GCHQ’s advice on password security is rather good, and it’s especially helpful to have a source such as GCHQ point out how little extra security is provided by IT rules about passwords having to comprise at least 12* characters, one of which must be a number, two of which must be characters that did not exist on keyboards before 1973 and three of which must be vowels that did not feature in the penultimate round of the highest-ever scoring episode of Countdown.**
As GCHQ’s Ciaran Martin pointed out last year:
We did some work where we worked out what we are asking the average British citizen to do in their personal and professional life, if they follow all the guidance on changing their password and how their password should be configured.
We worked out that what we were asking every British citizen to do was to memorise a new 600-digit number every month. My best technical people can’t do that. None of my best people can do that.
So we shouldn’t be telling other people to do that.
Part of the answer to that is using password manager software to manage your other passwords. Part is to use two-factor authentication. The other part is choosing passwords, and rules about passwords, wisely.
GCHQ’s motivation may be mainly about making life harder for Chinese hackers and the like, but its advice is just as relevant for political campaigners looking to avoid embarrassment or worse with their own systems:
Password guidance – including previous CESG guidance – has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’.
Worse still, the rules – even if followed – don’t necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk [aka writing them on post-it notes]…
Enforcing the requirement for complex character sets in passwords is not recommended.
Xkcd has the answer to how to have a sensible and yet secure password:
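To put the xkcd comparison into numbers, here is an added Python example; it is not code from the original post, from GCHQ or from xkcd. It assumes a 7776-word list (the size of the EFF long list) for the random passphrase, a rough per-component bit count for a mangled dictionary word in the spirit of the xkcd strip, a guess rate of 10,000 per second, and a constructed word list plus the constructed password `P@ssw0rd1234` for the demo.

```python
import math
import re
import secrets

# Constructed word list so the demo runs offline; a real list such as the EFF
# long wordlist has 7776 entries, which is the size assumed in the arithmetic.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet",
              "glacier", "pillow", "trumpet", "cactus", "marble", "falcon"]
EFF_LIST_SIZE = 7776

def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` parts each drawn uniformly at random from `pool_size`
    choices; this holds for random picks only, never for user-chosen ones."""
    return length * math.log2(pool_size)

def mangled_word_bits(word=16.0, caps=1.0, leet=3.0, digits=7.0, symbol=4.0):
    """Rough accounting (assumed figures, in the spirit of xkcd 936) for a common
    dictionary word with the usual capital, l33t, number and symbol tweaks."""
    return word + caps + leet + digits + symbol

def generate_passphrase(words: list, count: int, sep: str = "-") -> str:
    """Passphrase of `count` words drawn with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(count))

def meets_complexity_policy(pw: str, min_len: int = 12) -> bool:
    """The kind of rule the post mocks: a length floor plus character-class quotas,
    which says nothing about how predictably the password was chosen."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare(passphrase: str, mangled: str, rate: float = 1e4) -> dict:
    """Side by side: does each pass the policy, and how much entropy does it have?"""
    phrase_bits = entropy_bits(EFF_LIST_SIZE, len(passphrase.split("-")))
    return {
        "passphrase_passes_policy": meets_complexity_policy(passphrase),
        "mangled_passes_policy": meets_complexity_policy(mangled),
        "passphrase_bits": round(phrase_bits, 1),
        "mangled_bits": mangled_word_bits(),
        "passphrase_years": years_to_exhaust(phrase_bits, rate),
        "mangled_years": years_to_exhaust(mangled_word_bits(), rate),
    }

if __name__ == "__main__":
    # "P@ssw0rd1234" is a constructed stand-in for a policy-compliant mangled word.
    print(compare("correct-horse-battery-staple", "P@ssw0rd1234"))
    print(generate_passphrase(DEMO_WORDS, 4))
```

The complexity check accepts the guessable mangled word and rejects the random passphrase, which is exactly the mismatch the quoted GCHQ passage describes. The entropy figures only hold when the words are picked by the generator, not by the user.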
* Weirdly, minimum password lengths are almost always an even number.
** Which is an excuse to mention this amazing numbers round: