It is unusual, to say the least, for me to find a part of the work of GCHQ that is not entirely obnoxious. However, their recently published password guidance seems rather reasonable, despite this dig from the Guardian
some will be sceptical about trusting the advice of the intelligence agency of a government which has pushed for backdoors within software and the weakening of encryption used to protect user data for surveillance purposes.
I am certainly no apologist for proposals to create broken encryption (cf: Why breaking encryption to stop terror is a monumentally shit idea), but the advice from the spooks seems fairly uncontroversial to me.
Here is the full report so you can make up your own mind on it.
The authors recommend using passphrases of several random words and using password management tools. Of course such tools may be an attack vector themselves, as the report observes:
… like any piece of security software, they are not impregnable and are an attractive target for attackers.
These attackers
presumably include GCHQ itself, given that they actively attack computer users on a regular basis both passively via bulk data collection and by using active attacks, for which read 'hacking'.
To skip back for a moment to passphrases, I am an advocate of using a selection of words rather than a complex random looking string for a password, Ross Anderson quotes Angela Sasse on passwords:
it’s hard to think of a worse authentication mechanism than passwords, given what we know about human memory: people can’t remember infrequently- used, frequently-changed, or many similar items; we can’t forget on demand; recall is harder than recognition; and non-meaningful words are more difficult.
At least using a series of words addresses one of these problems. XKCD, as so often, puts this best.
I am probably less concerned with users writing down passwords than are the report authors.
While government may be a subject of a targetted attack by folks who break in and look for passwords on post it notes near desks, my belief is that the overlap between people who break into offices and people who break into computers is small. A belief for which I have precious little evidence, I should note.
GCHQ probably knows something that the rest of us don’t as regards the prevalence of breaking into places to nick passwords — being involved in burglary, or rather surreptitious entry from time to time itself.
While the Guardian is right to be suspicious of advice from spooks, most of what is included in the report is what people in the security community have been saying for years.