Complex passwords do little to reduce the risks of people being hacked by cyber-attackers, Britain’s security services have warned as they advised businesses to simplify their approach.
CESG, the Information Security arm of GCHQ, has said complicated passwords do not “frustrate attackers” but actually just make life “more complicated” for users of technology.
The advice suggests people who have been going out of their way to create more complicated passwords may be inadvertently leaving themselves more exposed.
“Password guidance – including previous CESG guidance – has encouraged system owners to adopt the approach that complex passwords are ‘stronger’,” the guidance reads.
“However, complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.
It went on: “This guidance … advocates a dramatic simplification of the current approach at a system level, rather than asking users to recall unnecessarily complicated passwords.”
Cabinet ministers’ email hacked by Isil spies
The move is part of the government’s drive to ensure businesses are better protected from cyber-attacks amid increasing concern the country’s infrastructure is exposed.
David Cameron has prioritised cyber-security since taking office in 2010 in a drive that has seen British and American intelligence officials war-game potential attacks.
Mr Cameron pledged £1.1 billion to fight cyber terrorists last year in a bid to modernise the Armed Forces for the 21st century.
“Having a modern, technological, advanced and flexible Armed Forces to protect and advance these interests is not national vanity — it is national necessity,” he wrote at the time.
“Our national interest is served by Britain playing a role in the world. That is what we are doing today — whether working with forces in Nigeria or Somalia to close down terrorist threats at source, training up the security forces in Afghanistan, or sending Royal Navy warships to the Gulf to ensure vital trade routes remain open.
He added: “The threats we face have changed utterly in 30 years – from the clarity of the Cold War to the complex and shifting challenges of today: global terrorism, organised crime, hostage taking, the risk of nuclear proliferation, cyber attack, energy security.
“The enemy may be seen or unseen. So as the Strategic Defence and Security Review in 2010 made clear, it is not massed tanks on the European mainland we need, but the latest in cyber warfare.”
The idea security can be increased by simplifying password procedures will be welcomed by people across Britain who have become accustomed many different codes for different accounts.
Suggesting protection can be improved by simplifying password may raise eyebrows, but Raj Samani, a chief technology officer at Intel Security, explained the rationale.
By having complex passwords individuals would find methods to remember them and those mechanisms could lead to security vulnerability,” he told The Telegraph.
“What a lot of people will do is simply write that password down. We have lots of examples of computer hackers who will try to extract that information by manipulation.”
PayPal wants to implant passwords in your stomach and your brain
There have been a series of high profile embarrassments in recent years where passwords written down in offices have become public after being seen on live TV.
During a recent Super Bowl, one of America’s biggest sporting events, the credentials for the stadium’s wireless network were accidently displayed on television.
The WiFi code had been reserved for press and other services at the stadium but being soon was shared on social media, available for free to thousands of people attending the match.
In another incident, the passwords to the social media accounts of TV5 Monde, a French television channel, were accidently exposed when a reporter was interviewed during a broadcast. They had been written on sticky notes that were visible in the shot.