Stop changing your password every 30 days says GCHQ
Ciaran Martin, the head of GCHQ’s new National Cyber Security Centre, has rubbished the practice of changing passwords on a monthly basis.
For years businesses have forced regular password changes on employees, and it just doesn’t work. Bemused by the constant change, many people just append a couple of numbers to a previous password, meaning that for decryption purposes it’s exactly the same.
Ciaran explained that constant password changes and advice never to use the same password for different services is the same as expecting you to remember a new 600-digit number every month. He said: “None of my best people can do that so we shouldn’t tell other people to do that”.
To remember passwords, people write them down, or they promptly forget them and have to request password resets, or they simply use weak passwords or the same password for every service they use.
If spies and cyber security experts can’t remember new passwords every month, there are only two things you can do. Either create a single strong password and use one of the many online password managers, or set memorable but difficult to crack passwords.
How to create a strong password
A good password will contain lower and upper case characters, numbers and special characters. However, a phrase can make it much easier to remember; for example, everyone can recall “Jack and Jill went up the hill to fetch a pail of water”. Taking the first letters we get JAJWUTHTFAPOW. To turn it into a strong password we could then use [email protected]@p0w, which is highly memorable but way more difficult for hackers to crack than something like “Februarypword02” or similar.
If you’re like me and never change your passwords, take heart: all these years people have been telling you to change them every 30 days, but by ignoring their advice you’ve been doing the right thing.
If you do change your passwords regularly, then stop. Make one super strong password for each service you use and stick with it.
Combining upper case and numbers into a password has a slight increase in complexity and thus a slight increase in difficulty to crack but ultimately becomes a whole magnitude harder for a normal human being to remember. It is infinitely more beneficial to increase the length of a password, without adding any numbers, upper case OR special characters!
[email protected]@p0w being harder to crack than Februarypword02 ?
That’s just factually incorrect.
[email protected]@p0w would take a computer approximately 3 million years to crack based on the number of character combinations available.
Februarypword02 however would take 609 million years. 609!! That’s over 200 times more secure!
LENGTH TRUMPS COMPLEXITY
I’ll take my chances for the next 3 million years 😉
Incidentally, Februarypword02 has a single capital letter. Remove it and use februarypword02 and your same tool says it can be cracked in 175 thousand years. A mix of upper and lower case (no matter how small) does make a difference!
You’d forget it after 1 😉
Probably Dave! *sighs* 🙂
Sure, I’m not condoning either of your password choices. I would suggest using “jackandjillwentupthehill” which is incredibly easy to remember, and would take 7 QUADRILLION years to crack 😀
Adding an additional lower case character increases the password entropy more than changing a single letter to upper case or replacing it with a special character does.
SnowWhite&theSevenDwarves – The best 8 character password available.
Our staff have started by using the Month & Year, when forced to change it every month, so we have now stopped forcing them to change it.
it’s about time somebody with some bloody sense stopped spouting spurious “advice” that they really don’t have a clue about.
all the “advice” vendors these days seem to actually be thinly disguised adverts, and either don’t help or actively hinder real world situations. password advice is a prime example.
passwords are here for humans to use, don’t make them impossible for humans to use, it’s not productive.
the calculations here as to how long a computer would take to do something are making some massively incorrect assumptions, but that’s all we really have to go on.
3 million years? I’d bet good money that in 15 years we’ll have AI around that can do it in a weekend.
just mentioning AI, most password crackers would not start guessing at “0001” and work their way up, that’s a dumb attack in every sense of the word, anyone attempting to brute force your password these days would use a smart approach, and the cracker would be set to start on the most likely answer, such as “password”.
– run the word “password” or “password01” through one of your entropy tests and it will give you a number, unless that number is 0.01 seconds it’s wrong, every password cracker will start at “password” or “password01” and attempt “februarypword02” variations LONG before it attempts anything with @ or ! or – in it.
like, if you’re six and play hangman, you might throw out Z! P! B! as your first three guesses, because they’re your favourites, or start at A because it’s first. password crackers would win hangman every round because they don’t operate like that.
The most important advice is to use a different password for every service!
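An added example, not part of the article or of any commenter's post: it puts the character-pool arithmetic behind the "years to crack" figures quoted above next to an estimate that assumes dictionary words are tried before raw characters, as the comment above argues. The 20,000-word dictionary size, the small word list and the function names are assumptions made for illustration.

```python
import math
import string

# Assumptions, not from the page: the guessing-dictionary size and this tiny
# constructed word list standing in for it.
DICT_SIZE = 20_000
WORDS = {"password", "february", "jack", "jill", "went", "hill"}
MIN_WORD = 4  # below this, brute-forcing letters is cheaper than a lookup

CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]


def class_size(ch):
    """Alphabet size of the class a single character belongs to."""
    for chars, size in CLASSES:
        if ch in chars:
            return size
    return 95  # anything else: assume the full printable-ASCII range


def naive_bits(pw):
    """Pool-size ** length model behind typical 'time to crack' figures."""
    pool = sum(n for chars, n in CLASSES if any(c in chars for c in pw)) or 95
    return len(pw) * math.log2(pool)


def pattern_bits(pw):
    """Cost when dictionary words are tried before raw characters."""
    bits, i = 0.0, 0
    while i < len(pw):
        # Longest dictionary word starting at position i (case-insensitive).
        hits = [w for w in WORDS if pw[i:i + len(w)].lower() == w]
        word = max(hits, key=len, default="")
        if len(word) >= MIN_WORD:
            # One dictionary pick, plus one bit if the casing was changed.
            bits += math.log2(DICT_SIZE) + (pw[i:i + len(word)] != word)
            i += len(word)
        else:
            bits += math.log2(class_size(pw[i]))
            i += 1
    return bits


if __name__ == "__main__":
    for pw in ("password01", "Februarypword02", "jackandjillwentupthehill"):
        print(f"{pw:26} naive={naive_bits(pw):6.1f}  pattern={pattern_bits(pw):6.1f}")
```

Under these assumptions "password01" falls from about 52 bits to about 21, and "Februarypword02" from about 89 to about 45, so a keyspace-only figure overstates the strength of word-plus-digits passwords.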
I use LastPass to manage mine 🙂
i also use lastpass, but it makes me paranoid for the day someone hacks lastpass.
Your passwords are behind double encryption so it isn’t even possible for LastPass staff to view them.
…and they’re hashed and salted many many times, so theoretically will be very difficult to hack. but NOTHING is impossible, just more and more likely every day.
You don’t have to decrypt the stored passwords, you just need to get hold of a user’s log in password which is the weak point. If you’re using any such service you want a single really strong password which you’ve never emailed, written down or divulged.
Yes, a very strong master password is essential. I also use a unique username/email address that has never been used for anything other than LastPass.
There are also many ways to set up multifactor identification if you want more than the master password protecting you. I’m currently using LastPass plus touch ID on my phone. You can even use a hardware multifactor solution such as YubiKey.
On the face of it Lastpass sounds OK . . but wait . . what about what Chris said : “You don’t have to decrypt the stored passwords, you just need to get hold of a user’s log in password which is the weak point”?
So . . you’re using Lastpass or similar on your smart-phone . . and it gets stolen.
Oops. All that is required on one piece of electronic gear.
Not easy, is it?
LastPass on my smart phone is useless to anyone unless they have my master password AND fingerprint.
How do you login to sites and services from your phone? Are you able to remember 10’s of, if not 100’s of strong passwords? Remembering just one strong password is about my limit…
Last pass on my phone requires my fingerprint for sign in so even if my phone is stolen they need my fingerprint also 🙂
I use LastPass, the best tenner spent, in my view more important than AV, but it goes without saying a I use to my the best, and I’m always trialing new ones. Used Kaspersky for a few years, but then conflicts came, so I now use Norton AV.
GCHQ, the entity that would most likely want to access personal details, telling us not to regularly change passwords… seems fishy to me, Chris.
That said, I’m a firm believer in the strength of my password, but I also believe that if someone skilled enough really wanted access to my personal details, they’d be in within minutes. It’s just a numbers game, hoping you aren’t an unlucky one!
GCHQ don’t need your password, in the same way they don’t need the key to your front door. they have their own master key.
@james, and I thought I was the one wearing the tinfoil hat here 😉
it’s not paranoia if it’s true….
Conspiracy theorist, a healthy mind frame! BC