Stop changing your password every 30 days says GCHQ

By Chris Dawson February 16, 2017 - 8:52 pm

Ciaran Martin, the head of GCHQ’s new National Cyber Security Centre, has rubbished the practise of changing passwords on a monthly basis.

For years businesses have forced regular password changes on employees and it just doesn’t work, bemused by the constant change, so many people just use append a couple of numbers to a previous password meaning for decryption purposes it’s exactly the same.

Ciaran explained that constant password changes and advice never to use the same password for different services is the same as expecting you to remember a new 600 digit number every month. He said “None of my best people can do that so we shouldn’t tell other people to do that“.

To remember, passwords people write them down, promptly forget them and have to request password resets, or simply use weak passwords or use the same password for every service they use.

If spies and cyber security experts can’t remember new passwords every month, there are only two things you can do. Either create a single strong password and use one of the many online password managers, or set memorable but difficult to crack passwords.

How to create a strong password

A good password will contain lower and upper case characters, numbers and special characters. However a phrase can make it much easier to remember, for example everyone can recall “Jack and Jill went up the hill to fetch a pail of water”. Taking the first letters we get JAJWUTHTFAPOW. To turn it into a strong password we could then use J@Jwuth2f@p0w which is highly memorable but way more difficult for hackers to crack than something like “Februarypword02” or similar.

If you’re like me and never change your passwords, take heart – all these years people have been telling you to change them every 30 days, but ignoring their advice, you’ve been doing the right thing.

If you do change your passwords regularly then stop, make one super strong password for each service you use and stick with it.

  • Dave
    2 days ago

    Combining upper case and numbers into a password has a slight increase in complexity and thus a slight increase in difficulty to crack but ultimately becomes a whole magnitude harder for a normal human being to remember. It is infinitely more beneficial to increase the length of a password, without adding any numbers, upper case OR special characters!

    J@Jwuth2f@p0w being harder to crack than Februarypword02 ?
    Thats just factually incorrect.

    J@Jwuth2f@p0w would take a computer approximately 3 million years to crack based on the number of character combinations available.

    Februarypword02 however would take 609 million years. 609!! Thats over 200 times more secure!



    • 2 days ago

      I’ll take my chances for the next 3 million years ;-)

      Incidentally, Februarypword02 has a single capital letter. Remove it and use februarypword02 and your same tool says it can be cracked in 175 thousand years. A mix of upper and lower case (no matter how small) does make a difference!

    • Dave
      2 days ago

      You’d forget it after 1 ;-)

    • 2 days ago

      Probably Dave! *sighs* :-)

    • Dave
      2 days ago

      Sure, I’m not condoning either your password choices. I would suggest using “jackandjillwentupthehill” which is incredibly easy to remember, and would take 7 QUADRILLION years to crack :-D

      Adding an additional lower case character increases the password entropy more than changing a single letter to upper case or replacing it with a special characters does

  • Paul
    2 days ago

    SnowWhite&theSevenDwarves – The best 8 character password available.

  • Toby
    2 days ago

    Our staff have started by using the Month & Year, when forced to change it every month, so we have now stopped forcing them to change it.

  • james
    2 days ago

    it’s about time somebody with some bloody sense stopped spouting spurious “advice” that they really dont have a clue about.
    all the “advice” vendors these days seem to actually be thinly disguised adverts, and either dont help or actively hinder real world situations. password advice is a prime example.

    passwords are here for humans to use, dont make them impossible for humans to use, it’s not productive.

    the calculations here as to how long a computer would take to do something are making some massively incorrect assumptions, but that’s all we really have to go on.

    3 million years? I’d bet good money that in 15 years we’ll have AI around that can do it in a weekend.
    just mentioning AI, most passwords crackers would not start guesssing at “0001” and work their way up, that’s a dumb attack in every sense of the word, anyone attempting to brute force your password these days would use a smart approach, and the cracker would be set to start on the most likely answer, such as “password”.
    – run the word “password” or “password01” through one of your entropy tests and it will give you a number, unless that number is 0.01 seconds it’s wrong, every password cracker will start at “password” or “password01” and attempt “februarypword02” variations LONG before it attempts anything with @ or ! or – in it.

    like, if you’re six and play hangman, you might throw out Z! P! B! as your first three guesses, because they’re your favourites, or start at A because it’s first. password crackers would win hangman every round becuase they dont operate like that.

  • 2 days ago

    The most important advise is to use a different password for every service!

    I use LastPass to manage mine :-)

    • james
      2 days ago

      i also use lastpass, but it makes me paranoid for the day someone hacks lastpass.

    • 2 days ago

      Your passwords are behind double encryption so it isn’t even possible for LastPass staff to view them.

    • james
      2 days ago

      …and they’re hashed and salted many many times, so theoretically will be very difficult to hack. but NOTHING is impossible, just more and more likely every day.

    • 2 days ago

      You don’t have to decrypt the stored passwords, you just need to get hold of a user’s log in password which is the weak point. If you’re using any such service you want a single really strong password which you’ve never emailed, written down or divulged.

    • 2 days ago

      Yes, a very strong master password is essential. I also use a unique username/email address that has never been used for anything other than LastPass.

      There are also many ways to set up multifactor identification if you want more than the master password protecting you. I’m currently using LastPass plus touch ID on my phone. You can even use a hardware multifactor solution such as YubiKey.

  • Hendreforgan
    2 days ago

    On the face of it Lastpass sounds OK . . but wait . . what about what Chris said : “You don’t have to decrypt the stored passwords, you just need to get hold of a user’s log in password which is the weak point”?

    So . . you’re using Lastpass or similar on your smart-phone . . and it gets stolen.

    Opps. All that is required on one piece of electronic gear.

    Not easy, is it?

  • 2 days ago

    LastPass on my smart phone is useless to anyone unless they have my master password AND fingerprint.

    How do you login to sites and services from your phone? Are you able to remember 10’s of, if not 100’s of strong passwords? Remembering just one strong password is about my limit…

  • 2 days ago

    Last pass on my phone requires my fingerprint for sign in so even if my phone is stolen they need my fingerprint also :-)

Have your say

View our Comment Policy

Tamebay eBooks
Concise, focused information