Changing passwords regularly is an accepted routine that many companies require employees to follow, but the British government's communications-intelligence agency thinks it isn't a smart practice. In a recent blog posting, the Communications-Electronics Security Group (CESG) argued that forcing users to come up with new passwords will likely reduce security rather than strengthen it.
The CESG, a branch of GCHQ, Britain's equivalent of the U.S. National Security Agency, admits that this password advice sounds counter-intuitive. Shouldn't new passwords make attacks more difficult?
Not necessarily. The organization believes that users who are asked to frequently come up with new passwords will create passwords that are easier to crack, and more likely to be reused for other accounts, than long-term passwords that need only be created once. In other words, the inconvenience put on the user to generate a new password may result in a password that is not completely unique or random.
One problem the CESG points out is that many users recycle passwords used on other services, which creates a problem if the other service suffers a data breach and that password becomes public. This would be even worse if the user's email address is the same for both accounts, or if log-in addresses follow a simple pattern based around first and last names.
While companies require that users routinely create unique, complex passwords, CESG argues that this forces users to write the new passwords down -- often on a sticky-note pasted to a computer monitor. We've seen this in a number of offices, despite the fact that it lets any passerby access the account.
If users aren't recycling an old password or writing it down, CESG notes, they may instead make a small adjustment to their existing password, such as adding a number or letter, to create a new one. Users may think they've made a clever adjustment that will protect them, but the CESG says the new password won't add much if attackers already know the previous password.
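One way a password-change handler can catch the "bump a digit" pattern described above is to compare the new password against the old one before accepting it. The check below is an added example, not code from CESG or any product; the stripping of leading/trailing digits and symbols and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import string

# Characters users typically append, prepend or increment ("Summer2015!" -> "Summer2016!").
_EDGE_CHARS = string.digits + string.punctuation


def _stem(password: str) -> str:
    """Lower-case the password and strip digits/symbols from both ends (assumed normalisation)."""
    return password.lower().strip(_EDGE_CHARS)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """Return True when `new` is only a small tweak of `old`.

    Three signals are combined (thresholds are assumptions, not a standard):
      1. identical after stripping edge digits/symbols  ("Winter" -> "Winter99")
      2. one stem contains the other                    ("tiger" -> "mytiger")
      3. Levenshtein distance within `max_edits`         ("Tiger" -> "Tigger")
    """
    if not old or not new:
        return False
    if old == new:
        return True
    a, b = _stem(old), _stem(new)
    if a and a == b:
        return True
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return True
    return _edit_distance(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs: old password -> proposed new password.
    for old, new in [("Summer2015!", "Summer2016!"), ("Tiger", "Tigger"), ("Monkey123", "Banana456")]:
        print(f"{old!r:16} -> {new!r:16} trivial={is_trivial_variant(old, new)}")
```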
The CESG asks network administrators to consider "alternative, more effective system defenses," such as letting users know via a side channel (such as email) that there had been failed attempts to log into their accounts, and asking users to raise a flag if it wasn't them. This would result in a bit more work for users, but workplace studies have shown that users have better security practices if they're treated as adults who can make their own decisions.
Whether you're creating long-term or temporary passwords, it's best to have them be long (at least eight characters, though some experts say 10 or 14 should be the minimum) and include upper- and lower-case letters, digits and punctuation marks. If the password is protecting a sensitive account, such as a banking, social networking, retailing or online email account, it should NEVER be reused.
If you're having trouble remembering all the passwords -- and if you're doing this right, you should be having trouble -- consider using a password manager. However, that password manager probably can't help you log into your workplace computer.