UK Financial Service Security Advice Contradicts Official Government Policy

I compile a list of eclectic, vaguely work-related articles for sharing each week at work. During the course of the week, some common themes often come out. This week it seems to be around the subject of password security.

I work within the UK Financial Services industry. Companies that operate in the industry are duty-bound to adhere to the security advice of its regulator, the Financial Conduct Authority (the FCA). The FCA issues guidelines on data security which quote a document written by its predecessor agency, the FSA, which was abolished in April 2013.

Fast-forward to section 3.4.3 (passwords and user accounts) on page 47, and we see this:

A major bank allowed passwords that were only six characters long and did not need to contain a mix of upper and lower case letters, numbers or keyboard symbols. This is significantly below recommended standards on password strength. Get Safe Online – a government-backed campaign group – recommends that passwords should be a combination of letters, numbers and keyboard symbols; at least seven characters long; contain a mix of upper and lower case letters, numbers and keyboard symbols; and be changed regularly.

The key point here is the highlighted phrase ‘and be changed regularly’.

The ‘Get Safe Online’ site contains the password advice seemingly adopted by the FSA and latterly the FCA. The ‘government backing’ for this group was secured in October 2012, which is practically a lifetime given the pace of change in the IT and security industry: https://www.gov.uk/government/news/get-safe-online-week

However, when we examine the official UK government advice around password security, it flatly contradicts this. The following link shows security recommendations from GCHQ’s National Cyber Security Centre (NCSC):

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The section labelled ‘Changing Passwords’ contains a quite striking quote:

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.

Moreover, another official paper by the same agency covers specific policy on forcing password expiry:

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommends that organisations do not force regular password expiry.

Let’s just take a moment to contemplate this. The FCA, which governs aspects of financial conduct and is very concerned about risk within the UK Financial Services industry, recommends security advice that is:

  • Half-a-decade out of date
  • Utterly debunked
  • At odds with the agency charged with cyber-security recommendations

Moreover, the poor advice isn’t limited to password ageing. It’s now recognised that passwords made up of mixed-case letters, numbers and symbols are hard for people to remember and yet not all that difficult to crack. Check out the following articles:

Password guru regrets past advice

http://www.bbc.co.uk/news/technology-40875534

Password Rules are Bull****

https://blog.codinghorror.com/password-rules-are-bullshit/

And, of course, there’s always an XKCD for that:

Password Strength
