UK’s Spy Agency Wants Users to Stop Resetting Their Passwords – No Joke


Your password resets are really annoying the British government. Can you please stick to one?

Stop resetting passwords, you can't handle it - GCHQ

If you are tired of being forced to reset your password, at least the UK's Government Communications Headquarters (GCHQ) is with you.

On a day dedicated to passwords, GCHQ's information security arm published a blog post repeating its advice against the most common security practice of routinely changing passwords. "In 2015, we explicitly advised against it. This article explains why we made this unexpected recommendation, and why we think it’s the right way forward," a post by GCHQ's Communications-Electronics Security Group (CESG) notes. CESG has published a 16-page document titled "Simplifying Your Approach" that explains to businesses how they can secure information without requiring users to reset their passwords. The UK government thinks that the public can't handle having too many passwords and would eventually forget them, which "makes matters worse."

Wondering why you shouldn't be asked to reset your passwords? GCHQ believes that changing passwords actually puts users at more risk.

[...] chances are that the new password will be similar to the old one.

Attackers can exploit this weakness.

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack.

Changing passwords routinely is one of the first online security tips you get. From keeping complex passwords for banking accounts to never reusing the same passwords for every online service, most of our online security relies on the use of thoughtfully crafted passwords. Which is exactly why it is a bad idea, says GCHQ.

The problem is that this doesn’t take into account the inconvenience to users - the ‘usability costs’ - of forcing users to frequently change their passwords.

Britain's spy agency is not only worried about users being frustrated by repeated demands for password resets; it also seems to care about the businesses that have to reset passwords for users who forget their newly created passwords.

New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.

This is the kind of advice that everyone wants to listen to. Forget about passwords. Create one and let it stay the same for the next decade. Since GCHQ says we can't manage "random" and "hard to remember" passwords, how about we use the same password for every other online service and product? If nothing else, it would certainly make the job of GCHQ easier.