èƵ

New advice is use fewer passwords – why the change of tack?

Unique, strong passwords, changed frequently, has been the mantra for all the websites we log into. Why is that advice under attack, wonders Paul Marks
A keyboard with "secure password" spelled out on the keys using several symbol characters in place of letters
…or is it?
David Malan/Getty

The minds behind the UK’s Government Communications Headquarters (GCHQ) – heirs of code-breaking computing pioneer Alan Turing – have pronounced that long-standing advice on internet password security is ineffective.

After Edward Snowden’s revelations about GCHQ’s role in mass personal data harvesting alongside the US National Security Agency, sceptics may be inclined to take such guidance with a pinch of salt. But we should cut them some slack: this point is a powerful one.

Until now the official advice has been to set a different strong password for every website we log in to, and to change it regularly. Strong tends to mean not including whole dictionary words – which are easily guessed in unsophisticated computer attacks – and including non-alphanumeric characters, such as £, $ and *.

But the new advice is to . The problem is we end up in a constant circle, pressing “forgot password” and resetting time and time again. This only encourages people to reuse passwords, lowering security overall.

Less is more

So, as GCHQ opened the doors of its new (NCSC) in London last week – where it aims to shore up corporate and public data security – the centre’s CEO Ciaran Martin revealed some fascinating research that turns the old advice on its head.

Staff had worked out that what they were asking every UK citizen to do was equivalent to memorising a new 600-digit number every month. “None of my best people can do that. So we shouldn’t be telling other people to,” says Martin.

Instead, the NCSC is now recommending that people use a software-based password manager, which avoids the need to do this. Use one strong password to log in to the manager, then it handles website logins, automatically pasting access details into boxes when required.

Pasting in passwords (from a list kept in a Word document, say) has been a moot point in security circles. Some websites actively prevent pasting, supposedly on security grounds. But those grounds , the NCSC says. They are a received wisdom. Websites that block password pasting also block password managers – and the NCSC wants to see that end.

Buried treasure

Some concerns have been raised that a web browser’s “autofill” feature for easy form filling might allow hackers to stored in this way in seconds from some password managers. The makers of managers are starting to use .

The change of tack by GCHQ/NCSC coincides with a curious piece of market research from US firm Cybersecurity Ventures, revealing the size of the password problem: there are 90 billion passwords in use online today – but connecting our fridges, lighting, heating systems, toasters and the like will take that to .

While biometrics such as facial recognition may help replace some passwords, it is clear that password managers will soon become the invaluable aides-memoire of the tech ecosystem.

Maybe even Turing, GCHQ’s inspiration, could have done with an aide-memoire at times. Alarmed at the threat of a Nazi invasion, he bought two silver ingots and : by the time the war was over, he had forgotten where his treasure was and never accessed it again.

Topics: Computer crime / Hacking / Internet / Privacy