Slashdot Mirror


New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

22 of 148 comments

  1. Makes sense by AuMatar · · Score: 4, Insightful

    The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Makes sense by Anonymous Coward · · Score: 5, Insightful

      Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.

    2. Re:Makes sense by DaphneDiane · · Score: 4, Informative

      electric company account (please break in and pay my bill for me!)

      You might want to move electric company account up the list. Utility bills are often used as proof of address when verifying identity.

  2. This matches how people function by WillAffleckUW · · Score: 5, Interesting

    If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera-enabled pen or purse or water bottle you "forget". Or they type it into the notes feature on their easily guessed cell phone.

    (caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)

    (extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:This matches how people function by dpidcoe · · Score: 5, Interesting

      Yep. When I worked in IT, security kept enforcing stricter and stricter password guidelines. Eventually it boiled down to basically every. single. user. picking a password in the format of [Kid's name][kid's birthdate]![number representing how many times they'd had to change their password]. It got to the point where if I had to fix someone's computer but they weren't at their desk I'd just check their hire date and multiply the number of years worked by 4 (for the end number), examine whatever family pictures they had framed there, and have the password in 3-5 guesses.

      This is the same security that disabled the ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and Dropbox.

  3. Password reuse? by YrWrstNtmr · · Score: 5, Funny

    Let's ask former Ashley Madison members.

  4. Portable one-time key password generator .. by nickweller · · Score: 3, Insightful

    A portable hardware device that generates one-time-only passwords. The master keys never leave the device and can be revoked in the event of the device getting lost. Hacking any individual device provides no clues that can be used to hack the other devices.

  5. My bank is the worst. by jtownatpunk.net · · Score: 4, Insightful

    Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.

  6. Reflexive, symmetric, transitive... by Okian+Warrior · · Score: 3, Interesting

    Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

    So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

    OK - got it.

  7. that's what I do now. Better might be algorithmic by raymorris · · Score: 4, Interesting

    That's what I do now: I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.

    I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

    For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall" my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.
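A worked version of the per-domain derivation raymorris describes, added here as an example and not his utility: it swaps his sha1 over a concatenation for HMAC-SHA256 (master as key, domain as message) and adds a per-site counter so one site's password can be rotated after a breach without changing the master or any other site. Function and parameter names are assumptions.

```python
import hashlib
import hmac
import string

# Constructed example, not the poster's program. The master secret is never stored;
# the same (master, domain, counter) always yields the same password, so it can be
# regenerated on any device with no password-manager database to sync.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols
ACCEPT_LIMIT = 248  # 4 * 62: largest multiple of 62 below 256, used for rejection sampling


def normalize_domain(hostname: str) -> str:
    """Lower-case and strip a leading 'www.' so one site always maps to one password."""
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, hostname: str, counter: int = 0, length: int = 16) -> str:
    """Deterministically derive a per-site password from a master secret and a domain.

    counter: bump it for a single site whose password must change; other sites are
    unaffected because the domain is part of the HMAC message.
    """
    if length < 1 or counter < 0:
        raise ValueError("length must be >= 1 and counter >= 0")
    message = f"{normalize_domain(hostname)}|{counter}".encode()
    digest = hmac.new(master.encode(), message, hashlib.sha256).digest()
    chars = []
    while len(chars) < length:
        for b in digest:
            # Rejection sampling: dropping bytes >= 248 keeps every symbol equally likely
            # instead of the slight bias a plain "b % 62" over 0..255 would introduce.
            if b < ACCEPT_LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
        # Deterministic extension when more output is needed than one digest provides.
        digest = hashlib.sha256(digest).digest()
    return "".join(chars[:length])


def all_distinct(master: str, hostnames: list) -> bool:
    """Check that a set of sites all receive different derived passwords."""
    passwords = [derive_site_password(master, h) for h in hostnames]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    master = "example master phrase"  # constructed sample input
    for site in ("slashdot.org", "www.slashdot.org", "example.com"):
        print(site, derive_site_password(master, site))
    print("rotated:", derive_site_password(master, "slashdot.org", counter=1))
```

The scheme still shares the poster's structural limit: anyone holding the master (or able to guess a weak one offline from a leaked derived password plus the public domain) gets every site at once, so the master must be long and used nowhere else.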

  8. less password01? by sims+2 · · Score: 4, Insightful

    Does this mean I won't have to change my password from password01 to password02, password03, etc.?

    If you require people to change it every 90 days and expect them to remember it, what do you think people are going to do? It is going to be S!mp1e as can be.

    Simple1! fulfills most companies' password requirements.

    If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy

    It will have to stop changing on an arbitrary basis.

    --
    Minimum threshold fixed. Thanks!

  9. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 5, Insightful

    The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

  10. Microsoft Research and Their Password Policies by HannethCom · · Score: 4, Informative

    Microsoft Research found that the maximum number of times people could change a password and have it secure is twice a year. This was the absolute limit, where they suggested that a more realistic limit was once a year. Any more than twice a year and people had to start writing them down, or use insecure passwords that were easy to remember, a common one being an easy-to-guess word with an incrementing number after it.

    The irony is that Windows Server defaults to having you change your password every 42 days. 8-9 times a year.

    How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.

    For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.

    --
    Microsoft, Apple, Google, Amazon, what's the difference? All steal money from devs and control with walled gardens.

  11. Re:They want us to make it easier for them? by sudden.zero · · Score: 5, Insightful

    Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!

  12. I got a different password for every site by future+assassin · · Score: 4, Insightful

    Now I don't always remember it 99.9% of the time, but what I do is have a pattern that I use to extract 4 letters from a site's name and use 4 or so selected 4-number combos which I combine into a password. At least it gives me different passwords for different sites.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*

  13. Re:They want us to make it easier for them? by Bert64 · · Score: 4, Insightful

    They're not saying it's OK, they're saying you should only reuse passwords for similar systems, which makes sense... Your Slashdot password gets compromised, it's not a big deal; use the same password on some other news site, it's also not a big deal; just make sure you use a different password for your bank.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  14. Re:They want us to make it easier for them? by NicBenjamin · · Score: 4, Insightful

    I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.

    I doubt it's secure, but it allows me to avoid hassles.

  15. Or.. by s.petry · · Score: 4, Insightful

    You memorize a single strong password for a key storage program like KeePass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a thumb drive in my pocket, and a backup in a safe.

    While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.

    Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  16. Too similar by Jumunquo · · Score: 4, Interesting

    They caught onto us at our workplace. Now passwords have to be significantly different by some secret algorithm and incrementing a number is not different enough. Of course, that just means people think up other schemes.

    1. Re:Too similar by Applehu+Akbar · · Score: 4, Insightful

      "Think up other schemes?" No, they just start writing passwords down. Behavior becomes less secure.

    2. Re:Too similar by jrumney · · Score: 5, Insightful

      Or they frequently forget their password, and after getting sick of all the support requests for password reset, an automated password reset system is put in place that has more security holes than the passwords they are trying to block. Even if the system is not automated, think about the potential for social engineering attacks when forgotten passwords are a daily annoyance for helpdesk staff that they just want to get out of the way as soon as possible.

  17. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 4, Interesting

    I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically, but it wasn't required. Periodically I would suspend the account locking and attempt to crack users' passwords. Any users cracked were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved. It never happened. Life was good.

    Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.

    Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.

    The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.

    I left not long after that. I heard that he got fired a few years later, so at least there is a god.