GCHQ’s new advice on password security is rather good, and it’s especially helpful to have a source such as GCHQ point out how little extra security is provided by IT rules about passwords having to comprise at least 12 characters, one of which must be a number, two of which must be characters that did not exist on keyboards before 1973 and three of which must be vowels that did not feature in the penultimate round of the highest-ever scoring episode of Countdown.
GCHQ’s motivation may be mainly about making life harder for Chinese hackers and the like, but its advice is just as relevant for political campaigners looking to avoid embarrassment or worse with their own systems:
Password guidance – including previous CESG guidance – has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’.
Worse still, the rules – even if followed – don’t necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk [aka writing them on post-it notes]…
Enforcing the requirement for complex character sets in passwords is not recommended.
Xkcd has the answer to how to have a sensible and yet secure password: