Security industry welcomes GCHQ password guidelines

Information security industry representatives have welcomed GCHQ’s publication of guidelines on business password policies.

The document compiled by the UK intelligence agency suggests that by simplifying the approach to passwords, businesses can “reduce the workload on users, lessen the support burden on IT departments and combat the false sense of security that unnecessarily complex passwords can encourage”.

In line with this approach, the guidelines say users should not be forced to change their passwords on a regular basis, but should only do so if there is an indication or suspicion of a breach.

The reasoning is that employees could end up choosing simple, easy-to-remember passwords if they are required to change them often.

The document says password strength meters ought to be banned and replaced with a blacklist of predictable passwords and controls to limit the number of unsuccessful log-in attempts allowed.

GCHQ says password managers are helpful, but says they are risky in the sense that the security of a password is tied to the security of the password manager.

The document says passwords should never be shared and organisations should implement the use of tokens to grant temporary access to data in an emergency.

The document also highlights the need to change from pre-installed defaults and advises that system administrators should only issue passwords where they are required.

Nigel Hawthorn, European spokesman at cloud security company Skyhigh Networks, said the security industry is “awash” with password advice, but much of it is contradictory or simply not suited to modern working.

“The result is that passwords still puzzle many. GCHQ’s latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today,” said Hawthorn.

Research by Skyhigh Networks has shown the average European employee is using 23 different cloud services.

“With each one comes a new password, or at least it should. But because user convenience usually trumps security, the same passwords are used time and time again. Hacks that can be traced back to a reused password are a dime a dozen, so it’s great that GCHQ has addressed the issue as part of its advice,” said Hawthorn.

GCHQ support for a ban on strength meters may surprise some, he said, but analysis of 12,000 cloud services has shown 80% would allow “weak” passwords according to the traditional strength meter.

“But the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess,” said Hawthorn.

Ross Brewer, vice-president and managing director of international markets at LogRhythm, said the number of sites and systems that require passwords today is huge and remembering that many log-in details can prove a challenge. 

“However, passwords do offer a certain level of security and – until a viable solution is found – we need to encourage organisations to employ policies that make them as robust as possible,” he said.

Brewer questions GCHQ’s advice that passwords be changed only when there are indicators of compromise. “This could leave the door open to hackers for a long time,” he said.

Although changing passwords every 60 or 90 days is a hassle for everyone involved, Brewer said it does generally ensure the credentials remain unique. 

“Compromised credentials are one of the top reasons for breaches and – while it isn’t foolproof – regularly changing them may well stop a hacker in their tracks. What’s more, it often takes businesses months to detect a breach,” he said.

Brewer believes changing passwords may also help identify someone illegally trying to access the network. 

“If a user is repeatedly attempting to log in with an invalid password, it may indicate something untoward is happening – and with the right security analytics tools in place – an attack could be thwarted,” he said.  

Brewer concedes changing passwords regularly is unlikely to stop unauthorised access, but he said it will “throw a temporary spanner in the works”. 

However, he added that preventing a breach is becoming increasingly futile. “Some businesses are starting to focus their attention on where it needs to be – responding to attacks as swiftly and efficiently as possible,” he said.

According to Brewer, the ability to monitor user behaviour, particularly that of privileged users, is more important than ever. 

“With the right systems in place, organisations are able to detect changes in patterns of behaviour in real-time and immediately identify when credentials are compromised. 

“Clearly, passwords don’t offer the protection they once did, but combining a robust password policy with advanced security analytics is a better defence than nothing, and will allow businesses to respond-in real time to prevent any damaging data loss,” said Brewer.