Don't change your passwords too often, UK intelligence says

© Kacper Pempel
Security experts are often advising computer users to change their passwords to safeguard against hacking. However, the UK’s intelligence agency is advising the public to do exactly the opposite, as new passwords are likely to be forgotten or written down.

UK intelligence and the Communications-Electronics Security Group (CESG), which is part of the security organization GCHQ, has advised those using a computer to ignore previous advice every couple of months.

“The problem is that this doesn’t take into account the inconvenience to users - the ‘usability costs’ - of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember,” CESG said on its website.

If a person is constantly changing their password, the chances are that it will be written down because of the difficulty in remembering it. However, this makes an account vulnerable to being unlawfully entered should the password fall into the wrong hands. 

“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis,” CESG stated.

One of the problems CESG says with changing a password at regular intervals is due to the fact that the public become complacent about the new password they pick. This can be something similar to their old password or one that has been used for another account. 

Speaking in April 2015, former National Security Agency contractor turned whistleblower Edward Snowden recommended using “passphrases” instead of passwords as he said it takes a computer less than a second to crack any eight-character password.

“The best advice here is to shift your thinking from passWORDs to passPHRASES,” Snowden recommended. “Think about a common phrase that works for you. It’s too long to brute force and also make them unlikely to be in the dictionary.”