UK Intelligence Service Wants You to Stop Changing Your Passwords
Ashley Allen / 9 years ago
It is common advice: “change your passwords often!” The practice is designed to maintain the security of your online accounts, but UK intelligence service GCHQ has, surprisingly, branded the practice counter-intuitive. To coincide with World Password Day yesterday, GCHQ’s Communications-Electronics Security Group (CESG) released a report, entitled Password Guidance: Simplifying Your Approach [PDF], which advises users against resetting their passwords.
“The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’,” writes Ciaran Martin, Director General for Cyber Security at GCHQ, in the guide’s introduction. “Worse still, the rules – even if followed – don’t necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”
“The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords,” the report says. “While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.”
As an alternative to frequent password resets and increasingly complex, difficult-to-remember new passwords, CESG recommends using tools that allow users to track their logins to detect any unauthorised access to their accounts. That advice, though, is aimed more at website administrators than at users themselves.
“Initiatives such as this are far more likely to help keep systems safe, and much more manageable for the user,” according to CESG.