Benefits are not enough to justify the disruptions, says government’s cyber security organisation
The National Cyber Security Centre (NCSC) has said that organisations should drop the policy of frequently requiring employees to change their computer passwords, describing it as a “blunt instrument that casts a long shadow over organisational security”.
It has published a blogpost that says the costs of the policy, in terms of disruptions to workflow and productivity, outweigh the benefits, which are often exaggerated.
The blog says that password expiry creates vulnerabilities of its own, such as pushing people to use weaker passwords, writing them down, re-using them across different systems and changing them in tiny ways.
“Attackers can and do exploit all these dodges,” it says.
It acknowledges that there is sometimes a firm case for changing passwords, notably when a system is suspected of having been compromised, but says that if regular changes look like a good idea, this is a sign of larger problems.
For example, users could be sharing passwords – which goes against good practice – because they do not have workable ways of securely sharing information. Or they may not understand their role in helping their organisation to secure its information, and to manage and audit access.
The NCSC does not have the power to mandate its recommendations, but the Government is promoting its role as the centre of expertise in cyber security and its intervention could prompt a rethink about the policy in some public sector organisations.