New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

This matches how people function

[WillAffleckUW]

If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera enabled pen or purse or water bottle you "forget". Or they type into the notes feature on their easily guessed cell phone.

(caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)

(extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)

Re:This matches how people function

[dpidcoe]

Yep. When I worked in IT, security kept enforcing stricter and stricter password guidelines. Eventually it boiled down to basically every. single. user. picking a password in the format of [Kids name][kids birthdate]![number representing how many times they'd had to change their password]. It got to the point where if I had to fix someones computer but they weren't at their desk I'd just check their hire date and multiply number of years worked by 4 (for the end number) examine whatever family pictures they had framed there and have the password in 3-5 guesses.

This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.

Password reuse?

[YrWrstNtmr]

Let's ask former Ashley Madison members.

Re:Makes sense

Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.

Re:They want us to make it easier for them?

The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

Re:They want us to make it easier for them?

[sudden.zero]

Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!

Re:Too similar

[jrumney]

Or they frequently forget their password, and after getting sick of all the support requests for password reset, an automated password reset system is put in place that has more security holes than the passwords they are trying to block. Even if the system is not automated, think about the potential for social engineering attacks when forgotten passwords are a daily annoyance for helpdesk staff that they just want to get out of the way as soon as possible.