Theft of two million web passwords reveals 'extremely poor' choices made by users

You might have heard the long-standing security recommendation that you should change your password for the umpteenth time every few months, if you want to stay safe online. But the UK government, on World Password Day – observed on 5 May – repeated its advice against the routine practice saying that it actually does more harm than good.

"In 2015, we explicitly advised against it [changing passwords]," British intelligence and security organisation GCHQ's Communications-Electronics Security Group (CESG) wrote in a recent post. "This article explains why we made this (for many) unexpected recommendation, and why we think it's the right way forward.

According to CESG's 16-page document called Simplifying Your Approach, forcing users to change their password every few months is often counter intuitive.

"The problem is that this doesn't take into account the inconvenience to users – the 'usability costs' – of forcing users to frequently change their passwords," said CESG.

While most password policies ask users to create and use passwords as long and "random" as possible, we often find them hard to remember over the course of our lives in the digital realm. "While we can manage this for a handful of passwords, we can't do this for the dozens of passwords we now use in our online lives," CESG stressed.

When asked to change our passwords on a semi-regular basis, we often go through the motions and end up with a bad password, such as one that is similar to the old password or re-use one that has been used across different domains. We are also more likely to write the new password down, which could pose a risk of it being misused.

These new passwords are also more likely to be forgotten and force service desks to reset them, which in turn eats up valuable time and resources.

Instead, they recommend that organisations do not force regular password expiry and opt for system monitoring tools that can detect and prevent unauthorised account use instead.

They suggest that a tool that shows users the last time they logged in, so they can see if they're responsible for any failed login attempts. If they aren't, it could be a red flag that someone has attempted to access their account and users can simply report it for investigation.

"Initiatives such as this are far more likely to help keep systems safe, and much more manageable for the user," CESG explained.