[OWASP-Philadelphia] GCHQ Password Guidance

Justin Klein Keane justin at madirish.net
Fri Sep 18 16:27:46 UTC 2015


Hello all,

   I'm sure everyone on this list deals with passwords quite regularly 
and so I thought it might be useful to pass along a link to a recent 
publication from GCHQ (the British intelligence agency) concerning 
passwords.  There are a number of extremely good pieces of advice 
throughout the 13-page document that are not only applicable, but come 
from a very reputable source so might be useful in influencing 
organizational security policy or bolstering recommendations you may be 
making as part of security evaluations.

   My favorite recommendation supports a point I've been trying to make 
for years - namely that forcing users to choose new passwords every 30, 
60, or 90 days actually hurts, rather than helps, your security posture:

"Regular password changing harms rather than improves security, so avoid 
placing this burden on users.  However, users must change their 
passwords on indication or suspicion of compromise"

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf


Cheers,

-- 

Justin C. Klein Keane
http://www.MadIrish.net
