Government security arm calls for ‘dramatic simplification’ of password policy

10 Sep 2015, 7:49 pm

IT security guidance published by the Government this week advocates a “dramatic simplification” of current approaches to password policy and offers those responsible for such policy advice on making the case for a more realistic approach.

The document was published this week by CESG, the Information Security arm of the Government Communications Headquarters (GCHQ), and the Centre for the Protection of National Infrastructure (CPNI).

The foreword of ‘Password guidance: simplifying your approach’ says that the document “contains advice for system owners responsible for determining password policy. It advocates a dramatic simplification of the current approach at a system level, rather than asking users to recall unnecessarily complicated passwords”.

It also claims to differ from previous advice by no longer asking users to put “ever more entropy into passwords” or to remember several complex passwords.

Instead, it calls on system designers and security architects to think harder about where they actually need passwords and what they are trying to achieve with them. It also offers advice and practical steps on making systems more secure without pushing the burden onto users.

“The conversation we’ve had with people all around the public sector hasn’t been a happy one when it comes to passwords”, writes Jon Lawrence, CESG’s Technical Director for Assurance, on the CESG blog. “When every system needs a different password, the complexity settings for each system are set high, and password changes are enforced frequently, the outcome is not better security”.

The guidance also aims to help implement strategies to reduce the workload caused by complex passwords. “When we overload users with passwords, there’s the cost of dealing with increased password resets and account lockouts,” writes Lawrence. “And by putting up barriers in the name of security, we reduce the functionality of systems and make it harder for people to do their jobs”.

CESG drew on work by the Research Institute in the Science of Cyber Security (RISCS) to inform the document; that research found that efforts to make passwords more secure can end up damaging security.

“When we’re overloaded with passwords, we all end up breaking the rules: we use the same passwords across different systems”, writes Lawrence. “We use coping strategies to make passwords more memorable and thus more easily guessed and we store passwords insecurely. Jokes about passwords on sticky notes underneath keyboards aren’t jokes”.

CESG welcomes feedback on the guidance, either in the comments at the end of Jon Lawrence’s post on the CESG blog or by emailing enquiries@cesg.gsi.gov.uk.


Image credit: iStock.