
Passwords? It’s enough to give you a headache

Life was so much easier when all we had to remember was a 4 figure PIN to get money from the cashpoint machine. Nowadays we need passwords for almost everything we do online and most people have many accounts and registrations that require passwords, which we are meant to remember – it’s enough to give you a headache.

We are told by every budding security geek that our passwords need to be strong or complex, that they should be at least so many characters long, that we shouldn’t re-use them, that we shouldn’t write them down, that we should change them regularly, that we should… STOP – rewind that last bit… We are now being told we don’t have to change passwords regularly – HOORAH!

CESG’s updated guidance on passwords

This revelation was included in new guidance on passwords published by CESG in 2015, “Password Guidance: Simplifying Your Approach”, although it does point out that ‘It is not intended to protect high value individuals using public services’.

There was a lot of good guidance in the document as you would expect. The main eyebrow raiser was the change in thinking regarding forcing users to regularly change their passwords. CESG is now recommending that organisations do not force regular password expiry. This was unexpected and CESG recently decided to explain their thinking further.

In summary, the main reasons are:

  • new chosen passwords will be very similar to the old one, so attackers can often work out the new password, if they have the old one;
  • new chosen passwords will often be weaker than the old one, because it’s easier for the user to remember;
  • the new password may be one that has been used for something else;
  • a new password will probably be written down;
  • a new password is more easily forgotten.

CESG is calling for improved password policies that place fewer demands on users. They put more onus on administrators to help lessen the burden on users and recommend the use of system monitoring tools to do this.

If this guidance is followed, users may not have to change account passwords as often as they used to, but they will have to pay more attention when logging in, checking that there have been no unknown events such as failed login attempts and that the last recorded login was actually theirs. They will also need a quick and easy way of reporting any suspected issues.
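The login-time check described above can be sketched as follows. This is an added example, not code from CESG or Ascentor; the log format, the sample events and the function names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample events; the line format (time, user, result, source)
# is an assumption made for this example.
SAMPLE_LOG = """\
2016-05-02T08:55:10Z alice LOGIN_OK 198.51.100.20
2016-05-02T23:41:02Z alice LOGIN_FAIL 203.0.113.7
2016-05-02T23:41:09Z alice LOGIN_FAIL 203.0.113.7
2016-05-02T23:41:15Z alice LOGIN_FAIL 203.0.113.7
2016-05-03T07:30:00Z bob LOGIN_OK 198.51.100.31
2016-05-03T09:01:44Z alice LOGIN_OK 198.51.100.20
"""

def parse_events(log_text):
    """Parse well-formed lines into time-ordered events; skip anything else."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"when": when, "user": parts[1],
                       "ok": parts[2] == "LOGIN_OK", "source": parts[3]})
    return sorted(events, key=lambda e: e["when"])

def login_notice(events, user):
    """What to show a user at their latest login, or None if never logged in."""
    mine = [e for e in events if e["user"] == user]
    successes = [i for i, e in enumerate(mine) if e["ok"]]
    if not successes:
        return None
    current = successes[-1]
    previous = successes[-2] if len(successes) > 1 else None
    # Everything between the two successful logins is a failed attempt.
    failed = mine[0 if previous is None else previous + 1:current]
    return {
        "previous_login": None if previous is None else mine[previous]["when"],
        "previous_source": None if previous is None else mine[previous]["source"],
        "failed_attempts": len(failed),
        "failed_sources": sorted({e["source"] for e in failed}),
    }

def accounts_to_review(events, threshold=3):
    """Administrator view: users whose latest login followed many failures."""
    flagged = []
    for user in sorted({e["user"] for e in events}):
        notice = login_notice(events, user)
        if notice and notice["failed_attempts"] >= threshold:
            flagged.append(user)
    return flagged
```

For the sample data, alice's notice reports three failed attempts from an address she has not used before, which is the kind of unknown event a user would be expected to report.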

Think it won’t happen to you?

If you think your passwords are safe – or that other people’s password misfortune won’t happen to you – you could be in for a nasty surprise.

This infographic from CESG is featured in their password guidance. We think it shows just how easy it is to have your password stolen – so we’ve included it in this article. Cyber criminals use a number of password hacking techniques, some sophisticated – some just plain guesswork.

[Infographic: How passwords are discovered. Crown Copyright 2015]

In conclusion

CESG’s recent guidance is definitely a positive step in the right direction for the user although arguably a very small one. Unfortunately we still have to remember the same number of difficult to remember passwords, so not much has changed in reality. The demise of the password was predicted some time ago but it doesn’t look like the headache is going away anytime soon.

If you haven’t had enough of passwords and want some other ideas on how to create ones that are strong and memorable, please see these articles from the Ascentor blog:

How to Create Strong, Memorable Passwords that are Difficult to Crack

How to Create Strong, Memorable Passwords that are REALLY Difficult to Crack

Now, pass me the Aspirin!

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.


Office: 01452 881712

