UK’s Spy Agency Wants Users to Stop Resetting Their Passwords – No Joke

Danielx64 (Developer) | Joined: Nov 8, 2009 | Messages: 3,300
LMAO like seriously:

Link: http://wccftech.com/uk-spy-agency-gchq-asks-users-to-stop-resetting-passwords/

If you are tired of being forced to reset your password, at least the UK’s Government Communications Headquarters (GCHQ) is with you.

On a day dedicated to passwords, GCHQ’s Information Security Arm posted a blog post repeating its advice against the most common security practice of routinely changing passwords. “In 2015, we explicitly advised against it. This article explains why we made this unexpected recommendation, and why we think it’s the right way forward,” a post by GCHQ’s Communications-Electronics Security Group (CESG) notes. CESG has published a 16-page document titled “Simplifying Your Approach” that explains to businesses how they can secure information without requiring users to reset their passwords. The UK government thinks that the public can’t handle having too many passwords and would eventually forget them, which “makes matters worse.”

I would say that changing passwords makes it harder for the UK to spy on people.

Lisa (Chaotically Proportional) | Joined: Jan 6, 2004 | Messages: 27,452
Reading the article, I can see what they're saying in a way. People have a tendency to use a set of passwords all the time and just shuffle them around. Chances are for many people all they do to change the password is to add a 1 at the end (I've seen it lol)... it'd make more sense to add another layer of security - like 2FA, for instance - so that the password doesn't need to be reset every month or x days.

Empire (Devotee) | Joined: Jul 3, 2014 | Messages: 2,813
Do they want us to stop changing TheAdminZone passwords too :O?

Danielx64 (Developer) | Joined: Nov 8, 2009 | Messages: 3,300
I can also see it that way as well, but I also feel that telling people not to change their passwords is also dangerous, if not more so. Not every website has 2FA, and not everyone can use 2FA for one reason or another. What if 2FA fails because you can't get the text as you don't have coverage? Maybe better education is needed?

zappaDPJ (Moderator) | Joined: Aug 26, 2010 | Messages: 8,450
I haven't read the article yet but I've seen and read of a number of instances where a site has been compromised causing sensible people to change their password which subsequently turned out to be a mistake. It's not uncommon for people to rush to change passwords on unsecured sites, something I'm sure cyber criminals have in mind when they attack sites.

In addition, the very act of changing a password is a vulnerability in itself if your computer is being keylogged, and a huge number are. I don't know how credible this report is, but it claims 48% of 22 million computers scanned were infected with malware: http://www.zdnet.com/article/report-48-of-22-million-scanned-computers-infected-with-malware/ I bet there are a few keyloggers in there.

So yeah, I can think of multiple reasons why changing passwords might not be a good idea and at least as many reasons why you often should. Damned if you do, damned if you don't! :)

Danielx64 (Developer) | Joined: Nov 8, 2009 | Messages: 3,300
The other problem is patches and whatnot not being installed, which puts people at risk. Out-of-date antivirus is another problem as well.

Robust (Developer) | Joined: Dec 7, 2014 | Messages: 1,344
Yeah, I'll tell you what they're thinking:

"We figured out the pass for one account, let's hope all accounts are the same"

It's a damn spy agency. Their primary focus isn't to help people protect their privacy lol. Disregard their "advice" - it's horrible advice. Even a 1 on the end is better than without the 1 on the end - it's a harder password than previously. They'd have to know the original to know the 1 on the end, which means they'd get in anyway. The 1 just adds more possibilities for what the modified pass could be. Although, you can (and should) change it more than just a "1". I don't change my passes regularly myself, since they're all 24 chars long with mixed case and numbers, generated using a password manager.

Additionally, changing your pass means it will be encrypted using a newer hash. We developers don't traditionally reset all passes every time the algo is changed. Really old passes could still be in md5 and functioning. Updating your pass will mean it's using the latest algo, assuming the remote site has updated its encryption algos.
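The hash-upgrade situation Robust describes, shown as an added example that is not code from the post or from any forum software: a site whose user table still holds bare md5 hashes alongside records on a current KDF can verify the legacy hash at login and transparently re-store the password under the current scheme, so no forced reset is needed to retire md5. The record format, the `pbkdf2_sha256$iterations$salt$hash` string and the sample users are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed scheme label and work factor for the "current" algorithm.
CURRENT_SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Hash with the current scheme; a fresh random salt per record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{CURRENT_SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Accept both the legacy bare-md5 record and the current record format."""
    if "$" not in stored:
        # Legacy row: unsalted md5 hex digest, the "really old passes" case.
        legacy = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(legacy, stored)
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != CURRENT_SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored):
    """True for md5 rows and for current-scheme rows below today's work factor."""
    if "$" not in stored:
        return True
    scheme, iters, _, _ = stored.split("$")
    return scheme != CURRENT_SCHEME or int(iters) < PBKDF2_ITERATIONS


def login(users, username, password):
    """Verify, then upgrade the stored hash in place; the plaintext is only
    available at this moment, which is why the upgrade happens at login."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


# Constructed sample records, not real credentials.
USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),  # legacy md5 row
    "bob": hash_password("battery staple"),              # already current
}
```

After `login(USERS, "alice", "correct horse")` succeeds, alice's row is a `pbkdf2_sha256$...` record and the md5 value is gone, without her ever being asked to change her password.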

Spiralcannon2-CW (Participant) | Joined: Apr 24, 2016 | Messages: 55
Sadly, I have a bad password and don't know where to take it. I never remember generated passwords and have bad passwords at all times.

There was one I used that was really good once, but someone got it.