Slashdot Mirror


New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."


  1. This matches how people function by WillAffleckUW · Score: 5, Interesting

    If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera-enabled pen or purse or water bottle you "forget". Or they type them into the notes feature on their easily guessed cell phone.

    (caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)

    (extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:This matches how people function by dpidcoe · Score: 5, Interesting

      Yep. When I worked in IT, security kept enforcing stricter and stricter password guidelines. Eventually it boiled down to basically every. single. user. picking a password in the format of [Kid's name][kid's birthdate]![number representing how many times they'd had to change their password]. It got to the point where if I had to fix someone's computer but they weren't at their desk, I'd just check their hire date and multiply number of years worked by 4 (for the end number), examine whatever family pictures they had framed there, and have the password in 3-5 guesses.

      This is the same security that disabled the ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and Dropbox.