UK Spy Agency GCHQ Asks Users to Stop Resetting Passwords

Your password resets are really abrasive the British government. Can yous delight stick to one?

Stop resetting passwords, yous can't handle information technology - GCHQ

If you are tired of being forced to reset your password, at least the United kingdom's Government Communications Headquarters (GCHQ) is with you lot.

On a day dedicated to passwords, GCHQ'southward Information Security Arm posted a blog post repeating its advice against the almost common security practise of routinely irresolute passwords. "In 2022, nosotros explicitly advised against it. This article explains why we made this unexpected recommendation, and why we think information technology's the right style forrad, " a mail service past GCHQ'southward Communications-Electronics Security Group (CESG) notes. CESG has published a xvi-page document titled "Simplifying Your Approach" that explains to businesses how they tin can secure information without enervating users to reset their passwords. The UK government thinks that the public can't handle having too many passwords and would eventually forget them which "makes matters worse."

Wondering why you shouldn't be asked to reset your passwords? GCHQ believes that changing passwords actually puts users at more risk.

[...] chances are that the new password volition be similar to the old one.

Attackers can exploit this weakness.

It'due south ane of those counter-intuitive security scenarios; the more ofttimes users are forced to modify passwords, the greater the overall vulnerability to attack.

Changing passwords routinely is i of the first online security tips you get. From keeping complex passwords for cyberbanking accounts to never reusing the same passwords for every online service, most of our online security relies on the use of thoughtfully crafted passwords. Which is exactly why it is a bad thought, says GCHQ.

The problem is that this doesn't take into account the inconvenience to users - the 'usability costs' - of forcing users to oft change their passwords.

Britain'southward spy agency is not only worried about users being frustrated past repeated demands of password resets, it likewise seems to care for the businesses who have to reset passwords for users when they forget their newly created passwords.

New passwords are also more than likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.

This is the kind of advice that everyone wants to listen to. Forget about passwords. Create one and let it stay the same for the next decade. Since GCHQ says we tin can't manage "random" and "difficult to remember" passwords, how well-nigh nosotros employ the same countersign for every other online service and product? If nothing, it would certainly make the job of GCHQ easier.

On #WorldPasswordDay, delight consider irresolute your password to something other than "countersign" pic.twitter.com/N9WOR39sWa

— Zee (@growingupzee) May v, 2022