Stop using difficult-to-guess passwords, UK's spying agency GCHQ recommends

'Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users,' the agency warns

Andrew Griffin
Friday 11 September 2015 15:57 EDT
Comments
A painting of the government listening station GCHQ (L) is displayed at the 'A Year with MI6' exhibition at the Mount Street Gallery on February 14, 2011 in London, England
A painting of the government listening station GCHQ (L) is displayed at the 'A Year with MI6' exhibition at the Mount Street Gallery on February 14, 2011 in London, England (Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

The British spying agency, found to have been conducting wholesale surveillance on UK citizens, has recommended that the public make their passwords less complex.

In a brand new document called ‘Password guidance: simplifying your approach’, the company gives a range of guidelines to keep consumers safe. That includes rolling back previous guidance “that complex passwords are ‘stronger’” — instead recommending that people simplify their approach.

The agency gives a range of hints to those working in IT as well as normal consumers.

Those include warning people to change their default passwords, to make sure that accounts can be locked out if they’re under attack and avoid storing passwords as plain text files that can be read by anyone.

The agency also warns against the problems of “password overload”. That is what happens when people create too many complex and unmemorable passwords, which leads them to write them down or re-use them and so become unsafe.

Those complicated passwords are often the result of organisations imposing rules about the complexity of passwords — requiring that they are a certain length, for instance, or include special characters. But instead companies should just create more security rules, so that people can use their own, more simple passwords.

Those simple passwords might be made up of just three simple words, for instance. Or users could sign up for password managers — software that generates and then stores the passwords so that are both complex and never have to be remembered.

“Software password managers can help users by generating, storing and even inputting passwords when required,” the report says. “However, like any piece of security software, they are not impregnable and are an attractive target for attackers.”

That second sentence might be of note to people looking to use the password — GCHQ itself has been found to have been attacking security services used by British citizens, in an attempt to make it more easy to conduct its surveillance and spying operations.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in