Don't keep changing your password, advises GCHQ


Security service GCHQ is advising computer users that they shouldn't change their passwords regularly - a radical departure from the usual advice.

The reason isn't, as you might suspect, to make it easier for GCHQ to spy on people, but because the agency believes changing passwords too often makes us sloppy.

It's a particular danger where policies force users to change passwords regularly, whether they want to or not, says GCHQ's cybersecurity arm, the Communications-Electronics Security Group (CESG).

"When forced to change one, the chances are that the new password will be similar to the old one. Attackers can exploit this weakness. The new password may have been used elsewhere, and attackers can exploit this too," it warns.

"The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords."

Instead of forcing regular changes, says CESG, organisations should start telling users when their account was last accessed, so they know if someone else has been trying to log in.

According to a recent survey from Intel, the average person has 27 different sites that they log into, from Facebook to email and online banking. Even though a lot of these passwords, rather riskily, are shared, there's still a lot for people to remember, and more than a third said they forgot a password at least once a week.

GCHQ advises that sticking to the same passwords long-term is the safest bet - as long as those passwords are good ones. Don't, for example, pick '123456' or the like.

Don't use a pet's name, a favourite football team or similar, as these are often easily guessable from social media accounts.

And don't reuse passwords from one site to another. If your details are hacked, the first thing that the hackers will do is try your password on other sites, such as internet shopping or banking.

"You may think that leaked passwords alone aren't critical – however, about 50% of leaked passwords included an email attached to the account," says researcher Michal Salat of security firm Avast.

"We know that people use the same email and password combination on different accounts. So if a hacker knows your Ashley Madison password, they will also know your password for Facebook, Amazon, eBay, etc."

In fact, it's not that difficult to come up with a password that you can remember, but that nobody else could ever predict. One of the best options is to use a sentence you'll remember and take the first letter of each word: 'My favourite website is AOL Money', for example, would become 'MfwiAM'.

The ten most common passwords (source: Avast)
1. 123456
2. 123456789
3. password
4. 101
5. 12345678
6. 12345
7. Password1
8. qwerty
9. 1234
10. 111111
