Slashdot Mirror


New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

4 of 148 comments

  1. Re:Makes sense by Anonymous Coward · Score: 5, Insightful

    Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.

  2. Re:They want us to make it easier for them? by Anonymous Coward · Score: 5, Insightful

    The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.
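The comment above rests on two claims: that a 12-character password drawn uniformly from the 94 printable ASCII characters has enough entropy that rotation buys nothing, and that this only holds if the verifier stores salted, slow hashes. The block below is an added example written for this page (not code from the article, the UK guidance or any commenter): it computes the entropy and a brute-force time estimate for several character-class choices, and stores and verifies a password with per-user salts using PBKDF2-HMAC-SHA256 from the standard library. The guess rate of 10^10 per second and the iteration count of 600,000 are assumptions chosen for illustration, not figures from the page.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Dict, Optional

# Assumed alphabet sizes (printable ASCII without space: 26 + 26 + 10 + 32 = 94).
CHARSETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digit": 62,
    "lower+upper+digit+punct": 94,
}

# Assumed attacker guess rate (constructed for illustration only).
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def entropy_table(length: int) -> Dict[str, float]:
    """Entropy in bits for a password of the given length over each character class."""
    return {name: entropy_bits(length, size) for name, size in CHARSETS.items()}


def generate_password(length: int = 12) -> str:
    """Uniformly random password over the 94 printable ASCII characters (no space)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> Dict[str, object]:
    """Store a password as (salt, iterations, digest) using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt per user means two users (or two systems) holding
    the same password end up with unrelated digests, so one leaked table cannot be
    cracked once and replayed against another.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    for name, bits in entropy_table(12).items():
        years = expected_crack_seconds(bits) / (365.25 * 24 * 3600)
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    pw = generate_password()
    rec = hash_password(pw)
    print("verify correct:", verify_password(pw, rec), " verify wrong:", verify_password(pw + "x", rec))
```

Running it shows why the comment singles out length: 12 characters over the full 94-character set give roughly 78.7 bits, while the same 12 characters restricted to lowercase give about 56 bits, a difference of several million times in expected cracking effort. The verification half is the other precondition the comment names: if the server stored unsalted or fast hashes, the entropy of the password would matter far less.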

  3. Re:They want us to make it easier for them? by sudden.zero · Score: 5, Insightful

    Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!

  4. Re:Too similar by jrumney · Score: 5, Insightful

    Or they frequently forget their password, and after getting sick of all the support requests for password reset, an automated password reset system is put in place that has more security holes than the passwords they are trying to block. Even if the system is not automated, think about the potential for social engineering attacks when forgotten passwords are a daily annoyance for helpdesk staff that they just want to get out of the way as soon as possible.