[OWASP-Philadelphia] GCHQ Password Guidance

Justin Klein Keane justin at madirish.net
Fri Sep 18 16:27:46 UTC 2015

Hello all,

   I'm sure everyone on this list deals with passwords quite regularly 
and so I thought it might be useful to pass along a link to a recent 
publication from GCHQ (the British intelligence agency) concerning 
passwords.  There are a number of extremely good pieces of advice 
throughout the 13-page document that are not only applicable, but come 
from a very reputable source, so they might be useful in influencing 
organizational security policy or bolstering recommendations you may be 
making as part of security evaluations.

   My favorite recommendation supports a point I've been trying to make 
for years - namely that forcing users to choose new passwords every 30, 
60, or 90 days actually hurts, rather than helps, your security posture:

"Regular password changing harms rather than improves security, so avoid 
placing this burden on users.  However, users must change their 
passwords on indication or suspicion of compromise"

Justin C. Klein Keane
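An added example, not part of the original post or of the GCHQ document: the quoted recommendation expressed as a password-change policy in code, evaluated against a constructed set of accounts and alerts. The alert types, account data and the 90-day figure for the legacy rule are assumptions for illustration.

```python
"""Password-change policy as code: reset on indication of compromise, not on age."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    last_change: date
    indicators: list = field(default_factory=list)  # compromise indicators observed


# Alert types treated as an "indication or suspicion of compromise" (constructed list).
COMPROMISE_EVENTS = {"breach_corpus_match", "phishing_report", "impossible_travel_login"}


def apply_alerts(accounts, alerts):
    """Attach compromise indicators from (constructed) alert records to accounts."""
    by_user = {a.user: a for a in accounts}
    for alert in alerts:
        if alert["type"] in COMPROMISE_EVENTS and alert["user"] in by_user:
            by_user[alert["user"]].indicators.append(alert["type"])
    return accounts


def legacy_policy(acct, today, max_age_days=90):
    """Scheduled rotation: force a change once the password exceeds max_age_days,
    on top of any compromise indication."""
    expired = (today - acct.last_change) > timedelta(days=max_age_days)
    return expired or bool(acct.indicators)


def gchq_policy(acct, today):
    """GCHQ-style rule: age alone never forces a change; an indicator always does."""
    return bool(acct.indicators)


def forced_resets(accounts, today, policy):
    """Users who must change their password today under the given policy."""
    return sorted(a.user for a in accounts if policy(a, today))


# Constructed sample data.
TODAY = date(2015, 9, 18)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2015, 3, 1)),  # 201 days old, no indicators
    Account("bob", date(2015, 8, 1)),    # 48 days old, no indicators
    Account("carol", date(2015, 9, 1)),  # 17 days old, but seen in a breach corpus
]
SAMPLE_ALERTS = [
    {"user": "carol", "type": "breach_corpus_match"},
    {"user": "bob", "type": "login_success"},  # routine event, not an indicator
]

if __name__ == "__main__":
    accounts = apply_alerts(SAMPLE_ACCOUNTS, SAMPLE_ALERTS)
    print("legacy 90-day policy:", forced_resets(accounts, TODAY, legacy_policy))  # ['alice', 'carol']
    print("GCHQ policy:", forced_resets(accounts, TODAY, gchq_policy))  # ['carol']
```

Under the legacy rule alice is burdened with a change for no security reason, while under the GCHQ rule only carol, whose credential actually shows a compromise indicator, is forced to change.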
