Skip to main content

How to make a strong password: Advice from GCHQ

Britain's electronic intelligence agency GCHQ has released new guidelines to help individuals and businesses choose strong passwords.

In a report issued in conjunction with the Centre for the Protection of National Infrastructure it suggests that the use of complex passwords is no longer required.

It advises using password managers but warns that, " any piece of security software, they are not impregnable and are an attractive target for attackers". It also recommends that businesses make life easier for their users by only applying passwords when they're really necessary and only insisting they're changed when there's evidence of compromise. It suggests using alternatives like hardware tokens or RFID badges too.

The report warns of the limitations of common user techniques such as substituting letters for numbers, and of machine generated passwords - principally that they're hard to remember. Instead it recommends using schemes that are more memorable such as combining four random dictionary words or adopting consonant-vowel-consonant constructions.

It also advises some common sense measures such as always changing default passwords on any new devices and never letting users share passwords. It suggests that administrator and remote user accounts be prioritised for stronger passwords.

Whilst much of the advice given is sensible, users may be forgiven for taking a negative view of security advice offered by GCHQ. The organisation has in the past pushed for the introduction of back doors in software and a weakening of encryption. Cynical commenters on the Guardian website suggest that the advice is to ensure passwords are compatible with the agency's latest cracking algorithm.

At the risk of adding your IP address to a secret government database, the full guide is available to download from the site.

Image Credit: Richard Peterson / Shutterstock