Passwords? It’s enough to give you a headache


Life was so much easier when all we had to remember was a 4 figure PIN to get money from the cashpoint machine. Nowadays we need passwords for almost everything we do online and most people have many accounts and registrations that require passwords, which we are meant to remember – it’s enough to give you a headache.

We are told by every budding security geek that our passwords need to be strong or complex, that they should be at least so many characters long, that we shouldn’t re-use them, that we shouldn’t write them down, that we should change them regularly, that we should… STOP – rewind that last bit… We are now being told we don’t have to change passwords regularly – HOORAH!

CESG’s updated guidance on passwords

This revelation was included in new guidance on passwords published by CESG in 2015, “Password Guidance: Simplifying Your Approach”, although it does point out that ‘It is not intended to protect high value individuals using public services’.

There was a lot of good guidance in the document, as you would expect. The main eyebrow raiser was the change in thinking regarding forcing users to regularly change their passwords. CESG is now recommending that organisations do not force regular password expiry. This was unexpected, and CESG recently decided to explain their thinking further.

In summary, the main reasons are:

  • new chosen passwords will be very similar to the old one, so attackers can often work out the new password, if they have the old one;
  • new chosen passwords will often be weaker than the old one, because it’s easier for the user to remember;
  • the new password may be one that has been used for something else;
  • a new password will probably be written down;
  • a new password is more easily forgotten.

CESG is calling for improved password policies that place fewer demands on users. They put more onus on administrators to help lessen the burden on users and recommend the use of system monitoring tools to do this.

If this guidance is followed, from a user perspective, whilst they may not have to change account passwords as often as they used to, they will have to pay more attention when logging in so that they can check that there have been no unknown events such as failed login attempts or that the last recorded login was actually theirs. They will also need to have a quick and easy way for reporting any suspected issues.
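As an added illustration (not from the CESG guidance or from Ascentor), this is the kind of check a monitoring tool can give a user at sign-in: their last successful login and any failed attempts since it, worked out from constructed sshd-style log lines (the hosts, user names and addresses are invented).

```python
import re

# Constructed sample sshd-style log lines; hosts, users and addresses are invented.
SAMPLE_LOG = """\
Mar 14 08:01:02 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar 14 09:15:40 host1 sshd[1305]: Failed password for alice from 198.51.100.7 port 41001 ssh2
Mar 14 09:15:44 host1 sshd[1305]: Failed password for alice from 198.51.100.7 port 41001 ssh2
Mar 14 09:16:01 host1 sshd[1306]: Failed password for alice from 198.51.100.9 port 41002 ssh2
Mar 14 10:00:00 host1 sshd[1400]: Accepted password for bob from 10.0.0.6 port 50200 ssh2
Mar 14 10:02:10 host1 sshd[1401]: Failed password for bob from 10.0.0.6 port 50201 ssh2
Mar 14 10:02:30 host1 sshd[1402]: Accepted password for bob from 10.0.0.6 port 50202 ssh2
Mar 14 10:05:00 host1 sshd[1403]: Failed password for invalid user admin from 203.0.113.4 port 41100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarise_logins(log_text):
    """Per user: last success, failures between the previous and latest success, and failures since."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        e = summary.setdefault(m["user"], {"last_success": None, "last_source": None,
                                           "failed_before_last": 0, "failed_since_last": 0,
                                           "failed_sources": []})
        if m["result"] == "Accepted":
            # A new success closes the window: keep the pending count to show the user, then reset.
            e.update(last_success=m["ts"], last_source=m["src"],
                     failed_before_last=e["failed_since_last"],
                     failed_since_last=0, failed_sources=[])
        else:
            e["failed_since_last"] += 1
            if m["src"] not in e["failed_sources"]:
                e["failed_sources"].append(m["src"])
    return summary

def login_message(user, summary):
    """The 'last login' line a user should read and verify each time they sign in."""
    e = summary.get(user)
    if e is None or e["last_success"] is None:
        return f"{user}: no successful login on record"
    msg = f"{user}: last login {e['last_success']} from {e['last_source']}"
    if e["failed_since_last"]:
        msg += f"; {e['failed_since_last']} failed attempt(s) since then from {', '.join(e['failed_sources'])}"
    return msg
```

Failures against an account name that does not exist (the "invalid user" line) are counted too, since a burst of them is exactly the kind of unknown event an administrator's monitoring should surface.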

Think it won’t happen to you?

If you think your passwords are safe – or that other people’s password misfortune won’t happen to you – you could be in for a nasty surprise.

This infographic from CESG is featured in their password guidance. We think it shows just how easy it is to have your password stolen – so we’ve included it in this article. Cyber criminals use a number of password hacking techniques, some sophisticated – some just plain guesswork.

How passwords are discovered

[Infographic: “How passwords are discovered”, Crown Copyright 2015 (image not reproduced here)]

In conclusion

CESG’s recent guidance is definitely a positive step in the right direction for the user although arguably a very small one. Unfortunately we still have to remember the same number of difficult to remember passwords, so not much has changed in reality. The demise of the password was predicted some time ago but it doesn’t look like the headache is going away anytime soon.

If you haven’t had enough of passwords and want some other ideas on how to create ones that are strong and memorable, please see these articles from the Ascentor blog:

How to Create Strong, Memorable Passwords that are Difficult to Crack

How to Create Strong, Memorable Passwords that are REALLY Difficult to Crack

Now, pass me the Aspirin!

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.

Email: [email protected]

Office: 01452 881712
