New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste
isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
electric company account (please break in and pay my bill for me!)
You might want to move electric company account up the list. Utilities bills are often used as proof of address when verifying identity.
Microsoft Research found that the maximum number of times people could change a password and have it secure is twice a year. This was the absolute limit, where they suggested that a more realistic limit was once a year. Any more than twice a year and people had to start writing them down, or use insecure passwords that were easy to remember, a common one being an easy-to-guess word with an incrementing number after it.
The irony is that Windows Server defaults to having you change your password every 42 days, i.e. 8-9 times a year.
How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.
For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.
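As an added example (not from the thread or the guidance document), the following PowerShell audits an Active Directory domain's forced password-expiry settings against the "avoid regular password changing" advice quoted above, flagging the 42-day default the commenter mentions. It assumes the ActiveDirectory RSAT module and read access to domain policy objects.

```powershell
# Added example: report whether the domain (and any fine-grained policy objects)
# still force periodic password changes. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# The 42-day figure is the Windows Server default cited in the comment above.
$knownDefault = New-TimeSpan -Days 42

function Test-PasswordAgePolicy {
    param([string]$Name, [TimeSpan]$MaxPasswordAge)
    # A zero (or maximal) MaxPasswordAge is treated as "passwords never expire",
    # i.e. no forced periodic change, which is what the guidance recommends.
    if ($MaxPasswordAge -eq [TimeSpan]::Zero -or $MaxPasswordAge -eq [TimeSpan]::MaxValue) {
        $verdict = 'OK: no forced expiry'
    } elseif ($MaxPasswordAge -eq $knownDefault) {
        $verdict = 'REVIEW: unchanged 42-day default (8-9 forced changes per year)'
    } else {
        $verdict = "REVIEW: forced change every $($MaxPasswordAge.Days) days"
    }
    [pscustomobject]@{ Policy = $Name; MaxPasswordAge = $MaxPasswordAge; Verdict = $verdict }
}

$results = @()

# Domain-wide default policy
$default = Get-ADDefaultDomainPasswordPolicy
$results += Test-PasswordAgePolicy -Name 'Default Domain Policy' -MaxPasswordAge $default.MaxPasswordAge

# Fine-grained password policies (PSOs) override the default for the users/groups they apply to
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordAgePolicy -Name $pso.Name -MaxPasswordAge $pso.MaxPasswordAge
}

$results | Format-Table -AutoSize
```

Only the expiry interval is checked here; lockout and complexity settings are read by the same cmdlets and can be added to the report object in the same way.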
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
https://xkcd.com/936/