case letters.
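As an added example (not from the CESG guidance or this article), the Python check below shows how a password-change process could reject a new password that is only a minor edit of the old one, addressing both the old-to-new similarity problem described above and the “Animal” + “number sequence” habit in point 3. The similarity threshold and the normalisation rules are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed threshold (not from any standard): ratio at or above this counts as "too similar".
SIMILARITY_THRESHOLD = 0.75


def normalise(password: str) -> str:
    """Fold the variations users typically make between an old and a new password:
    case changes and a leading/trailing run of digits or symbols, so that
    'Tiger1' -> 'Tiger2' or 'Summer2015' -> 'summer2016!' collapse to the same core."""
    core = password.lower()
    core = re.sub(r"[\d\W_]+$", "", core)  # strip trailing digits and symbols
    core = re.sub(r"^[\d\W_]+", "", core)  # strip leading digits and symbols
    return core or password.lower()        # all-digit passwords keep their value


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1] of how alike two passwords are after normalisation."""
    return SequenceMatcher(None, normalise(old), normalise(new)).ratio()


def too_similar(old: str, new: str, threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True when the new password is a minor edit of the old one.
    A direct substring relation (e.g. 'Tiger' -> 'Tiger99') is always rejected;
    otherwise the edit-similarity ratio decides (catches 'Password' -> 'Passw0rd')."""
    a, b = normalise(old), normalise(new)
    if a in b or b in a:
        return True
    return similarity(old, new) >= threshold


def check_password_change(old: str, new: str) -> str:
    """Policy decision for a password change request (constructed messages)."""
    if new == old:
        return "rejected: unchanged"
    if too_similar(old, new):
        return "rejected: too similar to previous password"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample requests, not real credentials.
    for old_pw, new_pw in [("Tiger1", "Tiger2"), ("Password", "Passw0rd"), ("Tiger1", "Elephant7")]:
        print(f"{old_pw!r} -> {new_pw!r}: {check_password_change(old_pw, new_pw)}")
```

The comparison only needs the old password at the moment the user supplies it to authorise the change, so no plaintext password has to be stored for this check.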