Poacher turned gamekeeper? GCHQ issues advice on safer passwords

UK surveillance and intelligence agency GCHQ has come up with a list of best practice advice on the use of passwords.

GCHQ: Combat the false sense of security that unnecessarily complex passwords can encourage. Image: GCHQ/Crown Copyright

Britain's GCHQ has issued firms with a helpful list of measures to defend against password breaches, an area cited in the Edward Snowden leaks as a particular expertise of the surveillance agency.

The new guidelines, which focus on seven areas, include advice against forcing users to change passwords at regular intervals and suggest making administrator accounts a priority for especially robust measures.

It also warns against storing passwords as plain text, counsel which GCHQ itself failed to heed in 2013 when it emerged that it was a practice used by a legacy system on the agency's career site.

GCHQ cyber security director general Ciaran Martin's foreword to the guidelines criticises complex passwords because they usually fail to frustrate attackers while making life harder for users.

"By simplifying your organisation's approach, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage," Martin said.

The familiar first tip for system owners is to ensure default passwords are changed, particularly on essential infrastructure devices such as routers, wireless access points and firewalls.

Along with the suggestion that passwords should only be used on systems where they are really needed, the GCHQ document also says users should be allowed to record and store their passwords securely.

There should also be a general policy of helping users cope with password overload, employing technology, such as single sign-on, to reduce the burden and only asking for a new password "on indication or suspicion of compromise".

The document says studies of user-generated password schemes show they encourage insecure practices, such as reusing passwords or adopting predictable strategies to generate passwords, such as replacing 'o' with a zero.

"Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Most dictionaries for brute-force attacks will prioritise frequently used words and character substitutions. This means that systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack," GCHQ said.

The use of technical controls to defend against automated guessing attacks is far more effective than relying on users to generate, and remember, complex passwords.

Password strength meters may also be a bad idea because although they may help users avoid the weakest passwords, they often miss other factors that can make passwords weak, such as the use of personal information, and repeated characters or common character strings.

The GCHQ guidelines also advocate account lockout, throttling - introducing time delays between login attempts - and protective monitoring as powerful defences against brute-force attacks.

"Account lockout is simpler to implement than throttling, but can have a detrimental impact on the user experience. Account lockout also provides an attacker with an easy way to launch a denial-of-service attack, particularly for large-scale online systems," GCHQ said.

"If using lockout, we recommend you allow around 10 login attempts before the account is frozen. This gives a good balance between security and usability."
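A small model of the two controls contrasted above, written as an added example that is not part of the article or the GCHQ guidance: per-account lockout at the suggested 10 attempts beside exponential throttling, with a constructed scenario showing why lockout hands an attacker a denial-of-service against the legitimate user. The delay values and the scenario are assumptions.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # GCHQ's suggested ~10 attempts before freezing the account
BASE_DELAY = 1.0        # seconds; assumed starting delay, doubled per failure
MAX_DELAY = 60.0        # assumed cap so a legitimate user is never delayed for long


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0  # earliest time the next attempt will be evaluated
    locked: bool = False


@dataclass
class LoginGuard:
    mode: str  # "lockout" or "throttle"
    accounts: dict = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one attempt at time `now`; return allowed/denied/delayed/locked."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "delayed"  # throttled: the guess is not even evaluated
        if password_ok:
            st.failures, st.next_allowed = 0, 0.0
            return "allowed"
        st.failures += 1
        if self.mode == "lockout":
            if st.failures >= LOCKOUT_THRESHOLD:
                st.locked = True
                return "locked"
        else:  # throttle: exponential back-off per account, capped at MAX_DELAY
            st.next_allowed = now + min(MAX_DELAY, BASE_DELAY * 2 ** (st.failures - 1))
        return "denied"


def simulate(mode: str, seconds: int = 30) -> dict:
    """Constructed scenario: an attacker guesses wrong against 'alice' once per
    second for `seconds`, then alice logs in with the right password later."""
    guard = LoginGuard(mode)
    outcomes = {"denied": 0, "delayed": 0, "locked": 0}
    for t in range(seconds):
        outcomes[guard.attempt("alice", False, float(t))] += 1
    evaluated = guard.accounts["alice"].failures  # guesses actually checked
    legit = guard.attempt("alice", True, float(seconds) + MAX_DELAY)
    return {"guesses_evaluated": evaluated, "delayed": outcomes["delayed"], "legitimate_login": legit}
```

Under lockout the attacker gets 10 guesses checked and alice is then frozen out of her own account; under throttling only 5 of 30 guesses are evaluated and alice still logs in once the back-off expires, though she can be delayed by up to MAX_DELAY while the attack is running.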

According to the Snowden leaks, a 2009 GCHQ document discusses the impact of the agency's activities being made public, citing as an example its exploitation of poorly-chosen passwords.

"Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness, generating unwelcome publicity for us and our political masters," the document said.
