Government’s cyber advisory organisation says the practice brings minimal risks and organisations should not forbid it
The National Cyber Security Centre (NCSC) has said there is nothing wrong with pasting passwords and that organisations could actually weaken their IT security by forbidding the practice.
It says in a new blogpost that when the public is dealing with an organisation they should be allowed to paste passwords and that this can improve security as it helps to reduce password overload.
NCSC has previously said in its Password Guidance that most users have to deal with too many and emphasised the advantages of password managers, which choose, store and enter passwords into online forms.
It debunks the ‘no pasting’ on three grounds, all of which undermine good practice:
- It encourages the re-use of the same passwords for different websites.
- People are more likely to choose very simple, and therefore easy to guess passwords.
- They are also likely to write them down in places close to the screen.
In addition, the risk of pasting being used to plant malicious software, or of being lifted by an intruder if they remain on a computer’s clipboard, are very small.
In short, it says that the pros of pasting outweigh the cons.
“It is a mystery where stopping password pasting came from,” it adds. “No-one has pointed to a paper, a rule, an RFC (technical standards document) or anything else that started it off.”
NCSC recently criticised another element of what is commonly regarded as good practice in calling for an end to password expiry policies.
Image by Automobile Italia, CC BY 2.0 through flickr
