Companies should NOT force customers to keep changing their passwords – GCHQ

Yesterday's World Password Day was centred around awareness of passwords, encouraging people to change them on a frequent basis.

'Passwords are like underwear – change them frequently,' is one strapline associated with the day.

But the most unexpected recommendation from yesterday came from the UK government, which said that companies should NOT force customers to routinely change their passwords, contrary to popular advice.

On Twitter yesterday, the GCHQ's CESG (Communications-Electronics Security Group) came forward to reiterate its argument that the ‘usability costs’ and inconvenience caused outweighs any benefits on frequently changing passwords.

'In 2015, we explicitly advised against it (changing passwords),' the British intelligence and security organisation wrote in a recent post. 'This article explains why we made this (for many) unexpected recommendation, and why we think it's the right way forward.'

> See also: It's official, we're doomed: the 25 most popular passwords of 2015 revealed

The security organisation's justification for this: most people have dozens of passwords they have to remember on a daily basis, and the majority of password policies force us to use passwords that we find hard to remember. When forced to change them, people are likely to switch to a password that's very similar to the previous one, making them easy to exploit.

The new password is often going to be written somewhere as they're more likely to be forgotten. Though counterintuitive, the organisation argues that not forcing regular password expiry reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation.

To argue whether or not consumers should regularly reset their passwords is a topic ripe for discussion, but arguably the the bigger issue still remains – that username and password authentication is inherently insecure.

'Basic good housekeeping with respect to passwords should always leverage secure storage (salted hashing as opposed to encryption or clear text) and the need for users to comply to complex password policies for example),' said Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock.

'However, we should not simply rely on username and password based authentication as a barrier between our sensitive information and the rest of the Internet. It’s time for companies to embrace more advanced identity-centric solutions that improve the customer experience, while also providing stronger security.'

> See also: 75% of people think sharing passwords is dangerous – but 55% still do it

'One option,' advises Moffatt, 'is to add multi-factor authentication, such as one time passwords, mobile push based authentication, biometrics or a combination. But as robust as these methods are becoming, they still rely on a ‘lock and key’ approach to security – once you’re through the door, you have free rein over the data within. The next big step forward will be continuous, behaviour-based authentication and authorisation.'

'This will involve creating a user behaviour profile, which gathers key criteria that make up the 'normal' usage pattern for any given user. Any deviation from the pattern will raise a red flag and lead to additional security questions or even removal of access. Importantly, this kind of technology will run entirely in the background, so the user will only ever be impacted if their behaviour is deemed to be suspicious.'

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach