Friday 18 September 2015

GCHQ Password Guidance

GCHQ recently updated their password guidance:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

A few interesting points:

Don't make passwords unnecessarily complex
This drives me nuts. It takes ten tries to get a password accepted, and two minutes later you've already forgotten what was eventually accepted, before you've even had a chance to write it down.

Users don't need to frequently change passwords
This was the only one that came as a surprise, but their explanation does make sense.

Don't replace characters in a word with something similar (i.e. '5' for 's' or '!' for '1')
I've been saying this for a while. It's easy to implement a dictionary attack that substitutes certain characters, e.g. 0pt1c5 (optics) or 5ugar (sugar). I'm surprised to see this practice being recommended in some quarters. The same applies to mixing capital and lowercase characters, since a dictionary attack can just as easily try the case variants of each word.
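To show why such substitutions add so little, here is an added example (my own code, not from the GCHQ guidance or its authors) of the kind of server-side policy check that undoes the common substitutions and case-mixing before a dictionary lookup, so 0pt1c5 and SuGaR are rejected exactly as optics and sugar would be. The substitution table and the tiny wordlist are constructed for the example; a real deployment would load a large dictionary or breached-password list.

```python
from itertools import product

# Reverse substitution table (constructed): each symbol maps to the letters it
# is commonly used to stand in for. Ambiguous symbols expand to several letters.
SUBSTITUTIONS = {
    "0": "o", "1": "il", "!": "il", "|": "il", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
}

# Constructed sample wordlist; a real check would use a large dictionary.
WORDLIST = {"optics", "sugar", "password", "welcome", "letmein"}

# Upper bound on readings we are willing to enumerate for one password.
MAX_CANDIDATES = 4096


def de_leet_candidates(password: str) -> set[str]:
    """Every plain-alphabet reading of `password` once substitutions and
    case-mixing are undone. Each position contributes the lower-cased
    character itself plus every letter it may be standing in for."""
    choices = []
    for ch in password.lower():
        options = {ch}
        options.update(SUBSTITUTIONS.get(ch, ""))
        choices.append(sorted(options))
    total = 1
    for opts in choices:
        total *= len(opts)
    if total > MAX_CANDIDATES:
        # Too many ambiguous symbols to enumerate: keep one "most likely"
        # reading (first listed letter for each symbol) rather than give up.
        return {"".join(SUBSTITUTIONS.get(c, c)[0] for c in password.lower())}
    return {"".join(combo) for combo in product(*choices)}


def is_dictionary_variant(password: str, wordlist: set[str] = WORDLIST) -> bool:
    """True if any de-leeted reading of `password` is a plain dictionary word."""
    return any(reading in wordlist for reading in de_leet_candidates(password))


def check_password(password: str) -> str:
    """Policy decision in the spirit of the guidance: reject dictionary words
    and their disguised variants; do not demand complexity rules otherwise."""
    if is_dictionary_variant(password):
        return "reject: dictionary word with character substitutions"
    return "accept"
```

The check deliberately treats '1' and '!' as either 'i' or 'l', which is why it enumerates several readings instead of applying one fixed reverse mapping.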

