Stop resetting your passwords, says UK govt's spy network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. "In 2015, we explicitly advised against [the practice]," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. "This article explains why we made this unexpected …

  1. Paul Crawford Silver badge

    There is some sense here, you want users to have long passwords to make them difficult to guess, but easy to remember. So saying "at least 16 characters, like a few words perhaps" and not requiring stupid ratios of punctuation, numbers, and case, is likely to get them using something different to other services, and to remember it instead of putting it on a post-it note.

    Also, of course, having a bozo filter to stop "Correct Horse Battery Staple", or even "password" or "12345" and similar being used N times to fit the minimum limit...

    1. swschrad

      the real issue is GCHQ is too busy to keep guessing your new ones

      so keep using strings of cuss words, and shift-right one letter every 30 days.

      1. werdsmith Silver badge

        Re: the real issue is GCHQ is too busy to keep guessing your new ones

        I know that most people in this network where passwords last 6 weeks, just append a number onto the same word and increment it when the change is forced.

        I'm up to 38.

        1. Anonymous Coward

          Re: the real issue is GCHQ is too busy to keep guessing your new ones

          I'm currently approaching 100 for some. I've just had the 90 expiry reminder at work. I have 12 systems to change, even the company's own products and internal systems have different logins and password rules, so the base word + increment is one way of staying sane and not getting locked out.

          Yesterday I had to sign in to the ADATA website to get access to the cloning software for one of their SSD drives. They thoughtfully confirmed my account with an email containing the plain text password I had just created. There really is no point regularly changing the locks on the doors if there's a big window open right next to them.

        2. Yag
          Trollface

          Re: the real issue is GCHQ is too busy to keep guessing your new ones

          10 here, I sometimes reset the counter to fool an eventual intruder.

          (hard to choose between "trollface" and "joke" icons)

      2. Ellis Birt 1

        Re: the real issue is GCHQ is too busy to keep guessing your new ones

        While CESG are located in the GCHQ complex in Cheltenham, their role is to advise the rest of Government on information systems security.

        So this advice was issued to government departments and published for the convenience of the wider audience.

        They are not the first to make this suggestion and they will not be the last. Passwords are an imperfect security mechanism for protecting against all but a casual miscreant.

        It is better to physically secure your offices (and that Cat 5 between buildings) and use more secure access controls like two-factor authentication when remote access is necessary.

    2. WatAWorld

      No words in any language

      It is even worse than that. Remember that to modern password cracking software a lengthy word has the complexity of a single character -- entire words are tried the way old cracking software tried characters.

      To be effective against modern cracking software, passwords must not contain within them words in any language.

      So we should be asking users to remember truly random strings of over 12 characters.

      1. CaptainHook

        Re: No words in any language

        It is even worse than that. Remember that to modern password cracking software a lengthy word has the complexity of a single character -- entire words are tried the way old cracking software tried characters.

        *****

        There are what, around 70 different symbols which are routinely allowed in passwords (upper/lowercase characters, digits, a few other ASCII characters). Even if you allow the full printable ASCII character set you only have 95 symbols which can be chosen from.

        But if you use truly random words from say the Oxford English dictionary, that allows for ~171,000 different symbols.

        A string of 8 random words, even without special characters injected in random places is multiple orders of magnitude greater than an 8 character ASCII password to brute force and much easier for a human to type in because all the characters are easy to find on a keyboard.

        The problem with words as passwords is that they are usually not chosen at random.

      2. IdeaForecasting

        Re: No words in any language

        Nonsense. With a password 'hello hot world trees', where would you 'position' the word 'hot' to crack this password? And what would you use to fill the gap between the other words in the password?

        The reality of this kind of crack would require ALL the words AND spaces to be in the correct order to work?

        1. Black Betty

          Re: No words in any language

          As a general rule no white-space allowed.

        2. Anonymous Coward

          Re: No words in any language

          I've used Welsh language passwords for ages and never had a lick of trouble - on the odd occasion when I've had to document them for admin purposes the usual comment is, WTF!

      3. Anonymous Coward

        Re: No words in any language

        That's not exactly true. For a single character, the guesser has a probability distribution over roughly 100 symbols. There are many more words in the English language, so the probability distribution is over a much larger set. It's certainly smaller than the set of permutations of all characters that make up the word, but it's bigger than a single character, by a lot. The human brain is better at remembering words than single characters, so why not leverage that? It's only a problem if you limit the length of passwords to a small number of characters (which some systems stupidly do) or you use a password quality check that only takes into account simple things like number and type of characters typed.

        I think the point they're making here is that there are so many out-of-band ways of circumventing passwords now (due to the difficulty in remembering them), that fewer hackers are going to bother with brute-forcing hashes from a table dump, when they can just request your credit history and marketing report and use those to answer your "security questions".

        Also, Bruce Schneier pointed out that if a hacker gains access to an account, they'll use it immediately for bad things, so the 90 day window doesn't help limit the damage, either.

      4. keithpeter Silver badge
        Coat

        Re: No words in any language

        Schneier's method still OK?

        https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

        Or how about a sentence used in a Playfair cypher grid for *really* important systems that are actually at risk of attack (i.e. I suppose accessed over the public Internet)? I could remember an appropriate sentence and then re-encypher it to generate the password before typing in my credentials - takes a minute. Burn the scrap paper afterwards :-)

        https://en.wikipedia.org/wiki/Playfair_cipher

        Coat: mine's the one with the tape recorder in the pocket and the lapel camera.

      5. Amos1

        Re: No words in any language

        How long have you worked at GCHQ? Isn't the real reason for this "advice" because it makes your job too hard when the old password no longer works?

      6. FlippingGerman

        Re: No words in any language

        I use a simple script I wrote myself, that simply generates random passphrases. Five (cryptographically secure, which is probably unnecessary) random words from a list of 40,000.

        That beats your 12 characters in complexity any day, and is far easier to remember. Something like 76 bits of entropy. Note that I do have some idea how password guessing works, having done it quite a bit for fun fairly recently.

        >>> 26**12

        95428956661682176

        >>> 40000**5

        102400000000000000000000
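The arithmetic in CaptainHook's and FlippingGerman's comments above, as an added example (not the script mentioned in the thread): it computes the entropy of uniformly random words versus uniformly random characters and draws a passphrase with a CSPRNG. The function names and the 4096-entry pseudo-word list are constructed stand-ins, and the figures only hold when every word is picked at random rather than chosen by a person.

```python
import math
import secrets


def entropy_bits(symbols, length):
    """Entropy in bits of `length` symbols, each drawn uniformly and
    independently from a set of `symbols` possibilities."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbols)


def words_to_match(wordlist_size, alphabet_size, char_length):
    """Fewest random words whose entropy is at least that of a random
    string of `char_length` characters over `alphabet_size` symbols."""
    target = entropy_bits(alphabet_size, char_length)
    return math.ceil(target / math.log2(wordlist_size))


def constructed_wordlist():
    """Constructed stand-in for a real word list: 4096 pronounceable
    two-syllable pseudo-words (16 consonants x 4 vowels, squared)."""
    syllables = [c + v for c in "bdfghjklmnprstvz" for v in "aeio"]
    return [a + b for a in syllables for b in syllables]


def generate_passphrase(wordlist, n_words=5, sep=" "):
    """Return (passphrase, entropy_bits).

    Entropy is counted over the de-duplicated list, because repeated or
    differently-cased entries do not add possibilities. Words are drawn
    with the OS CSPRNG, with replacement, so every draw is independent.
    """
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    words = [secrets.choice(unique) for _ in range(n_words)]
    return sep.join(words), entropy_bits(len(unique), n_words)


if __name__ == "__main__":
    # The four cases discussed in the thread.
    cases = [
        ("12 random lowercase letters", 26, 12),
        ("8 random printable ASCII characters", 95, 8),
        ("5 random words from a 40,000-word list", 40000, 5),
        ("8 random words from ~171,000 words", 171000, 8),
    ]
    for label, symbols, length in cases:
        print(f"{label}: {entropy_bits(symbols, length):.1f} bits")
    print("words from 40,000 needed to match 26**12:",
          words_to_match(40000, 26, 12))
    phrase, bits = generate_passphrase(constructed_wordlist())
    print(f"sample: {phrase!r} ({bits:.0f} bits)")
```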

    3. Sixtysix
      Black Helicopters

      It's a trap...

      The ONLY reason they don't want passwords changed regularly is so their database of cracked passwords doesn't have to be re-cracked every 30/40/... days.

      Whilst I don't think CESG will be interested in ANYTHING I use/type/mail at my work (and have a far simpler way of accessing), I'd be *very* surprised if my personal addresses/accounts have not crossed their automated tracking: as Snowden clarified they do try to watch *everything* on the interwebs after all!

      The boredom of the content thereof is irrelevant: because my "stuff" is visible, they can hone in on drug dealers, terrorists and enemies of the state: we all know how "much" they use encryption and strong passwords eh? Right. Also, and more worryingly, they'll be able to home in on the genuine freedom fighters, oppressed peoples, press leakers, journalists and other folks validly trying to prevent their life/rights/privacy from being trampled.

      I strongly believe we who know how owe it to everyone to work against "Big Brother". ENSURE that passwords are changed often enough to ensure they have to work for their intelligence, and can't snoop at will due to lazy password security. ENSURE that we implement adequate security on our own machines and gateways, and where possible onto those machines that we can influence.

      And for those tempted to use pen and paper: DON'T. Get/make yourself a good password "system" (or a good app) and stick to it while changing important passwords regularly.

  2. hellwig

    Too Many bad Movies

    I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad Hollywood movies. You know, the kind where a password is revealed character by character. "I only need 20 more seconds, we're almost there".

    They seem to think that the longer a password is in use, the easier it is to guess. For brute-force methods, there are other ways to prevent that (login delays, maximum attempts, etc...).

    Personally, when I'm forced to periodically change my passwords, I put in a single character or digit I can rotate. Doesn't make my password more or less secure, it just means every few weeks I log in and forget I had to change that one character. The only added "security" of this system would be password getting out of synch (e.g. one site using 'password1' when a different site forced me to move to 'password2').

    Most password issues probably arise from phishing attempts or hacking databases storing unhashed passwords. Shouldn't we be more concerned with user education, password strength, and system security than rotating passwords?

    1. VinceH

      Re: Too Many bad Movies

      'I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad Hollywood movies. You know, the kind where a password is revealed character by character. "I only need 20 more seconds, we're almost there".'

      Yeah - in the world of Hollywood, the function that is called to test a password that has been input is actually the guess checking function from the game of Mastermind.

    2. Tomato42

      Re: Too Many bad Movies

      passwords are more likely to be guessed the more they are used; but it is offset very easily by making it longer

      the original advice of the 30-day lifetime of a password assumed a fairly simple password (essentially a single word selected uniformly at random from greatly reduced English dictionary), double the password (use two words) and the 30 days suddenly become 80 years at the same level of security

      oh, and another thing often forgot: the original advice included mandatory rate limiting on incorrect logon attempts

    3. jonathanb Silver badge

      Re: Too Many bad Movies

      I use [password_string]may16. Next month it will be [password_string]jun16.

    4. veti Silver badge

      Re: Too Many bad Movies

      I'm required to change a password every month, for a service that only allows limited length passwords (10 characters, I think, is the maximum), and has other (undocumented, naturally) limitations about what characters you can use.

      When they first issue a new user with their first password, it's by default set to "day+date", e.g. "Friday06".

      No prizes for guessing how I choose my new password each month. And I'm prepared to bet, 90% of users of this particular service do the same thing.

      Security? Don't make me laugh.

      1. WatAWorld

        Re: Too Many bad Movies

        It used to be 8 characters was the limit.

        A previous poster suggested words from a greatly reduced dictionary.

        I don't recall words being advocated in the IBM and Univac worlds I worked in back then.

        Even back in the 1970s a mix of numbers and letters was encouraged. But there was that 8 character limit and the 30 day duration, supposedly based on the duration that would make it too likely someone would be able to brute force the password by typing.

    5. werdsmith Silver badge

      Re: Too Many bad Movies

      "I think the constant need to cycle new passwords (sometimes every few weeks) is because too many CSOs/CIOs/CTOs watch bad Hollywood movies."

      Or because Password Policy is built into the software, whether that be Active Directory, LDAP, Oracle or SQL Server or whatever, password expiration is often a checkbox on the account details.

      If it's there then the security audit people expect it to be used. I've had some discussions with the security people about non-expiring passwords because they don't understand that a non-user account (like one that is used for a Windows Service) should not be on the auto-expiring password policy.

    6. Sproggit

      Re: Too Many bad Movies

      With specific reference to your comments regarding defense against brute force attacks... Maximum attempt limits are a great way to allow an attacker to perform a denial of service attack against your legitimate users. And to those who are reading this and thinking that they would simply include an ever-increasing retry delay to thwart automation of this attack: remember that likely 90% of existing authentication platforms out there simply don't have that functionality... So good luck with adopting that as protection for ooh, say, your platform administration accounts...

  3. blcollier

    Best password advice I ever had?

    Generate one extremely secure (and, preferably, long) passphrase and use that as your "master". Then use a password manager to generate and store random passwords for everything that you don't consider to be a high risk (someone posting crap on my facebook account is different to someone siphoning money from my bank account) and encrypt this database using your master passphrase. For anything high-risk use your master passphrase. And use two-factor authentication where possible.

    I used DiceWare to generate a 7-word master passphrase. Ought to be good enough for a few years yet.

    1. Anonymous Coward

      Re: Best password advice I ever had?

      I use an oldish tree-style app called Keynote NF...one file, portable app and it's encrypted if you tell it to be. Keep the link and other account bits together; and only using your internal links proofs you against phishing too.

      Looking for a Linux replacement if anyone has any ideas. Encrypted, definitely; tree-style with tabs would be favourite.

      1. BenDwire Silver badge
        Boffin

        Re: Best password advice I ever had?

        Have you looked at NoteCase Pro? I've been using it since I ran Linux on my Zaurus (!) and now use it with Debian, Windows & Android. Encrypted, portable & cross platform. OK, so it costs a few beers, but it's under constant development. Worth it, in my view.

        1. Anonymous Coward

          Re: Best password advice I ever had?

          That's exactly the sort of thing; but 67 euros is a bit more than I envisioned paying. Will definitely keep it in mind as a fallback option though. Thanks.

        2. Anonymous Coward

          Re: Best password advice I ever had?

          @BenDwire - I've been sniffing round NoteCase Pro all day...I really like the look of it; but 67 euros is a bit traumatic in my view. Got no use for OSX and I wouldn't really use it on Android (I don't log into anything with Android). So, I was reading through the docs in my best "You'll no be having a sale then?" mode and I noticed 2 things....firstly it comes with its own built-in synch server. Secondly -something I should have noticed right away- there's a Raspberry Pi version! I think I'm sold.

          All that remains, I suppose *glum* is to cross the lava moat, swing across the scorpion pit; dodge the rolling boulders and crowbar my wallet open while dodging the poisoned arrows.

      2. Palpy

        Re: Best password advice I ever had?

        KeePassX for Linux? Used it for quite awhile. The db(s) are external to the application, though, so it's not a single file. Cross-platform and free.

        1. Anonymous Coward

          Re: Best password advice I ever had?

          Dedicated password managers make me a bit nervous for some reason. There have been issues with a few of them; and they all have more system integration than I'm really comfortable with. I'm probably almost alone in this; but convenience is not that high a priority for me. I'm more interested in ease of recovery and encryption in case my work machine gets nicked.

          Plus, after working that way for quite a while now I've really come to like the tree view way of doing things...I have a per-client tab with a tree of notes underneath that; with each note containing whatever I need to know about that service....means I can find anything in real-time while talking on the phone and have everything I need to know in front of my eyes before I've finished the sentence, just about. Then, I copy the password, click the link and remember the username and I'm logged into the relevant bit by the end of the next sentence. Makes you look efficient (no mean feat in my case).

          Keynote NF also has alarms you can set for a particular date; which comes in handy from time to time.

          1. werdsmith Silver badge

            Re: Best password advice I ever had?

            I use a formula, a secret and complex formula but I only have to remember the formula.

            The formula uses cues from the context of the login to construct a password, so it is always unique to whatever service I'm logging into. If I forget the password, then I can just reconstruct it from the formula.

            1. Sixtysix

              Re: Best password advice I ever had?

              "I use a formula, a secret and complex formula but I only have to remember the formula."

              "The formula uses cues from the context of the login to construct a password, so ...I can just reconstruct it..."

              Sounds like me for most web logins: the only issue I have relates to the fact that some sites have nasty rules (no repeating characters), don't allow some symbols (*) or insist on lengths that do work (7<password>12), so I have alternates - sometimes takes three passes to work out what variant I'm coping with!

              For banking and email I stick to more secure hashes from KeyPass.

            2. Jelder

              Re: Best password advice I ever had?

              I tried that for a little while, but in too many cases ran across problems with my chosen system:

              Systems with min/max/character requirements that blocked the 'generated' password

              Systems that required changing regularly (no way to change without using a different formula)

              Once, a change in the URL

              I gave up and now use a random string generator and a secure way of saving them, but it's no use when I'm not on my main PC.

              1. Anonymous Coward

                Re: Best password advice I ever had?

                @AC - That one's simultaneously too complicated and too simple for me as I have lots of other people's passwords to cope with too. Also my memory is more visual (ie, stuffed) than that. Anything that involves me remembering what to search for is not going to last.

                And using the tree/note system you can keep all sorts of other stuff in there too...the login link; both for speed and as a phishing protection. Email address/pseudonym; complete false identity for obnoxiously intrusive sites that I need for some reason; and for client stuff a list of things I need to fix/amend/whatever.

          2. Anonymous Coward

            Re: Best password advice I ever had?

            > the tree view way of doing things

            Maybe http://www.passwordstore.org/ would work for you (although it's a CLI tool so no tabs). The tree of passwords is just a directory tree, one file per password, where each file is GPG-encrypted.

            Example use:

            pass -c shop/amazon

            prompts me for my GPG passphrase, decrypts the password in the first line of that file, and puts it on the clipboard for 45 seconds before removing it again.

            Subsequent lines of that file can be used to store anything you like in free text (e.g. username, account number, password recovery secrets etc)

            You can synchronize it using whatever filesystem sync tool you like (dropbox, syncthing etc) or as a git repo.

    2. harmjschoonhoven

      Re: Best password advice I ever had?

      I will never discuss passwords - full stop.

  4. John Smith 19 Gold badge
    Gimp

    So if you trust the security services with your passwords – and who out there doesn't?

    As Edward Snowden has demonstrated the answer is of course in the UK the answer is no one

    1. ZippedyDooDah

      Re: So if you trust the security services with your passwords – and who out there doesn't?

      trustnoone

  5. Anonymous Coward

    "my name.......it's J R Hartley!

    It would be a big help to us if GCHQ could tell us some of their passwords so that we can compare them to our own and change them if need be.

  6. RFC822

    Pointless

    The main reason for changing passwords periodically is to reduce the window of opportunity during which a compromised password can be exploited.

    Of course, most compromised passwords will be used immediately after they have been compromised, so changing passwords every 30/60/90 days is pretty pointless. However, the user has to remember yet another password - and is quite likely to choose a less secure one in the haste to satisfy the password-reset requirement.

    Good to see some sensible advice being provided.

    1. Eddy Ito

      Re: Pointless

      I'd also wager that most users who are forced to change their password regularly don't change it by much to make remembering that much easier. Chances are that if their current password is Password_3 the next one will be Password_4.

    2. Paul Crawford Silver badge

      Re: Pointless

      Exactly, so once per year would leave on average 6 months to do your business over! Pointless...

      However, changing shared passwords after someone leaves (say any shared admin accounts on certain boxes that don't support more than one admin user), or following a potential compromise, makes a lot of sense.

      1. dajames

        Re: Pointless

        ... changing shared passwords after someone leaves (say any shared admin accounts on certain boxes that don't support more than one admin user), or following a potential compromise, makes a lot of sense.

        Shared passwords are a problem best avoided by not sharing passwords. Every user should have a unique ID and their own password, and shared permissions should be managed at the group level.

  7. Anonymous Coward

    If someone has compromised your computer and stolen your password. Changing your password is just going to give them an opportunity to also steal your new password.

    1. Anonymous Coward

      Just so. I have owned people that way, in my yoof.

  8. Aodhhan

    Good effing greif.

    A password policy which requires upper and lower case and 15+ characters long is all you need.

    Anyone can be taught how to put together a passphrase they can easily remember. Make it silly, make it gross, make it rhyme, etc. Put together words from your life, hobby, little league memories.

    iPlayedShortstop4years

    BiebsDrivesFastCars

    TomCruiseCouchJumper

    MyNeighborHatesDogs

    MyDaughterThinksShesGod

    YellowCarsAreSoUgly

    MyBossHazaLittleWinkie

    PriusDriversScareMe

    Have to change it in 60 days? Put a twist on it, add numbers or characters. Reverse Caps, etc.

    !!TomCruiseCouchJumper@@

    Really Brits... even you can learn this. Hey, another easy to remember pass phrase.

    1. Seajay#

      Re: Good effing greif.

      The fewer password rules, the better. In your examples the requirement for mixed case only adds 1 bit of entropy but it adds hassle, so drop it.

      1. Tom -1
        FAIL

        @ Seajay# Re: Good effing greif.

        The only way that requiring mixed case can add only one bit of entropy is that the maximum password length is 2 characters. So I guess I wouldn't allow you to have any influence at all on any of my security policy.

        1. Seajay#

          Re: @ Seajay# Good effing greif.

          @Tom

          That would be true if people were creating completely random strings. If, as is suggested, they use a sentence and either capitalise or not the first letter of each word, that's only 1 bit. In fact if you force mixed case on them then they will always capitalise the first letters so your rule has actually reduced the password space.

    2. Rich 11 Silver badge

      Re: Good effing greif.

      Really Brits... even you can learn this.

      You're about 20 years too late, septic knob end.

    3. Adelio

      Re: Good effing greif.

      Fine when you only have one password to remember. But for the rest of the work where we have many company passwords and who only knows how many personal on-line account passwords.

      Let me think

      Twitter, facebook, Google, yahoo, microsoft cloud, ebay, amazon, paypal, netflix, plus all your on-line bank accounts (I must have at least 10) etc, etc...

      A really big hassle to remember the passwords (and other security questions) all with different rules and expiry periods.

  9. zanshin

    My work organization forces us to change passwords every 90 days. It also enforces rules that tend to make the passwords we use hard to remember, forcing limits on character reuse, sequences, and requirements for special characters. It also won't let us reuse any of our past *ten* passwords, and it can tell if you are just making small adjustments. Password_1 going to Password_2 won't fly.

    I sort of see the point. It is, after all, the password associated with our core corporate identity. We use it to sign in to just about everything, often including systems where we have privileged access. So nicking the password of the right people would be very powerful. Still, even half of 90 days is a long time to have someone's password, and most of the ways of getting it (malware installed via phishing) would probably be able to get the new one even if it was reset.

    We can't install our own software on our PCs (for good reason) and there's no company package for a password manager. (There ought to be, IMO.)

    I ended up finding a password pattern that I could memorize (through mnemonics) that met the password requirements. I also figured out how to mutate it very slightly each time I have to update it in a way which passes the history limits and is easy for me to keep track of.

    I honestly have no idea what most people at my company do to manage their passwords. I'd bet money an awful lot of them write them down. Some I know are probably smart enough to use good password managers on their personal phones.

    1. DavCrav

      "and it can tell if you are just making small adjustments. Password_1 going to Password_2 won't fly"

      Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no.

      1. Joe 35

        "Doesn't this mean that they are storing previous passwords in plaintext?"

        In a word, no.

        You enter "Password_4".

        System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist.

        1. DavCrav

          "In a word, no.

          You enter "Password_4".

          System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist."

          Good point, I didn't think about that. OK, ignore my statement.

        2. Bill Gray

          @Joe 35 :

          "...You enter "Password_4".

          System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist."

          A nice solution. Though I admit, I'd probably just switch to PasswordJan, PasswordFeb, etc.

          1. werdsmith Silver badge

            @Joe 35 :

            "...You enter "Password_4".

            System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist."

            A nice solution. Though I admit, I'd probably just switch to PasswordJan, PasswordFeb, etc.

            It's not a good solution though is it? It reveals that the password hashes aren't salted which is crap, and if they were then this wouldn't work.

            1. Anonymous Coward

              > It's not a good solution though is it? It reveals that the password hashes aren't salted which is crap, and if they were then this wouldn't work.

              Looks like somebody doesn't know how password salts work.

              The password salt is itself stored in the password file - in plain text. If it weren't, it would be impossible to verify a password by comparing

              hash(salt + presented password) = stored_hash = hash(salt + original password)

              1. dajames

                The password salt is itself stored in the password file - in plain text. If it weren't, it would be impossible to verify a password by comparing

                Exactly so.

                The purpose of a salt is to ensure that if two different users coincidentally choose the same password they don't generate the same hash. There is no requirement that the salt be secret, just that it be different for each user. That prevents rainbow table attacks, among others.

        3. nijam Silver badge

          > System sees last digit is a number, replaces that number with n-1, generates hash result...

          Surely they just store the last 10 hashes?

        4. dajames

          You enter "Password_4".

          System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example)

          I seriously doubt that anyone would bother to code a check for such a specific incremental password change. The user could just as easily change Password_3 to pAssword_3 or Passwor_d3 or Password*3 or Qassword_3 or ...

          No. If you're going to compare a putative new password against a list of old ones you need some way to recover those old passwords in clear. That doesn't mean that they have to be stored in clear, though.

        5. Anonymous Coward
          Anonymous Coward

          Does it cope with n+1, going from password100 to password99, or password90 to 92, or adding a char at the end? Users always seem to find a way around these things.

        6. Andy france Silver badge

          That would work but mostly they are not that sophisticated and simply compare the new password with the current one that you have to enter as part of the password change function.

      2. Anonymous Coward
        Anonymous Coward

        > Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no.

        Not *necessarily*. For example: when you set your original password, they could also hash 1000 different forbidden variations of that password and store those 1000 hashes.

        Bet you they don't though :-)

        But more importantly, some common authentication systems *require* the plaintext password to be stored server-side anyway: Kerberos (and hence Active Directory) is the main example. It's fundamental to how it works.

        Sure, it's an obvious point of attack, but every system has points of attack - as long as you know where those points of attack are you can take the appropriate precautions. And if your authentication server is compromised, you are toast anyway.

      3. Roo

        "Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no."

        They don't have to store them in plain text, salted hashes will do.

      4. dajames

        Doesn't this mean that they are storing previous passwords in plaintext? Surely a massive no-no.

        Not really. It means that the system has to store the previous passwords -- not necessarily in plain text -- but not the current password. If the system is successful in ensuring that the passwords are appreciably different then having access to the password history won't significantly compromise the current password.

        The password history can be salted and stored using a key accessible only to the system -- or using (say) a hash of the current password -- so it needn't be easily attackable in any case.
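The two points argued in the replies above (a per-user salt stored in plain text does not stop the "n-1" check, and a password history can be kept as salted hashes), as an added sketch that is not part of the original thread or of any real product. The function names, the PBKDF2 work factor and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password, salt=None):
    """Return (salt, digest). The salt is stored in the clear next to the digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(candidate, record):
    """Re-hash the candidate with the record's own salt and compare in constant time."""
    salt, stored = record
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def near_variants(candidate):
    """The candidate itself, then the neighbours an 'increment the number' habit implies."""
    variants = [candidate]
    m = re.search(r"\d+$", candidate)
    if m:
        stem, digits = candidate[: m.start()], m.group()
        for neighbour in (int(digits) - 1, int(digits) + 1):
            if neighbour < 0:
                continue
            # Try both unpadded and zero-padded forms (e.g. 99 and 099).
            for text in (str(neighbour), str(neighbour).zfill(len(digits))):
                if stem + text not in variants:
                    variants.append(stem + text)
    return variants


def check_new_password(candidate, history):
    """Return 'reused', 'incremented', or None if no stored hash is hit.

    This runs at password-change time, when the server holds the candidate
    in plain text. Old passwords are never recovered: each variant of the
    new one is hashed with each old record's salt instead.
    """
    for variant in near_variants(candidate):  # exact candidate is checked first
        for record in history:
            if matches(variant, record):
                return "reused" if variant == candidate else "incremented"
    return None


if __name__ == "__main__":
    # Constructed history: salted hashes only, no plaintext kept.
    history = [hash_password("Password_2"), hash_password("Password_3")]
    for attempt in ("Password_3", "Password_4", "pAssword_3", "Password_5"):
        print(attempt, "->", check_new_password(attempt, history))
```

Only variants that are explicitly enumerated get caught: `pAssword_3` and a jump from 3 to 5 both pass, and every extra variant costs one more slow hash per history entry.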

    2. gv

      Unless you have an elephantine memory, the "ten" passwords rule kind of forces you to write down the previous passwords just to cut down the time required when typing in the new password.

    3. Omgwtfbbqtime
      Happy

      @zanshin

      My employer has a similar 90 day policy.

      I find it easiest to keep the first half of the password constant and the second half the name of something current to me.

      I ran through work/rest/play as the 2nd half over most of 1 year, closed out the year with mars....

      I've found I can revert to the start of the password list every time I get a new laptop though so it must be local hashstore rather than at network level.

      1. Doctor Syntax Silver badge

        Re: @zanshin

        "I ran through work/rest/play as the 2nd half over most of 1 year, closed out the year with mars...."

        Deep and fried for the start of the next year?

        1. Omgwtfbbqtime
          Happy

          Re: "Deep and fried for the start of the next year?"

          Nah, I had moved into a Suzanne Vega phase by that point -

          Blood

          Makes

          Noise

    4. yoganmahew

      Sixty day rule for me.

      Apart from the system that is 30 days.

      And the other one that is 89 and its sister system that is 90.

      I counted it up - 18 different passwords. Some of which are never changed. I used to try and change them all when the 30 day one was up to keep them in synch, but the rules are different and some can only be changed once a day (so if you get to system 7 and find your carefully chosen password is not permitted, system 6 can't be changed until tomorrow). Then they made them different lengths anyway.

      Oh and they're all only accessible within a VPN...

      PS there's no such thing as a secure password manager on a smartphone...

    5. Martin Gregorie

      We use it to sign in to just about everything, often including systems where we have privileged access.

      If your employer's passwords are regarded as so corplife-threatening as to need such an elaborate vetting process, why not ditch them altogether and switch to a 2FA system? Much more secure.

      It's not as if the 2FA tokens are all that expensive (if they were, the banks wouldn't hand them out like candy) or even that new: the GMP were using 2FA logins back in the late '80s, so if plod can handle 2FA then any PHB should be able to get his head round it too.

      1. Doctor Syntax Silver badge

        "if they were, the banks wouldn't hand them out like candy"

        And about as effective in the case of the one I was given.

    6. Anonymous Coward
      Anonymous Coward

      45 days...

      ...and a ridiculously complicated set of rules for new passwords at one of my recent clients' organisation.

      But: As long as you know anybody's username (surname and initials will do), you can just call helpdesk and ask them to reset your password. They will gladly tell you the new one over the phone right away.

    7. Anonymous Coward
      Anonymous Coward

      Similar with the company I work for.

      What I have done is just add a number on the end of the password. The clever bit is that I do it in words. So eg. PasswordOne, PasswordTwo. The sneaky bit is that I do the numbers in a foreign language!

      1. Anonymous Coward
        Anonymous Coward

        There's also the old keyboard finger shift where Password_2 becomes {sddeptf+3. It's a simple matter of wrapping around when you get to one side of the keyboard or an illegal character.

  10. pmartin66

    12345

    That's the combination for my luggage!

  11. David M
    Thumb Up

    Bruce Schneier

    The security guru Bruce Schneier agrees that password changing is generally a bad idea.

    As does Microsoft.

    1. GeoGreg

      Re: Bruce Schneier

      I think it was about 20 years ago that I first read the advice to pick a good password and stick with it, probably from Schneier. I think the length of a "good password" has probably increased since then, but I believe the principle is the same. Pick something you can remember that is hard for others to guess, whether by brute force or by picking at your life details. For passwords I control, I use a strong multiword passphrase from a generator if I want to be able to remember it at the keyboard, and randomly-generated strings in a cross-platform password manager for credentials I just want to be able to copy/paste. I turn on 2FA if it's available. I don't store passwords that I don't control in my manager, as I don't want that responsibility in the event my manager is somehow compromised. I read many analyses before picking a password manager program that had the features I want. I think I've achieved a balance of security and convenience that works for me.

      (Note: I specifically am not commenting on which safe I use, since this is about security principles, not particular software implementations. Schneier wrote his own manager, and there are many others.)

      1. Adrian 4

        Re: Bruce Schneier

        So what do you use for passwords that you'll have to type into a phone (perhaps via a terminal app)? Long, mixed-case passwords are especially difficult to type.

        1. nijam Silver badge

          Re: Bruce Schneier

          > Long, mixed-case passwords are especially difficult to type.

          They also slow you down. It's worth choosing a password where the "difficult" (e.g. shift+letter) stuff is a single character at the start of the password. (There are plenty of unshifted symbols available for the rest of the password, after all.) Then you can type the rest of the password (relatively) quickly/easily.

        2. Martin

          Re: Bruce Schneier

          Me, I never type any password into a phone for anything important.

          But I use a password safe and good old copy'n'paste if I do need to type a password on my phone.

          So despite the Reg's sarcasm, I actually think that the advice is sensible. I use 12-char randomly generated passwords and a password safe.

  12. I ain't Spartacus Gold badge

    I'm quite good at remembering passwords, so this may not work for other people. But I pick themes. I have a simple password for sites like El Reg, where I don't particularly care if I get hacked. Although perhaps the pain of 1,000 downvotes when my hacker fills the site with campaign ads for Donald Trump will change my mind?

    But when I was being forced to reset them for work regularly, I could pick the Persian Wars of the 5th Century BC. You've then got Platea, Thermopylae, Xerxes, Marathon to play with. Nice unusual letters, but obviously vulnerable to dictionary attacks. But I can remember the capitalisations and breaks introduced into the words to split them up once I've remembered the word - and there's only a limited number of words to pick from. So I can remember what I've done, and it's easy to find a new password at short notice. Then pick a new historical event, or theme (say types of sportscar) - once you've mined the previous one.

    I could use a password manager, but I don't trust them. They seem like a dangerous single point of failure to me. Two factor authentication on the bank and hope for the best.

    1. Lee D Silver badge

      I use different levels of password for different things.

      The Reg:

      Do they have my credit card? No.

      Can someone take my account and wreak havoc with it? No.

      Do I need to trust The Reg to adequately secure their passwords with hashes, etc.? Yes.

      So a level 2 password it is. Quite simple, not guessable, not especially onerous, and shared with other Level 2 sites.

      When it comes to online banking, not a chance that it's a guessable password even if you knew my life in intimate detail (randomly generated string of characters from my own script, run a hundred times, one password chosen at random, memorised and then the list destroyed), shared only with sites that present exactly the same kind of hazard (e.g. PayPal with the same banking information plugged into it).

      When it comes to rubbish untrusted forums that I had to sign up for to download a bit of freeware or whatever? Junk that even if compromised would only get you into junk of the same level anyway.

      Once you have that set of passwords, it's then not hard to fathom - first time - what password you would have used based on the service you're trying to log into. And, worst case, a handful of guesses of the LOWER LEVELS (wouldn't try the banking passwords on what is just a forum, for instance, just in case it was being recorded) would get you there. And nothing of interest is shared with stuff likely to see compromise. And compromise on one gets you no more power on anything else with that same password.

      Don't trust password manager software at all (even if I could write it myself, a person trying to implement their own encryption even using popular libraries is like someone trying to represent themselves in court - they have a fool for a client).

      And two-factor anywhere that I can see the use of it (e.g. banking, a very expensive Steam account, Google services, etc.).

      1. This post has been deleted by its author

        1. I ain't Spartacus Gold badge

          Generating random passwords is easy. All you need is some combination that's not in the dictionary and is quite long. If someone's got a rainbow table for all passwords up to 20 characters long, then you're stuffed whatever you do - and however well generated it is. Otherwise it doesn't really matter, within reason.

          Personally I'm unlikely to remember total randomness (or even an approximation of it). But a short, non-grammatical phrase with random capitalisation, the odd special character and words spelt wrong, mis-ordered and interrupted should be good enough.

          1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      It would be nice if we had a dedicated password manager device with little to no communication abilities (NFC at best). One of the most risky aspect about password managers is that you run the software on your potentially compromised computer. But a dedicated device that is practically off the grid with immutable operating system and encrypted password database along with its own user interface seems like it would be more secure.

  13. Mutton Jeff

    P@ssword1

    Next month P@ssword2

  14. Anonymous Coward
    Big Brother

    Schizoid tendencies at The Register?

    It's a shame El Reg didn't apply this level of cynicism to yesterday's "Let's all go back to playing 'pretend NIST isn't an NSA front' again" "article" where it might have actually been warranted. Trying to make up for it today Reg?

    http://www.theregister.co.uk/2016/05/04/nist_readies_postquantum_crypto_competition/

    Need a schizoid tendencies icon -->

    Poor old Snowden. "Burnt his life to the ground" for absolutely sweet FA.

  15. Mike Moyle

    Requisite "The Princess Bride" reference:

    "It is inconceivable that..."

    "I do not think that word means what you think it means."

  16. Deltics

    "The idea behind automatically and regularly resetting your password is pretty obvious: it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers."

    Yes, that's the *idea*. It's also completely idiotic.

    The "achieved goals" are only the goals *intended* to be achieved. The policy in no way acts to ensure that those goals are *actually* achieved.

    1. Historical password information rendered useless.

    Not if the user is adopting some date related component with an otherwise fixed password. e.g. xxxxxxxxxAPR2016. If you have someone's historical password then you can easily predict what their current password might be - just change the date component until you hit pay-dirt. (Numeric components, just keep increasing the numbers or - if you have a particularly creative user - decreasing them)

    2. Forces users to think periodically about security.

    NO! You might like to THINK this is what is happening, but all it forces is an awareness that there is an annoying security policy. This in no way guarantees what thoughts that awareness will then result in. In most cases the thoughts will not be "Hmmm, now I must carefully devise a new, secure password". It will in most cases be "Goddamit not again". Followed by an entirely thought-free process of mechanically applying the algorithm the user has devised to generate a new password that satisfies the policy with the minimum of effort on their part. After all, this is just something that is getting in the way of their doing the things they actually want and/or need to do and which they want to deal with as quickly as possible. Rigor and diligence are simply not a factor, let alone any really serious consideration of security.

    3. Increases the likelihood that users will not use the same password on different services.

    There might be SOME element of truth in this one, except that being forced to routinely change their password by one service, the chances are high that they will simply incorporate their "normal" password (the one they use on all the services that do not force them to change it) in the rotating password that they use for the ones that do. If the password reset cycles are not in sync this in turn further increases the likelihood that the variation they adopt will be some date based formula, since this allows a user to make a good guess at a forgotten password within the common "3 strikes" window of opportunity (the month they think they last changed their password then one month either side).

    4. Creates a moving target for hackers.

    Wrong. This final "conclusion" is predicated on an idealistic scenario arising and the previous 3 goals all having been met because the user is aware and complying with the expected, ideal behaviour laid out in those 3 goals.

    In reality the "moving target" is likely to be just a shuffling target. Barely moving at all (and worse: moving in a highly predictable fashion).

    People are not cogs in a machine that will behave the way that the designers of the machine want.

    1. schekker

      Could not agree more. In fact any business which considers its security so crucial that permanent passwords are not acceptable, should not depend on passwords at all. Period. Token authentication or 2-factor authentication are far more secure and far less bothersome than passwords which need to be reset every x days.

  17. Anonymous Coward
    Anonymous Coward

    It's not unreasonable for someone to set a good password once or twice but if asked to do it every month it becomes a problem, and people are good at solving problems.

    The only time passwords need to be changed regularly is if they are shared and you need to keep the pool of people who know it under control.

  18. Dadmin
    FAIL

    You are a hacker's wet dream, every single one of you!

    Are you saying you're an IT "pro" and you agree with this nonsense of single password, or other English dictionary words with some added "specials" on top? And you think that's secure, or you're a low-level target, so why bother setting a good password at all? Wow, pretty disappointed with what I'm reading here today from people who dare call themselves IT pros. Fucking disgraceful! Shame on the whole bloody lot of you! The hackers have won, and it's your own fault, you lazy stupid asshats.

    Here's the real deal; this "advice" would have been better served up in 2005. If you're an IT "Pro", and you're not already using your own password generator, or using completely random strings... shame on you, idiot. Two factor when and where possible. Natch.

    I guess to be fair you have a right to set your own security expectations lower, just like at your little site. Yes, your tiny brain hurts SO MUCH when you add that third password! Seriously, if you can't remember a few random strings, perhaps you need an easier job like a Starbucks Barista? Then you don't even have to remember your customer's name, you write it down on a fucking plastic cup. Then look up the recipe for the drinks you also can't remember... Hey, I just solved all your IT password problems! You're fucking welcome. Now, get the hell out of IT before someone who knows what they're doing figures out that you don't. Bus wankers!

    Don't bother replying, I'm already miles ahead of you by now, and I already know what you think, and it's not very clever. Just play catchup and see if you can spot my arse out in the distance in front of you...

    1. Ken Hagan Gold badge

      Re: You are a hacker's wet dream, every single one of you!

      "Seriously, if you can't remember a few random strings..."

      Much as I regret replying to such obvious trolling, I feel strangely compelled to note that I have roughly 100 different passwords covering my various online activities. I have better things to do with my brain than remember that lot. If you don't, then you have my sympathy, but not much since you are clearly a bit of a sociopathic twat.

      1. werdsmith Silver badge

        Re: You are a hacker's wet dream, every single one of you!

        I don't think it's trolling, I think it's just a massive ego out of control

    2. Roo
      Windows

      Re: You are a hacker's wet dream, every single one of you!

      "Here's the real deal; this "advice" would have been better served up in 2005. If you're an IT "Pro", and you're not already using your own password generator, or using completely random strings... shame on you, idiot. Two factor when and where possible. Natch."

      Sadly "completely random strings" are not possible on the majority of systems folks use, simply because of the ever-tightening constraints on what characters you can use in a password and the order they are in. Not only that but there are still a lot of systems out there that don't validate more than "n" characters of a passphrase anyway. :(

      You really should get out more before deciding everyone is an idiot.

  19. Anonymous Coward
    Anonymous Coward

    I trust the spooks!

    as much as I trust the government and the banks. It's a solid, permanent, unwavering, stable and constant level of trust that's very easy to remember due to its simplicity.

  20. israel_hands

    The advice is pretty sound, actually, even if I don't really trust the bastards giving it (stopped clocks and all that).

    Forcing people to change their password every, let's say, 90 days makes it more likely they'll just stick a number at the end and increment it, which means if you break it once, you can probably break it again when the user changes it.

    That gives a false sense of security, which weakens the overall system. And the forced-changes themselves add to that. If you're making users update their passwords it's because you think it's more secure. The thinking is that even if their password gets cracked the intruder will only get a limited amount of time. In reality they get between 1 and 90 days, most likely somewhere in the middle. If you can find or do what you want within that sort of timeframe then you could probably never do it anyway.

    It's the illusion of security, which is a weak point, and it pisses users off which leads them to be sloppy and resent any of the security stuff they have to put up with.

    1. Anonymous Coward
      Anonymous Coward

      It gets worse, if the admin is so super paranoid they implement some way of making it very hard to simply have word+digit incremented the users will just keep it on a sticky note on their desk... or laptops, I've seen it on laptops.

      I've always been a fan of one off long passwords, or core long passwords with something either side of them.

      Funniest thing is when you come across a system that complains your password is too long.

    2. John F***ing Stepp

      When I was doing these things I would use a phrase of over 40 characters, change that to '133t' speak, then reverse the whole thing.

      Were I to run servers again I would now do something different.

      (because that scheme is now public)

  21. Anonymous Coward
    Anonymous Coward

    I've been saying this for a decade

    This advice is from the 90s when password exploits were typically based on an attacker getting hold of the encrypted passwords and running crackers or rainbow tables against them. People weren't required to have good passwords back then so they were possible to crack.

    Once you started seeing the uppercase/lowercase/number/punctuation type rules enforcing better passwords the return on investment for grabbing encrypted passwords was greatly diminished (at least for ones that protect real stuff, sites like El Reg that don't require good passwords could still have them trivially cracked, but there's no gain for anyone cracking Reg commentard passwords)

    You can enforce some pretty nasty passwords if they know they are able to keep them forever, at least for several years instead of only 90 days. I've seen some places that required admin passwords be reset every THIRTY days. You are pretty much guaranteed that people will either write them down, cycle through a list of 'good' passwords they use at other places, or do something like HardPassword1234 HardPassword2345 etc. (I used the latter)

    It will take another decade before this obsolete advice of frequent password resets gets removed from 'common wisdom' and checklists of generic security audits, unfortunately.

    1. nijam Silver badge

      Re: I've been saying this for a decade

      Only a decade? It's been obvious common-sense ever since the idiotic idea of frequent password changes started to creep into security policies.

  22. regadpellagru

    the problem with password change policy:

    is it dramatically weakens the ones of security aware people, and also weakens the ones of complete utter tools:

    - security aware people will have a complete random string, special chars, numbers, upper and lower case, no dictionary word etc .... Forcing them to change it periodically will just make them force a common prefix and an incremental number after it, like in PASS01, PASS02, etc ... All of those with a very strong PASS. This is adding 0 security to those users and in fact decreases it, due to common prefix ... Retarded.

    - tools will generally try any dictionary word they know + any number and largely write it down in order to retain it. Very low security, and largely lower security than if you allowed them their first/last girlfriend/boyfriend name. Retarded.

    All of this because of the argument of someone could have spotted the password above their shoulder, which rarely happens.

    I've always found those policies very detrimental to security. And this multiplies with big corporations having multiple ID systems and varying pass change period.

    Again, at the end, you end up putting them all in Excel.

  23. zsanfusa

    Agreed

    Quit being foolish. If changing pwds was an easy crack then the Five Eyes wouldn't care! While you're at it just go follow NSA's advice on encryption...

  24. Anonymous Coward
    Stop

    GCHQ suggests not changing passwords!

    In other news the National Poultry Association promotes Thanksgiving as a great day for turkeys to "get away from it all"

  25. unbender

    Ironic (given the subject) that no one has recalled this nugget yet

    Passwords have been done to death, but as always xkcd has summarised it rather well: https://xkcd.com/936/

    1. David Nash

      Re: Ironic (given the subject) that no one has recalled this nugget yet

      Actually "CorrectHorseBatteryStaple" was mentioned in the very first comment.

    2. The Vociferous Time Waster
      Thumb Up

      Re: Ironic (given the subject) that no one has recalled this nugget yet

      Thank you, I was beginning to think nobody would repost that XKCD. It's almost like we've all seen it a million times.

    3. The Vociferous Time Waster
      Thumb Up

      Re: Ironic (given the subject) that no one has recalled this nugget yet

      Thank you, I was beginning to think nobody would repost that XKCD. It's almost like we've all seen it a million times.

      Did you study the Alanis Nadine Morissette school of irony?

      1. This post has been deleted by its author

  26. Anonymous Coward
    Anonymous Coward

    Well I'm not a security expert or anything, but with encrypted password databases, why is this even a problem? Not that you should solely rely on password databases, but if you forget, you can lookup your strong password. There's no reason you would need to have an easy password.

    As for the password database security itself. Keep five backup copies and doodle an inconspicuous strong database password down on a random piece of paper in your file cabinet. Set the database to use 2 million rounds or so and it takes a powerful computer 1 second per attempt.

    And it's not only password changing policies that drive me crazy. There's just so many sites and services to register for! I have 72 accounts (that I remember)! Some of them are extremely important, but I access them maybe once a year or more. Who could remember so many strong unique passwords or strong passwords for seldom-used services? And some of these sites have password-changing policies which makes it even worse. I'm sold on password databases. You can have strong passwords for every site and service.

    1. CJ_C
      WTF?

      Why?

      Would you trust some corporation, likely American, so controlled under the useless Safe Harbor Agreement with your passwords, when their sole aim is to make money out of you? I will stick with paper, thanks.

  27. Stevie

    Bah!

    Passwords would be much more secure if their use was tracked and compared with previous usage patterns, like credit cards are.

    Override out-of-band lockdown with a two-factor authentication and Bob's yer muvver's bruvver.

  28. Winkypop Silver badge
    Joke

    What?

    Have we reached Peak Postit Note?

  29. Fascist Nation

    I hate to say they are correct but periodically forcing new passwords is BS. When you do that you make them easy to use affairs because you have to remember them. I'd rather use a password manager generating a long unique random ASCII sequence for every logon. Then all I need do is remember a long random master password.

    What I hate are websites that force me to use short uncomplicated passwords, will not allow cut and paste submissions (you try typing in a long series of ASCII), use weak crypto to secure the transaction, and for logons that may involve a cell phone you are forced to use a simple password because of the pain of typing it in on a phone and even the limited ASCII.

  30. Anonymous Coward
    Anonymous Coward

    Being careful, being simple.

    They always say "Don't Write Your Password Down!"

    They're scared, and rightly so, of the post-it note stuck to the monitor.

    But that is rather different from the notebook kept in a locked desk-drawer. Although, for some purposes, that might not be a good idea.

    Can password resets be the answer when the guy who authorises them fell under a bus?

    1. Ken Hagan Gold badge

      Re: They always say "Don't Write Your Password Down!"

      They are wrong. 7 billion potential attackers can't read your post-it note. (The locked drawer probably eliminates the others, as you point out, but for most domestic situations, the people with physical access to your drawers really *aren't* the threat.)

  31. Oom Bryce
    Windows

    Password Encrypter ?

    Faced with a gazillion dictionary attacks, I wrote a crappy Javascript program that converts easily remembered passwords into a string of garbage e.g. 1234 becomes =O*02ydeOo9k etc.

    You just cut and paste the encoded password. Anyhow, it works for me and my fellow admin.

    Obviously, I can't post the source code, but it works on the enigma machine principle.

  32. Arachnoid

    All very nice having 2FA and password managers till your secondary device or software stops working, then what? You're stuffed.

    Rather than making employees comply with company policy regarding accessing equipment a much easier solution, we had a 2FA software fitted to the equipment log in screen. The problem was the engineers who needed to access said equipment sometimes have problems getting the 2FA software running to generate a password so couldn't fix any issues until that was working. It got so bad some of the 2FA systems were disabled.

    1. Ken-in-Houston

      The Wrong 2FA Solution?

      It just sounds to me like you were using the wrong 2 Factor Authentication solution.

      There are many out there, but I use LastPass: There is an encrypted store on my laptop, and one in the cloud. So, I can access the cloud when not at my pc, and I can utilize the local datastore when I cannot get online.

      For me, it works great and I would recommend it to everybody!

      1. Seajay#

        Re: The Wrong 2FA Solution?

        That doesn't sound like 2FA to me. That's a password manager, which is completely different.

        LastPass allows you to use 2FA to log in but it isn't in itself a 2FA solution.

  33. WatAWorld

    Sysadmins won't like it?

    Sysadmins won't like it?

    Yeah, sysadmins won't like it because they used to be the only people not forced to change passwords -- they won't like it because everyone will have the same privilege.

    Some sysadmins.

  34. WatAWorld
    Headmaster

    Some history

    Yeah, changing passwords on a monthly basis has not made sense in a long time.

    A bit of history. The original premise (as told to me in 1978 or so) was that passwords were 8 characters, true on IBM mainframes of the day. It would take a month to brute force the 8 character password. (Remember, a brute force attack back then meant a lot of manual typing.) So we mandated changing passwords once a month.

  35. WatAWorld

    What, no free GCHQ sponsored password registry?

    I'm a bit surprised the GCHQ and NSA haven't gotten together to create a free password registry/manager for people, a la LastPass.

    1. Ken-in-Houston

      Re: What, no free GCHQ sponsored password registry?

      Love me some LastPass!

  36. Anonymous Coward
    Anonymous Coward

    Changing passwords regularly

    Makes it easier for the admin or any other staff member to impersonate others as the password will be written down somewhere the user can get to on a Monday morning.

    This is from personal experience, the stuff nightmares are made of, you walk into a room and all the user credentials are posted on the monitor, in the first page of their workbook or on the desk/drawer.

    Best one I saw was a user who would write his corporate username and password on the whiteboard facing his desk, that whiteboard was about eight feet from a ground floor window.

    The stupid it hurts.

    Don't get me started on the highest paid members of staff who think requests for passwords beyond a name or dictionary word once a decade is firing talk.

  37. Lee D Silver badge

    I work in schools.

    My first act upon taking on my most recent job, for a large prestigious prep school, was thus:

    - Stop the stupid automated 30-day "passwords must be reset" that generated dozens of calls every day as various people's password expired when they were off-site, so they couldn't log in remote, and wouldn't let them use any password they've used in the previous year resulting in - I kid you not - things like P4ssw0rdFeb2014.

    - Stop the stupid length restrictions on AD passwords and a few other services ("You must have a secure password but hey, you can't have one THAT secure"?!).

    - Actually implemented password retry limits on the remote desktop (Literally, WTF?!)

    - Encourage all staff to choose a handful of REALLY DECENT passwords on the promise that I wouldn't expire them literally before they got back from half-term.

    - Totally refuse to implement remote-password changing, which would have been at great expense both in money and security. You want to change your password? Come prove who you are to me rather than be some random IP on a web interface. Your password is compromised? TELL ME and I'll block everything from getting in as you, from email to access control, and then I can also check and have something to tell the Data Controller should access have been compromised.

    - Print out and display the relevant XKCD cartoon, especially emphasising the bottom part:

    https://xkcd.com/936/

    - Once a term, stand up in the relevant staff meetings and say "Is it time to change your passwords?" and leave it at that.

    Instantly, much less crap passwords, no more Post-Its stuck to work-area monitors used by particular people, much less staff stress, much fewer helpdesk calls, zero compromises, no children guessing staff passwords, much more honest staff when they think they may have revealed their password (by typing into a spam email link or whatever) and the number of password resets just "because I've forgotten it" plummets even among the children.

    And the biggest complaint now? Their Apple IDs have onerous password requirements so a few of them have just changed one of their main passwords to be "Apple compliant" too.

    As the first act in a new job, it generated a lot of buzz, especially from my boss (the Data Controller). At that point I dug out the relevant word of law (part of which only says "regularly", not "frequently" - once a term is regularly, as is once every ten years) and copied in articles like this from a variety of sources.

    Number of queries of the policy since doing that, even from Data Controller, external audits, inspectors, governors, etc.? Zero. Reason I have the job? Last guy lost all their data, so they are crawling up my backside about everything from disaster recovery to remote compromise to cyber-blackmail to encrypting viruses. But radical password policy that means my users have more secure passwords and much less hassle? Zero.

    It does help that I'm a mathematician, though, I think, so I can literally explain brute force numbers in seconds in a way they can understand. Password compromise is something that isn't affected by the length and strength of your password, and that's infinitely more likely. And brute force is much more unlikely on a random English sentence with perfect spelling and grammar than some hard-to-remember, impossible-to-write-down concoction just to satisfy having numbers in it.

  38. 0laf Silver badge

    I'm quite happy to tell users to write down their passwords and store them in their wallet/purse. Just don't write down the whole password. Pick a character (£$%*& etc) shove that in there and remember where but don't write that bit in.

    Generally people take reasonable care of wallets and purses and even if it gets lost the restricted number of attempts will foil anyone trying to guess the password manually.

    Myself I build passwords from [word1][date of reset][word2]

    That followed on from a conversation with a pen tester where he outlined that it was very easy to break password hashes where a dictionary word had a number at the end.

    Breaking up a word or two words with a number or symbol made it far harder to crack.

    The advice from CESG follows the GDS mindset which is to place responsibility on end users. i.e. here you trust them by not enforcing password resets.

    But you are trusting them to choose strong passwords, to care for those passwords and to monitor users within your environment.

    Reality is that a significant number of users are lazy shits that don't give a toss and will happily have crap passwords that don't change, write them down everywhere and the management will refuse to pay for the product or person needed to monitor users.

  39. Phil W

    Simple choices for complexity

    I often hear complaints from users, both where I work and elsewhere, about how much of a pain password complexity rules are and how difficult it is to come up with a new password regularly.

    These complaints are annoying, not because the users don't appreciate the value of security but because using sufficiently complex passwords that are hard to guess and reasonably hard to brute force is actually not that difficult, unless you work in government or high profile business that's likely to come under a well resourced/state sponsored cyber attack you don't need a totally random sequence of numbers, letters and special characters as a password just one that moderately powered cracking won't break in a short amount of time.

    You can simply construct a password out of numbers and words that have meaning to you but are not related to the system the password is for and wouldn't be immediately obvious to others.

    For example the name and extension number of someone you call regularly at work, maybe your boss, might well be quite memorable giving something like Richard8417. While it would make a terrible password for work systems, it wouldn't be too bad for an unrelated personal email account or bank login. At work perhaps your father's date of birth and your mother's middle name giving you something like 2608Nancy.

    For an extra bit of complexity throw in an exclamation mark: 2608!Nancy would be relatively difficult to crack but have significant meaning to you to make it memorable and unless the person trying to crack your work account has detailed personal background information on you to help the process along this should be secure enough.

    If you can remember them, post codes (zip codes) can be useful password components.

    Passwords made of memorable components can be secure enough for most purposes as long as you pick ones that have no relevance to the system the password is for or better yet are quite obscure, such as the phone number/post code of somewhere you used to work 10 years ago, or your old school, house you grew up in but haven't lived at for some time etc.

    This level of complexity, combined with a password lockout policy to prevent sustained brute force attacks, should be more than enough for most purposes.

    1. Pedigree-Pete

      Re: Simple choices for complexity

      I for one like old car reg numbers, mine and my Dad's, going back decades. Chuck in a few !s and $ or £ if you prefer and Robert is indeed your Mother's brother. PP

  40. David Thomas

    Blame the user as usual

    Instead of continuing to blame the users, the industry should spend time and money developing proper security systems. Biometrics are good but some DNA or quantum approach would be better.

  41. David Thomas

    Stop blaming the users

    GCHQ and the IT industry have a long history of blaming users for lapses in security. The industry needs to develop real security. Biometrics are a start but DNA or some quantum approach would be better.

    1. Phil W

      Re: Stop blaming the users

      DNA, fingerprints and other biometric security are actually terrible ideas. Entry level to mid level fingerprint scanners are unreliable, and prone to getting dirty and being inaccurate and/or are easy to fool, anything decent is expensive. DNA is impractical as with current technology and anything we're likely to have in the foreseeable future it would simply take too long to authenticate.

      Some fingerprint scanners can also be fooled with fingerprints copied onto paper or other material, do you know of any good mechanism for resetting your fingerprints once they've been compromised like you would with a password?

      Putting aside the practicalities of implementation for a moment, do you really want to secure valuable things using your DNA or fingerprints? If it's valuable enough you're just encouraging someone to remove your fingers or blood which is both bad for you and not terribly secure since fingers are far more easily broken than a complex password.

      Also at least with passwords you can either hand them over and potentially not be harmed, or lie to the person trying to get it from you (not necessarily a good idea but it's an option).

      Reliably extracting data from someone's mind is next to impossible, as much as the security services would like you to believe torture (sorry, enhanced interrogation) is effective it often isn't and could easily lead to death before the correct information is retrieved.

      As for a "quantum approach", what form do you envision that taking? Sure quantum computing could open up some more advanced avenues of encryption but strength of encryption is rarely the main security issue these days, but the nature of the key used to unlock it whether that be a password/passphrase or physical key of some sort. These can all be cracked/lost/forgotten/stolen etc.

      The real future (and even present) of secure authentication is two (or higher) factor authentication, whether that be multiple code entries or physical factors like RFID/smartcards.

  42. MJI Silver badge

    When I got forced to change regularly

    At a previous job.

    I resorted to the Platform 5 book of passwords (OK loco spotting book)

    Started at Dreadnaught and worked up. If they needed numbers I would have added the 5 digit number

  43. NBCanuck

    Guilty

    At work we have a forced password reset on the network every three months, and I am guilty of using an incremental system most of the time, and only change the base password occasionally.

    That being said....

    I do have unique passwords for every single site I access. Passwords consist of a base password and something unique to each site. Base password is a phrase along with special characters, caps and numbers. So if my phrase was "Hickory dickory dock, the mouse ran up the clock" I would use something like:

    Hdd88,tMrutC!

    No words, random, but not difficult to remember. Not a perfect solution but has worked for me.

  44. MrKrotos

    I have gotten into the habit of checking if a new password I want to use is in rainbow tables before I use it.

    Way I see it, it's the best test for bruteforce testing my password before use.

    Can't remember the rainbow table I use, but I do know it has the passwords lifted from many hacks (Sony included I think).

    Looking through the list of passwords can be a very interesting and eye opening experience!

  45. BrianT

    The obvious way to generate an easily remembered password which nobody is ever going to crack is to change your keyboard to something like Arabic or Kanji in your settings and then type in your easy to remember password (eg password01_&) and your password is guaranteed to be uncrackable gibberish.

    Of course that does depend on the service supporting Unicode.

    1. Rimpel

      I'm going to have fun typing that password on my phone...

  46. David Thomas

    Stop blaming the users

    The real issue is that the IT industry should devise some other means of security than forcing us to invent and remember increasingly ridiculous passwords which we have to change, apparently at the whim of power-crazed sysadmins. So why not devise an approach based on biometrics or DNA or quantum mechanics? The present system is yet another example of the IT industry's distressing tendency to blame the users for its own failings.

  47. Ken 16 Silver badge
    Devil

    Ideal password to defend against being forced to reveal it

    "OverMyDeadBody...Bitch!"

    Useful against customs agents, police, muggers, kidnappers etc.

  48. Thomas 6

    Why do sysadmins know that the users are using weak passwords? If the passwords are visible in the clear then the sysadmins are not doing their job properly.

    1. Ken-in-Houston

      Mainframe and other legacy telnet apps have allowed sysadmins to have access to plain text password files. More modern apps (for the past 15 yrs) don't allow that.

    2. tom dial Silver badge

      Why do sysadmins know that the users are using weak passwords?

      They run straightforward brute force attacks or use rainbow tables on the hashed databases and examine the others. Either way they find a great many weak ones.

      And yes, some system developers (not mainly the admins, who don't control it) have thought for some reason that hashing or encrypting the passwords is unnecessary or too much work.

  49. MR J

    I have been in the back of several bank branches and can tell you their passwords are generally not that great, they put their passwords on sticky notes on the screen in case someone else needs to use the computers.

    A business will say that they want security, but they will do little to help the staff deliver on it, then that forces staff into situations where they are doing wrong just to make it through the day.

    I use basic throw-away passwords on many things, but it irks me how I can go to a site that will ask for a password and I will put in a 22 digit password that it rejects (8 digits are "words") due to not being secure enough, yet "FekY0u" will get a huge green tick and say "Thanks! for picking a secure password"

    Perhaps the truth here is all a bit more logical.

    They are finding that the rainbow tables are too big to store on a single USB stick that can be left on a train, so they are trying to get users to stop that from growing.

  50. Ken-in-Houston

    Use Password Manager S/W

    This advice is ridiculous.

    Any organization, even any individual, who is not using Password Management software is begging for problems. Use this software, auto-gen and rotate your passwords routinely and have them saved in this sort of app, and then use a single, complex password with multi-factor authentication to access your datastore. It doesn't get any better than this.

    1. jzl

      Re: Use Password Manager S/W

      "use a single, complex password with multi-factor authentication".

      This is what they're saying.

      Why is it good when you say it, but bad when they do?

  51. jzl

    Ad Hominem

    Advice stands on its own, independent of the giver. If it is good advice, it is good advice. If it is bad, likewise.

    This is good advice, regardless of who is speaking.

  52. noj

    I only skimmed all the posts

    So I might have missed it but I didn't spot mention of a password manager. I have well over 100 passwords, professional and personal. I don't trust clouds with my password vault so I keep on an encrypted computer. Of course there are encrypted backups too.

    My organization requires password changes every 90 days. I'm fine with that; I just create another password using the password manager and I'm good. When there is no password change expectation I change them periodically anyway. A forum password won't be changed as often as a financial institution password but they all change eventually.

    I feel the effort is worth it and not much of a bother given the benefit. If there is a breach at my bank, my hope is that I've changed it before it can be used by someone other than me.

    I feel like a good password manager that works with your workflow is the easy answer to what, in my opinion, is just one of the more mundane but necessary parts of living in the digital age. I have strong passwords, changed with some frequency, and stored as safely as I can come up with.

  53. Joe Montana

    Poor passwords

    The poor passwords people use on systems are partly down to the regular change requirement... People simply won't remember a new random password every month, they will pick something that is easily remembered and/or write it down.

    If you don't force them to constantly change their password, they only have one to remember and it becomes much easier to remember a single strong password than a new one every month.

    The problem is that people are too unwilling to challenge what they've been told for years

  54. Russell Lee

    Dystopia UK

    It is my hope that people are not as stupid as the UK government thinks they are.

    This is a surveillance state telling the people to not take precautions to keep their information private.

    What will it be tomorrow, "Locking your front door is really a bad way to keep strangers out of your house, in fact, it causes more stress in your life to have to use your key just to open your door!"

    Wake up to the police state people, there are cameras everywhere in British cities TO MONITOR YOUR LOCATION, not to keep you safe.

    Regards,

    Russell Lee

    1. briesmith

      Re: Dystopia UK

      Pass the Bacofoil, Mother.

  55. JaitcH
    Happy

    SysOps Revenge

    The president of a company that manufactured banking terminals issued a missive that required people to change their passwords monthly.

    So the SysOp set it up for the management logins and left the rest of us 'as is'. Management was so impressed that they gave him a special mention in the company rag.

    Bullsh*t really does baffle brains.

  56. This Side Up

    It's good advice

    When I was working we had to change passwords every 45 days so of course I had to write them down. Also you weren't allowed to have any dictionary words or permutations of dictionary words or numeric or alphabetic sequences or repetitions of the same character etc. It strikes me that the more rules you make the easier it becomes to crack the password by brute force, because so many combinations can be ruled out. You can discover the rules by trying to create or change a password because the system will tell you why your password can't be used!

    On the other hand I have a few critical passwords which aren't recorded anywhere. I can remember them but it's very difficult if you're asked to enter the 7th, 12th and 15th characters for example. And they are completely meaningless character strings so there is no easy way to remember them. On the other hand knowing my interests isn't going to help you.

  57. CJ_C
    Coat

    Just write them down

    Not changing password was recommended by IBM many years ago. It is a mystery why so many organisations were fixed on a counter productive change regime. If somebody who wants it gets your password they will use it now not in 4 weeks time.

    I reuse a few passwords not written down, with salt for sites that I regard as not being important, like TheRegister. For my machine passwords they are not written but then I have not changed them in many many years. For important sites like banks, they are hugely complex and written down, because that is the only way I can remember them, in a book kept next to my computer, in a mildly obscured form that I trust would fool a passing opportunist, but not I am sure a real spook, but then they have, I am also sure other means of accessing my accounts...

    I think I have been safe, so far, touch wood, but who can be sure? I did have card details stolen once, but my bank spotted it before it was used. I think they were for sale on a list somewhere.

    All the above is very slightly inaccurate, but I will not say how.

  58. Anonymous Coward
    Anonymous Coward

    Password reuse is going to be rampant

    Since there are arbitrary rules on password expiration and since there are rate limits, timeouts and lockouts if I use the wrong password, I simply found it easiest to follow the shortest expiration and change all my passwords on that date. And I change all passwords to the same one. Seriously, if any of them are cracked, there would be potential for high damage anyway, so why bother?

  59. Cynic_999

    Being a techie, I used to use "BlackBrown", then it's "BlackRed", then "BlackOrange" and of course after "BlackWhite" comes "BrownBlack" If there's a minimum length I can start with "BlackBlackBrown"

  60. Gulraj Rijhwani
    Mushroom

    Mis-statement of the problem

    The problem is not changing passwords, per se, but the lengths users must go to to create and memorise/store sufficiently uncrackable passwords in each instance. Using a password utility which requires memorising only one master password is one solution (although keep backups, and don't use a "cloud" solution). Another is to accommodate and indeed capitalise on the way human memory works and to teach people mnemonic memory methods for creating passwords unique to - and known only by - them, rather than trying to remember arcane random character strings.

  61. ChubbyBehemoth

    Ehm,.. do windows logins still have the backwards compatibility with NT hashes?

    Haven't taken a look at those for quite a while, but it used to be that only the first 7 characters of a Win system password got hashed and the rest was just irrelevant. As the first 7 characters were often car brands, names (wife, child, dog), etc. it used to be fairly simple work to brute force those. Pretty sure it never changed for XP systems and those are still backwards supported by more modern setups.

    If so, long passwords seem to be quite irrelevant to me.

  62. Lee303

    GET A JOB

    GCHQ - GET A JOB. Pretending to be looking after our interests when you're just an extension of crack-pot Looney Toons 'murica. You don't even know who you're meant to be watching! Considering that "terrorists" (of today) are employees of Britain, 'murica (F@£k yeah!), Israel & all other klingons, what exactly is your job? Oh that's right - same like all other middle class twits of UK who are terrified of real work - parasites like employment agencies, estate agents, cold callers, etc. You are pointless since the UK gave its empire to 'murica, & started kissing the ass of Ireland (rightly so). GET A JOB

  63. Asterix the Gaul

    This makes me LMFAO, the NSA\GCHQ are taking the proverbials.

    Ever changed a login name\user password on some site & get the whole caboodle in plain TEXT in a 'confirmation' email from the website?

    It's a known FACT that NSA\GCHQ collect the content of ALL emails & share the data between them.

    It doesn't take a high IQ to figure out just how stupid these sites are, when they do this.

    I blame Microsoft for the above mess, one should be able to use a PINsentry device as a password system, it's impossible to defeat as only the pin holder knows the key & any capture is pointless when it's only valid one time.

  64. Anonymous Coward
    Anonymous Coward

    Layman's view: Post it notes - the best security for the online age?

    The low tech approach seems much more secure to this layman. Using sticky notes would enable longer, more secure passwords to be written down that can be easily changed regularly without stressing fading memories or taxing support staff with forgotten passwords. So long as it's kept in an individual's wallet or purse, then I'd regard that as much safer than pretty much any currently available technical means to protect it. And if as suggested, there was a substitution on at least one character then it'd be useless to anyone who did read it anyway.

  65. arctic_haze

    One word passwords

    I agree with the advice of not making people change the complicated password every month or quarter. They will never be able to remember which is the actual one.

    However simple one word passwords are too easy to break. Long ago I used a large library of words to test passwords in the company. I broke about 1/3 of them within an hour. I still remember one of them. I'll tell you why.

    The afternoon after this exercise I traveled with some guys from the company to a conference. I told them what I did and one of them, a Russian, answered that his password is unbreakable because it is a Russian word written in Latin characters. I simply said "korova" (I still remember it means a cow) and he instantaneously went white. I still don't know what he kept on his account but he absolutely freaked out.

    I heard not long ago the sad news that the guy passed away back in Russia. Whatever files he had, he was a friend.

  66. P. Lee

    > making small adjustments. Password_1 going to Password_2 won't fly

    >System sees last digit is a number, replaces that number with n-1, generates hash result (for Password_3 in this example) and sees if it is a match with existing password hash. If it is, slapped wrist.

    Usually defeated with passwor1d, passwor2d etc

  67. Anonymous Coward
    Anonymous Coward

    In 2002 I had to phone Virgin customer service about my dialup connection. I was asked by the female customer service agent for my password, she was laughing whilst I dithered.

    I glowed bright red, almost lost the power of speech, nearly hung up and considered never using the internet ever again...

    I bit the bullet and said "pu**ylips". I've never used a rude password ever since.

    Thank gawd they no longer ask for passwords, because of security of course.

    edit: it may have been NTL

  68. gareth-coffey

    If you have crappy user management, and want to avoid having your accounts pwned, you might consider a 14 day password expiry. However, you may consider that 'Holiday1', 'Keyboard99' will probably be cracked faster than you can CTRL + ALT + DEL.

    User security should be constantly monitored and evolved, if users are having difficulty remembering passwords or meeting stringent password requirements perhaps you need to review your current policy. What can you do to appease your users but without compromising on security?

    Get creative and don't take GCHQ's advice of simply extending the period in which a user's password can be cracked.

  69. Door614a
    Facepalm

    What's behind the Green Door?

    Room 614A - Spying Pornography - Wake on LAN (WOL) magic packets - SWAP enabled UEFI and copies of Snoopy running on SIPR_net apparently!

    Who needs "passwords" when you can just instruct NVRAM to store the pesky thing along with your self signed security certificates in the first place!

    Don't bother with passwords - "Hey fuck you, we're not all Android users, waiting for Drones to come and play bug squash and kiss our ass with multiple hops!"

    Android Shell (Ash) not as harmful as the Bash Shell (ShellShock) RC Shell with Open RC for the Win! Then they say we need a decentralised way to communicate securely?! It's called BarnOwl dip-shit MIT has been using it for years - with that pesky thing called Encryption! You know the stuff that supposedly protects you from OpenSource wielding terrorists using advanced Unix standards!

  70. manabu

    I have used N0password! as my password on many of my systems where two factor authentication is available and "Tell" others I use no password. I think two factor authentication is the way to go for most IT infras instead of asking people to change passwords.

  71. TXITMAN

    Not using the same password across multiple accounts is the objective here. Once your email account is compromised it is a simple thing for the criminals to take over your life.

    I force password changes when there is a large turnover, or a key person leaves. We make sure that all the accounts that we can find are reset.

  72. computinghomer

    write your own Excel macro to keep your passwords

    I too cannot install software at work, but I do have good ole Excel with VBA. Wrote my own password keeper that encrypts the file with a stream cipher.

  73. ste-fu

    They might be right...

    Forcing password changes on daily use accounts compromises security, as all the comments here show. Password123! will be accepted almost everywhere. Microsoft *ducks* have published some interesting research recently. Setting a higher minimum length just means that the majority of passwords will be at or just over that length. Their recommendation: ban common passwords prior to hashing.
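
The two server-side checks discussed in this thread, as an added example (not code from the article or from any commenter): the increment check quoted in comment 66, generalised here to digits anywhere in the password so that passwor1d/passwor2d is caught as well, and the ban on common passwords before hashing mentioned in comment 73. The deny-list, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample deny-list; a real deployment would load a large list of
# common and breached passwords instead.
BANNED = {"password", "holiday", "keyboard", "qwerty", "12345"}

# Common character substitutions that are undone before the deny-list lookup.
LEET = str.maketrans("0134578@$", "oleastbas")

PBKDF2_ROUNDS = 50_000  # assumption for this example; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as it would be stored for the account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_banned(password: str) -> bool:
    """Deny-list lookup on the plaintext, which only exists before hashing.

    Trailing digits and symbols are stripped and common substitutions are
    undone, so 'P4ssw0rd1' and 'Keyboard99' reduce to their dictionary core.
    """
    lowered = password.lower()
    core = re.sub(r"[^a-z]+$", "", lowered).translate(LEET)
    return lowered in BANNED or core in BANNED


def predecessor_candidates(password: str, max_step: int = 3) -> set[str]:
    """Passwords the user could have bumped a counter on to get `password`.

    Every run of digits is treated as a possible counter, wherever it sits
    in the string, and is also tried removed (counter newly added).
    """
    candidates = set()
    for match in re.finditer(r"[0-9]+", password):
        head, tail = password[:match.start()], password[match.end():]
        digits = match.group()
        candidates.add(head + tail)
        for step in range(1, max_step + 1):
            previous = int(digits) - step
            if previous < 0:
                break
            # Try both 'Summer9' and 'Summer09' as predecessors of 'Summer10'.
            for form in {str(previous), str(previous).zfill(len(digits))}:
                candidates.add(head + form + tail)
    candidates.discard(password)
    candidates.discard("")
    return candidates


def check_new_password(new: str, old_salt: bytes, old_hash: bytes) -> list[str]:
    """Return the reasons for rejecting `new`; an empty list means accepted.

    Only the old hash is needed: each candidate is hashed with the old salt
    and compared, so no previous plaintext has to be kept.
    """
    reasons = []
    if is_banned(new):
        reasons.append("banned")
    if hmac.compare_digest(hash_password(new, old_salt), old_hash):
        reasons.append("reused")
    elif any(hmac.compare_digest(hash_password(c, old_salt), old_hash)
             for c in predecessor_candidates(new)):
        reasons.append("increment")
    return reasons
```

The increment check costs one slow hash per candidate, so `max_step` is also a bound on the extra work done at each password change.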
