The government of the United Kingdom recently released new guidelines for passwords, which say that complex password policies and regularly forced password changes add little value.
When every system needs a different password, the complexity settings for each system are set high and password changes are enforced frequently – the outcome is not better security.
“Through research, in collaboration with the Research Institute in the Science of Cyber Security, we’ve learnt about how trying to make passwords “more secure” means systems end up less secure,” it said.
“When we’re overloaded with passwords, we all end up “breaking the rules”: we use the same passwords across different systems; we use coping strategies to make passwords more memorable (and thus more easily guessed), and we store passwords insecurely.”
Worst of all, making password policies complex doesn’t stop attacks. Attackers who have stolen a password database – even if hashed and salted – can generally brute force the majority of the passwords.
Attackers who only get a few tries at guessing passwords (such as with a well-designed online service, or enterprise IT network with throttling and lockout) will be stopped by a fairly short password.
The majority of password policies are in the middle of this – they give us passwords that are too short to prevent brute force attacks, but that are much more complicated than they need to be.
“The result is that we’re asking users to put in more work remembering complicated passwords, for no actual extra security benefit.”
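As an added illustration of the two attack settings described above (this is example code written for this page, not part of the UK government's guidance or the article), the following toy models both: an offline attack on a stolen database of salted, iterated hashes, where the attacker simply regenerates the "coping strategy" variants users produce to satisfy complexity rules (capitalise the first letter, append a digit and a symbol, swap letters for look-alike digits), and an online attack against a throttled login, where a lockout policy caps the number of guesses. The user database, word list, policy parameters and the low PBKDF2 iteration count are all constructed here for speed and illustration.

```python
import hashlib
import itertools
import os

# Iteration count kept deliberately low so the demo runs in seconds; real
# deployments use far more, but that only raises the attacker's cost linearly.
DEMO_ITERATIONS = 1_000


def hash_password(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """Defender's storage format: per-user salt, PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def meets_complexity_policy(pw: str) -> bool:
    """A typical 'complex' policy: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


# Look-alike substitutions users apply to satisfy 'must contain a digit'.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word: str):
    """Yield the predictable variants of a dictionary word that pass complexity rules."""
    bases = {word, word.capitalize(), word.translate(LEET), word.capitalize().translate(LEET)}
    suffixes = ([""] + [str(d) for d in range(10)]
                + [f"{d}{s}" for d in range(10) for s in "!@#$"])
    for base, suffix in itertools.product(sorted(bases), suffixes):
        yield base + suffix


def crack(stored: dict, wordlist, iterations: int = DEMO_ITERATIONS):
    """Offline attack on a stolen {user: (salt, digest)} table.

    Returns ({user: plaintext} for recovered accounts, number of candidates tried).
    Each candidate must be hashed once per user because the salts differ; that
    defeats precomputation but not guessing itself.
    """
    recovered, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            for user, (salt, digest) in stored.items():
                if user not in recovered and hash_password(candidate, salt, iterations) == digest:
                    recovered[user] = candidate
            if len(recovered) == len(stored):
                return recovered, guesses
    return recovered, guesses


def online_guess_budget(days: float, tries_per_lockout: int, lockout_minutes: float) -> int:
    """Guesses an attacker gets at one account through a throttled login."""
    lockouts_per_day = 24 * 60 / lockout_minutes
    return int(days * lockouts_per_day * tries_per_lockout)


def expected_guesses_for_random(alphabet_size: int, length: int) -> int:
    """Average guesses to hit a uniformly random password of this shape."""
    return alphabet_size ** length // 2


# Constructed sample database: three users whose passwords all come from
# dictionary words plus the usual mangling, two of them policy-compliant.
SAMPLE_PASSWORDS = {"alice": "Password1!", "bob": "Sunshine7", "carol": "W3lc0m31@"}
SAMPLE_DB = {u: (salt := os.urandom(16), hash_password(p, salt)) for u, p in SAMPLE_PASSWORDS.items()}
SAMPLE_WORDLIST = ["dragon", "password", "welcome", "sunshine"]  # constructed


if __name__ == "__main__":
    found, tried = crack(SAMPLE_DB, SAMPLE_WORDLIST)
    for user, pw in found.items():
        print(f"{user}: {pw!r} (policy-compliant: {meets_complexity_policy(pw)})")
    print(f"recovered {len(found)}/{len(SAMPLE_DB)} accounts after {tried} candidates")

    # Online: 5 tries, then a 15-minute lockout, sustained for a year.
    budget = online_guess_budget(days=365, tries_per_lockout=5, lockout_minutes=15)
    keyspace = expected_guesses_for_random(alphabet_size=26, length=6)
    print(f"online budget/year: {budget:,}; expected guesses for 6 random lowercase letters: {keyspace:,}")
```

The offline run recovers all three accounts within a few hundred candidates, salting and iteration notwithstanding, because the mangling rules reproduce exactly what the policy pushed users toward. The online figure makes the opposite point: at five tries per fifteen-minute lockout an attacker gets roughly 175,000 guesses a year, so even six random lowercase letters (about 154 million expected guesses) are out of reach, which is why a short but unpredictable password is enough wherever throttling is actually enforced.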
The image below provides an overview of password security from the UK government.