It is one of the banes of modern life – you finally come up with a memorable yet secure password for your office computer, only to be told just a few months later that it has expired and you have to find a new one.
But now Britain’s security services themselves have decreed that workers may be safer from hackers if they do not have to keep changing passwords.
In a new briefing to Whitehall, power stations, banks and the public sector, cyber experts at CESG – the information security arm of intelligence agency GCHQ – concluded, “It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack.”
The advice continues, “Most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one. Attackers can exploit this. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out. CESG now recommends organisations do not force regular password expiry.”
The advice comes as Ministers urge greater protection against cyber crime, after a survey found two-thirds of large businesses suffered an attack or security breach in the past year.