Charlie Harvey

Is GCHQ password advice dodgy?

It is unusual, to say the least, for me to find a part of the work of GCHQ that is not entirely obnoxious. However, their recently published password guidance seems rather reasonable, despite this dig from the Guardian

some will be sceptical about trusting the advice of the intelligence agency of a government which has pushed for backdoors within software and the weakening of encryption used to protect user data for surveillance purposes.

gchq doughnut. how appropriate for cops

I am certainly no apologist for proposals to create broken encryption (cf: Why breaking encryption to stop terror is a monumentally shit idea), but the advice from the spooks seems fairly uncontroversial to me.

Here is the full report so you can make up your own mind on it.

The authors recommend using passphrases of several random words and using password management tools. Of course such tools may be an attack vector themselves, as the report observes:

… like any piece of security software, they are not impregnable and are an attractive target for attackers.

These attackers presumably include GCHQ itself, given that they actively attack computer users on a regular basis both passively via bulk data collection and by using active attacks, for which read 'hacking'.

To skip back for a moment to passphrases, I am an advocate of using a selection of words rather than a complex, random-looking string for a password. Ross Anderson quotes Angela Sasse on passwords:

it’s hard to think of a worse authentication mechanism than passwords, given what we know about human memory: people can’t remember infrequently-used, frequently-changed, or many similar items; we can’t forget on demand; recall is harder than recognition; and non-meaningful words are more difficult.

At least using a series of words addresses one of these problems. XKCD, as so often, puts this best.

correct horse battery staple
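The arithmetic behind that strip, as an added example that is not from the post or from the GCHQ guidance: pick the words with a CSPRNG and compare the entropy of a four-word passphrase with an eight-character random string. The sample word list, the 7776-word list size and the 72-symbol alphabet are assumptions constructed for the demo.

```python
import math
import secrets

# Constructed sample word list for this demo; in practice draw from a large
# published list such as a 7776-word diceware-style list (assumed size below).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "velvet", "orbit", "maple",
    "kettle", "granite", "saddle", "lantern", "pepper", "voyage", "ember", "tundra",
]
DICEWARE_LIST_SIZE = 7776      # assumed size of a diceware-style word list
COMPLEX_ALPHABET_SIZE = 72     # assumed: upper + lower + digits + ten symbols


def entropy_bits(num_choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `num_choices` symbols.

    This only holds when every pick is made by a CSPRNG; a word or character
    the user chose themselves is not uniform and earns no such credit.
    """
    if num_choices < 2 or length < 1:
        raise ValueError("need at least two choices and one pick")
    return length * math.log2(num_choices)


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly with the secrets module, never random.choice()."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of two or more")
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_schemes(word_count: int = 4, char_length: int = 8) -> dict:
    """Compare a random word-list passphrase with a random character string."""
    return {
        "passphrase_bits": entropy_bits(DICEWARE_LIST_SIZE, word_count),
        "random_chars_bits": entropy_bits(COMPLEX_ALPHABET_SIZE, char_length),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))   # e.g. "maple ember saddle horse"
    print(compare_schemes())                    # ~51.7 bits vs ~49.4 bits
```

With the small 16-word demo list each word contributes only 4 bits, which is why the list size matters far more than the choice of separator or capitalisation.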

I am probably less concerned with users writing down passwords than are the report authors.

While government may be a subject of a targeted attack by folks who break in and look for passwords on post-it notes near desks, my belief is that the overlap between people who break into offices and people who break into computers is small. A belief for which I have precious little evidence, I should note.

GCHQ probably knows something that the rest of us don’t as regards the prevalence of breaking into places to nick passwords — being involved in burglary, or rather surreptitious entry from time to time itself.

While the Guardian is right to be suspicious of advice from spooks, most of what is included in the report is what people in the security community have been saying for years.
