UK Financial Service Security Advice Contradicts Official Government Policy

I compile a list of eclectic, vaguely work-related articles for sharing each week at work. During the course of the week, some common themes often come out. This week it seems to be around the subject of password security.

I work within the UK Financial Services industry. Companies that operate in the industry are duty-bound to adhere to the security advice of its regulator, the Financial Conduct Authority (the FCA). The FCA issues guidelines on data security, which quote a document written by its predecessor agency, the FSA, which was abolished in April 2013.

Fast-forward to section 3.4.3 – passwords and user accounts on page 47, and we see this:

A major bank allowed passwords that were only six characters long and did not need to contain a mix of upper and lower case letters, numbers or keyboard symbols. This is significantly below recommended standards on password strength. Get Safe Online – a government-backed campaign group – recommends that passwords should be a combination of letters, numbers and keyboard symbols; at least seven characters long; contain a mix of upper and lower case letters, numbers and keyboard symbols; and be changed regularly.

The key point here is the highlighted ‘and be changed regularly’.

The ‘Get Safe Online’ site contains the password advice seemingly adopted by the FSA and latterly the FCA. The ‘Government-backing’ for this agency was secured in October 2012, which is practically a lifetime ago given the pace at which the IT and security industry moves:

However, when we examine the official UK government advice around password security, it flatly contradicts this. The following link shows security recommendations from GCHQ’s National Cyber Security Centre (NCSC):

The section labelled ‘Changing Passwords’ contains a quite striking quote:

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately. 

Moreover, another official paper by the same agency covers specific policy around forcing password expiry:

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommend organisations do not force regular password expiry.
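To make the NCSC’s point concrete, here is a small added example (not code from the NCSC, the FCA or the original post) that flags a ‘new’ password which is only a cosmetic tweak of the old one: the kind of ‘Winter2015!’ to ‘Winter2016!’ rotation that forced expiry tends to produce. The normalisation rules, the leet-speak map and the two-edit threshold are assumptions of the example rather than any published standard, and the sample pairs are constructed, not real credentials.

```python
"""Flag a 'new' password that is only a minor variation of the old one.

Added illustration for this post (not NCSC, FCA or Get Safe Online code).
The normalisation rules and thresholds below are this example's own
assumptions, not a published standard.
"""
import re

# Common single-character substitutions seen in "rotated" passwords (assumed list).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw: str) -> str:
    """Collapse the usual cosmetic tweaks: case, leading/trailing counters
    such as '2016' or '!!', and leet substitutions in what remains."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # strip trailing digits/symbols
    core = re.sub(r"^[^a-z]+", "", core)   # strip leading digits/symbols
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` differs from `old` only cosmetically.

    Two tests: identical after normalisation ('Summer2015' vs 'summer2016'),
    or within `max_edits` raw edits ('P@ssw0rd1' vs 'P@ssw0rd2').
    """
    if old == new:
        return True
    if normalise(old) and normalise(old) == normalise(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


# Constructed sample of rotation attempts (not real credentials).
SAMPLE_ROTATIONS = [
    ("Winter2015!", "Winter2016!"),                  # counter bumped
    ("Winter2015!", "W1nter2015!"),                  # one leet swap
    ("Winter2015!", "correct horse battery staple"),  # genuinely new
    ("Password1", "Password2"),                      # counter bumped
    ("Password1", "drowssaP1"),                      # reversed: many edits
]


def review_rotations(pairs=SAMPLE_ROTATIONS):
    """Return (old, new, minor?) for each pair so a policy check can act on it."""
    return [(old, new, is_minor_variation(old, new)) for old, new in pairs]


if __name__ == "__main__":
    for old, new, minor in review_rotations():
        print(f"{old!r} -> {new!r}: {'minor variation' if minor else 'ok'}")
```

A check like this only works at the moment a user sets a new password, when the old one is still available to compare against; it is the sort of ‘whole-system’ control the NCSC has in mind when it says that expiry on its own buys little.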

Let’s just take a moment to contemplate this. The FCA, which governs aspects of Financial Conduct and is very concerned about risk within the UK Financial Services industry, recommends security advice that is:

  • Half-a-decade out of date
  • Utterly debunked
  • At odds with the agency charged with cyber-security recommendations

Moreover, the poor advice doesn’t just stem from password ageing. It’s now recognised that passwords with letters of differing case, numbers and symbols are hard to remember and actually not all that difficult to crack. Check out the following few articles:

Password guru regrets past advice

Password Rules are Bull****

And, of course, there’s always an XKCD for that:

Password Strength

Friday Reads – 18th December 2015 – #14

Ho ho ho, and all that.

It’s the last Friday reads of 2015. I’ve resisted the temptation to Christmasify this, so here’s a bog-standard list of reads.

Happy Christmas and new year.

An Engineer Explains Why You Should Always Order the Larger Pizza

Do you know how hard it is to organise pizzas for a group of people at a meeting? ‘Very’, is the answer I found out this week. Whilst it sounds a bit like stating the obvious, there’s some sound reasoning here:

90:9:1 – the odd ratio that technology keeps creating

Something to rival Moore’s Law?

Avoiding The Politics of Code Review

There’s been quite a code-review theme of late to these posts. It continues here with some patterns and anti-patterns regarding office politics and the pitfalls involved in getting a process in place.

Web Scraping in C#

I’ve used HTMLAgilityPack in the past with various degrees of annoyance. But this now seems to have gone dead, and hasn’t been updated since September 2014. AngleSharp seems to be current and does so much more.

Microsoft Edge’s JavaScript engine to go open-source

Continuing with Microsoft’s impressive drive towards open source.

The Rules Of Attraction

I’ve posted in the past about company culture, recruitment and attracting talent. This continues in the same vein. A thought-provoking read.

A whole coder’s life:

When you’ve been keeping a project running by the skin of your teeth:

Friday Reads – 11th December 2015 – #13

The Most Important Code Metrics You’ve Never Heard Of

Actually, you’ve probably heard of some of them. I’d be interested to understand how they measure them, though.

Can you solve GCHQ’s Christmas card puzzle?

People not processes – a personal lament

The author did not mention it, but the title is a key part of the Agile manifesto.

Unit Tests are Your Specification

A critique of a unit test suite. Well worth reading if you’re regularly reviewing code that includes unit tests.

Wiki Patterns

What are the good and bad behaviours that are often observed when running a wiki within an organisation?

Do Interfaces Terminate Dependencies?

Great discussion on the possibly-misguided notion that substituting an interface in place of a concrete class automatically removes that dependency.

New Language Support in Visual Studio 2015

The latest update to Visual Studio includes syntax highlighting and the beginnings of IntelliSense for over a dozen new languages.

Given the Java IDE wars that have been raging for a decade, is VS looking to challenge the remaining warriors (Eclipse, NetBeans & IntelliJ)?

And for the Java aficionados, here’s the latest twist in that war!

Bitcoin’s Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius

I’m a great believer in the future of bitcoin, or a bitcoin-like model. Up until now its creator has been largely anonymous. Looks like he’s been outed now, though.

This language sucks:

Drop all SQL Database Connections

I must have run this a dozen times in the last few days. Dead useful, which is why I’m posting it. Mostly for my own reference.

-- Run from master so the session executing this script is not itself attached to the target database
USE master;

-- Build one 'kill <spid>;' statement per session connected to the database...
DECLARE @kill varchar(8000) = '';
SELECT @kill = @kill + 'kill ' + CONVERT(varchar(5), spid) + ';'
FROM master..sysprocesses
WHERE dbid = db_id('MyDatabaseName');

-- ...then execute the concatenated batch, dropping all of those connections
EXEC(@kill);

Friday Reads – 27th November 2015 – #12

Code Coverage is a Useless Target Measure

You can have 100% code coverage and no asserts. Code coverage is still very useful as a measure of the paths tested, just not very good when set as a target.

Test-Driven Development Is Stupid

Focusses on the lunacy of writing ALL your test cases first, rather than the Red-Green-Refactor pattern.

What Do Programmers Want?

Pretty much says it all.

3 Reasons Why Daily Scrums Take So Much Time

I remember working on a project with 45 minute scrums daily! Fortunately, these are banished to the distant past.

The Day Google Deleted Me

A small warning: some colourful language in this one. Pretty funny, though.

After a chance discussion with a colleague, I thought I’d share this. It’s an older article from 2013, but it documents why the creator of MySQL decided to fork it to create MariaDB.

DB-Engines Ranking

Despite the sentiment of its original creator (see the article above), the popularity of MySQL (now Oracle-owned) remains in rude health.

The New Framework:

Arbitrary Goals: