Intelligence agency reminds businesses of the risks of password expiry
British intelligence services have reminded firms that resetting their employees’ passwords frequently may make them less secure.
GCHQ’s Communications Electronics Security Group (CESG) told businesses on World Password Day (5th May) that forcing workers to change their passwords may encourage them to reuse passwords from other accounts or write them down to remember them.
It can also affect employees’ productivity if they forget their new passwords and need to ask IT staff to reset their accounts so they can continue with their work.
“Let’s consider how we might limit the harm that comes from an attacker who knows a user’s password,” the CESG explained in a recent post. “The obvious answer is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This advice seems straightforward enough.
“The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember.
“Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.”
The agency said forcing password resets actually increases a firm’s vulnerability, and urged organisations instead to consider using defences like system monitoring tools that can highlight suspicious account activity.
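The article does not say what "system monitoring tools that can highlight suspicious account activity" look like in practice. The following Python script is an added illustration, not code from the article or from GCHQ/CESG, of the kind of check such a tool performs: it scans authentication log lines for two patterns that suggest a password is in an attacker's hands (a burst of failed logins followed by a success, and a successful login from a source the user has never used before). The log lines, user names and IP addresses are constructed for the example; the sshd-style message format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); sshd-style auth messages.
SAMPLE_LOG = """\
2016-05-05T09:00:01 sshd: Failed password for alice from 203.0.113.7
2016-05-05T09:00:03 sshd: Failed password for alice from 203.0.113.7
2016-05-05T09:00:05 sshd: Failed password for alice from 203.0.113.7
2016-05-05T09:00:07 sshd: Failed password for alice from 203.0.113.7
2016-05-05T09:00:09 sshd: Failed password for alice from 203.0.113.7
2016-05-05T09:00:12 sshd: Accepted password for alice from 203.0.113.7
2016-05-05T09:30:00 sshd: Accepted password for bob from 192.0.2.10
2016-05-05T10:00:00 sshd: Accepted password for bob from 192.0.2.10
2016-05-05T22:15:00 sshd: Accepted password for bob from 198.51.100.99
2016-05-05T09:05:00 sshd: Failed password for carol from 192.0.2.20
2016-05-05T09:06:00 sshd: Accepted password for carol from 192.0.2.20
"""

# Assumed line layout: "<ISO timestamp> sshd: <Accepted|Failed> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a time-ordered list of login events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not authentication results
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious(log_text, fail_threshold=4, window=timedelta(minutes=5)):
    """Return a list of (kind, user, ip) alerts.

    'brute_force_success': at least `fail_threshold` failures for the same
        user and source IP within `window`, followed by a success from that IP.
    'new_source': a successful login from an IP the user has never succeeded
        from before (after their first success), which is what a stolen but
        still valid password being used elsewhere tends to look like.
    """
    alerts = []
    recent_fail = defaultdict(list)  # (user, ip) -> timestamps of failures
    known_ips = defaultdict(set)     # user -> IPs with an earlier success

    for e in parse(log_text):
        key = (e["user"], e["ip"])
        if not e["ok"]:
            recent_fail[key].append(e["ts"])
            continue

        # Success: count failures from the same source inside the window.
        fails = [t for t in recent_fail[key] if e["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            alerts.append(("brute_force_success", e["user"], e["ip"]))
        recent_fail[key] = []

        # Success from a source never seen for this user before.
        if known_ips[e["user"]] and e["ip"] not in known_ips[e["user"]]:
            alerts.append(("new_source", e["user"], e["ip"]))
        known_ips[e["user"]].add(e["ip"])

    return alerts


if __name__ == "__main__":
    for kind, user, ip in find_suspicious(SAMPLE_LOG):
        print(f"{kind}: user={user} source={ip}")
```

Run against the constructed log, the script flags alice (five failures then a success from the same address within the window) and bob (a success from an address not seen for that account before), while carol's single mistyped password produces nothing. The thresholds are deliberately parameters: tuning them to an organisation's own traffic is the part of deploying such monitoring that takes real effort.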
While strong passwords are one of the best forms of defence currently available, they are often stolen in data breaches and via malicious websites or software.
This week hundreds of millions of email accounts were reported to be at risk after a hacker handed over a database of more than a billion stolen login credentials.
And even the experts can be fooled into giving up their details – as was the case when cyber security professionals passed their Twitter login credentials to a conference site.