GCHQ Password Guidance: Can You Trust It?

GCHQ, the UK government spy agency have recommended that people use simpler, easy to remember passwords, suggest banning password strength meters and regular password changes.

But can you trust security advice that comes from the same people who were found to be unlawfully conducting mass surveillance against its own citizens?

Maybe. Maybe not. But in what appears to be something like an attempt to salvage something of their reputation, GCHQ’s Password Guidance document offers advice that goes against what most of us perceive as being common sense when it comes to password creation, and some that does not.

So just what do GCHQ recommend you do?

OK, we’ll get straight to the point. GCHQ recommend first and foremost, that you…

Change all default passwords:

And most importantly, make sure you change the default passwords on new hardware devices such as Routers and Wi-Fi terminals. Factory-set default passwords that are left unchanged on internet capable and internet gateway devices are especially open to being accessed from the outside world. In 2012, “several hundred thousand unprotected devices” were utilized by the “Carna Internet Census” to show just how many devices still had their default passwords in place.

Password Overload:

According to the GCHQ guide, most people typically have to remember around 20 different passwords. As a result most people suffer from “Password Overload.” They have to remember too many passwords. Being forced to change them periodically may do  more harm than good. The reason? Regular password changes have only minor benefits.

“Stolen passwords are generally exploited immediately,” negating the benefits of changing passwords regularly. GCHQ also make the valid point, that when people choose new passwords, they tend to just be a minor variant on the old one, e.g. Password 1 will become Password 2. This is an example. Don’t use ‘Password’ as part of your password, ever. If you do, please stop reading this now, and go change your password to something else.

Don’t store Passwords in plain text or .Doc files:

Rather, they should be encrypted using a password manager, which in itself is only as good as the encryption software that comes with it. A password manager of course requires a password as well to access it, which is another password to remember. But should your device or information be compromised on one device, at least all your other accounts will be protected. It goes without saying that Filehippo.com does of course have a range of free, virus and malware checked, password managers available to help you. [Warning: That was a shameless plug.]

Password Strength Meters aren’t all that helpful:

Yes, they do help “steer” users away from the weakest of passwords, but they don’t account for factors that can also make passwords weak; such as using the names of children, or other personal information that can make passwords insecure. For example, using Oliver as part of a password, but changing the O for a zero may fool a password meter, but an experienced hacker will know to look for that sort of change. In short, password meters don’t check for predictability. GCHQ also recommend having a blacklist of the most common password choices.

So should you trust their advice?

I am conflicted. I am no conspiracy theorist, but I am reminded of the following saying: “Do not judge a tree, by the fruit it talks about, but by the fruit it bears.” Now, as much as I want to write that you shouldn’t pay credence to GCHQ’s advice, most of it does make sense. So it’s probably a good idea to at least read and follow some of it.

Poor password creation and storage are one of the main culprits when it comes to data breaches and hacking, as hackers will take advantage of any opportunity they can get. But it’s food for thought anyway. Still, even if GCHQ’s guide is full of good advice, I couldn’t really blame you, if you chose not to heed their warnings.