Password Tips from the UK’s NSA

The UK’s SIGINT group, GCHQ, published this well-written set of password tips.  It’s longer than your typical list of dos and don’ts.  In fact, I like that it sets out some guidance on things that we may experience because they’ve always been done that way:

  • skip the 30/60/90 day periodic password changes.  It ” imposes burdens on the user(who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.”  I’d be glad just not to have to change it on January 2d.
  • risk of using password meters to check strength.  “They may steer users away from the weakest passwords, but often fail to account for the factors that can make passwords weak (such as using personal information, and repeating characters or common character strings).”

Good stuff for any end user but also for lawyers to understand about what their system administrators and technical staff should be doing in managing the law firm’s servers and network:  no plain text, salting and hashing, changing defaults, creating an environment where weak passwords can’t be used.

Originally posted on LinkedIn