UK Financial Service Security Advice Contradicts Official Government Policy

I compile a list of eclectic, vaguely work-related articles for sharing each week at work. During the course of the week, some common themes often come out. This week it seems to be around the subject of password security.

I work within the UK Financial Services industry. Companies that operate in the industry are duty-bound to adhere to the security advice of their regulator, the Financial Conduct Authority (the FCA). The FCA issues guidelines on data security which quote a document written by its predecessor agency, the FSA, which was abolished in April 2013.

Fast-forward to section 3.4.3 – passwords and user accounts on page 47, and we see this:

A major bank allowed passwords that were only six characters long and did not need to contain a mix of upper and lower case letters, numbers or keyboard symbols. This is significantly below recommended standards on password strength. Get Safe Online – a government-backed campaign group – recommends that passwords should be a combination of letters, numbers and keyboard symbols; at least seven characters long; contain a mix of upper and lower case letters, numbers and keyboard symbols; and be changed regularly.

The key point here is the highlighted phrase ‘and be changed regularly’.

The ‘Get Safe Online’ site contains the password advice seemingly adopted by the FSA and latterly the FCA. The government backing for this campaign was secured in October 2012. That is practically a lifetime when considering the pace at which the IT and security industry moves: https://www.gov.uk/government/news/get-safe-online-week

However, when we examine the official UK government advice around password security, it flatly contradicts this. The following link shows security recommendations from GCHQ’s National Cyber Security Centre (NCSC):

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The section labelled ‘Changing Passwords’ contains a quite striking quote:

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately. 

Moreover, another official article by the same agency covers the specific problems with forcing password expiry:

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

It’s one of those counter-intuitive security scenarios: the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommend organisations do not force regular password expiry.

Let’s just take a moment to contemplate this. The FCA, which governs aspects of financial conduct and is very concerned about risk within the UK Financial Services industry, recommends security advice that is:

  • Half-a-decade out of date
  • Utterly debunked
  • At odds with the agency charged with cyber-security recommendations

Moreover, the poor advice doesn’t just stem from password ageing. It’s now recognised that rules demanding a mix of upper and lower case letters, numbers and symbols produce passwords that are hard to remember yet not all that difficult to crack, because users satisfy the rules in predictable ways (a capital first letter, a digit and a symbol tacked on the end). Check out the following few articles:

Password guru regrets past advice

http://www.bbc.co.uk/news/technology-40875534

Password Rules are Bull****

https://blog.codinghorror.com/password-rules-are-bullshit/

And, of course, there’s always an XKCD for that:

Password Strength
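To make the two arguments above concrete, here is a small added example (my own illustration, not code from the original post, the FCA or the NCSC). One function encodes the Get Safe Online composition rules quoted earlier; another stands in for the NCSC-style approach of a length floor plus a blocklist, with no composition rules and no forced expiry. A third models what an attacker holding a stolen password tries first after a forced rotation, which is why "minor variations of the old" password buy nothing. The blocklist, the leet-substitution table, the attacker's guess order and the sample passwords (including the passphrase from the XKCD strip) are all constructed for this example.

```python
"""Composition rules versus an NCSC-style check (added example, not
code from the original post, the FCA or the NCSC).

fsa_style_ok()   - the Get Safe Online rules quoted above.
ncsc_style_ok()  - length floor + blocklist, rejecting a minor variation
                   of the previous password instead of accepting it.
rotation_guesses() - the first things an attacker with the old password
                   tries after a forced change.
BLOCKLIST, _LEET and the guess ordering are constructed for this example.
"""
import re
import string

# Constructed sample blocklist of base words. A real deployment would
# load a large breached-password list instead.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "summer", "winter"}

# Undo the substitutions users make to satisfy "must contain a digit
# or symbol" rules: 0->o, 1->i, 4->a, 3->e, $->s, @->a.
_LEET = str.maketrans("0143$@", "oiaesa")


def normalise(pw: str) -> str:
    """Reduce a password to the base word the user started from.
    'P@ssw0rd1!' -> 'password', 'Winter2016!' -> 'winter'."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)  # drop a trailing 2016!, 1!, ...
    return core.lower().translate(_LEET)


def fsa_style_ok(pw: str) -> bool:
    """The quoted rules: at least seven characters with a mix of upper
    case, lower case, digits and keyboard symbols."""
    return (
        len(pw) >= 7
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def ncsc_style_ok(pw: str, previous=None, min_length: int = 8) -> bool:
    """Length floor plus blocklist, with no composition rules. When a
    user does change a password (voluntarily or after a compromise), a
    minor variation of the old one is rejected rather than accepted."""
    if len(pw) < min_length:
        return False
    if normalise(pw) in BLOCKLIST:
        return False
    if previous is not None and normalise(pw) == normalise(previous):
        return False
    return True


def rotation_guesses(old: str, max_guesses: int = 40) -> list:
    """What an attacker holding a stolen password tries first after a
    forced rotation: the same password, its trailing number bumped,
    then a digit or symbol appended. Order reflects common habits."""
    guesses = [old]
    m = re.search(r"(\d+)(\D*)$", old)
    if m:
        num, tail = m.group(1), m.group(2)
        head = old[: m.start(1)]
        for step in range(1, 4):  # Winter2015! -> Winter2016!, 2017!, 2018!
            guesses.append(f"{head}{int(num) + step:0{len(num)}d}{tail}")
    guesses += [old + d for d in "0123456789"]
    guesses += [old + s for s in "!@#$"]
    return list(dict.fromkeys(guesses))[:max_guesses]  # de-duplicate, keep order


def guesses_to_crack(old: str, new: str):
    """1-based position of the new password in the attacker's list, or
    None if it is not a predictable variation of the old one."""
    for i, guess in enumerate(rotation_guesses(old), 1):
        if guess == new:
            return i
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Winter2016!", "correct horse battery staple"):
        print(f"{pw!r}: FSA rules {fsa_style_ok(pw)}, NCSC-style {ncsc_style_ok(pw)}")
    print("Winter2015! -> Winter2016! found after",
          guesses_to_crack("Winter2015!", "Winter2016!"), "guesses")
    print("Tr0ub4dor&3 -> Tr0ub4dor&4 accepted:",
          ncsc_style_ok("Tr0ub4dor&4", previous="Tr0ub4dor&3"))
```

Running it shows the contradiction in one screen: ‘P@ssw0rd1!’ and ‘Winter2016!’ sail through the seven-character, four-class rules but fall to a blocklist after normalisation, the four-word passphrase fails the composition rules despite being far harder to guess, and a rotated ‘Winter2016!’ is the attacker's second guess once ‘Winter2015!’ has leaked.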

Friday Reads – 18th December 2015 – #14

Ho ho ho, and all that.

It’s the last Friday reads of 2015. I’ve resisted the temptation to Christmasify this, so here’s a bog-standard list of reads.

Happy Christmas and new year.

An Engineer Explains Why You Should Always Order the Larger Pizza

Do you know how hard it is to organise pizzas for a group of people at a meeting? ‘Very’, is the answer I found out this week. Whilst it sounds a bit like stating the obvious, there’s some sound reasoning here:

http://www.lifehacker.co.uk/2014/02/28/engineer-explains-always-order-larger-pizza

90:9:1 – the odd ratio that technology keeps creating

Something to rival Moore’s Law?

http://www.theguardian.com/technology/2015/dec/12/ratio-technology-mozilla-firefox-os-90-9-1

Avoiding The Politics of Code Review

There’s been quite a code-review theme of late to these posts. It continues here with some patterns and anti-patterns regarding office politics and the pitfalls involved in getting a process in place.

http://www.daedtech.com/avoiding-the-politics-of-code-review

Web Scraping in C#

I’ve used HTMLAgilityPack in the past with various degrees of annoyance. But this now seems to have gone dead, and hasn’t been updated since September 2014. AngleSharp seems to be current and does so much more.

http://blogs.msdn.com/b/cdndevs/archive/2015/12/17/web-scraping-in-c.aspx

Microsoft Edge’s JavaScript engine to go open-source

Continuing with Microsoft’s impressive drive towards open source.

https://blogs.windows.com/msedgedev/2015/12/05/open-source-chakra-core/

The Rules Of Attraction

I’ve posted in the past about company culture, recruitment and attracting talent. This continues in the same vein. A thought-provoking read.

Language: http://blog.ploeh.dk/2015/12/03/the-rules-of-attraction-language/

Location: http://blog.ploeh.dk/2015/12/04/the-rules-of-attraction-location/

Comics

A whole coder’s life: http://www.commitstrip.com/en/2015/12/11/a-whole-coders-life/

When you’ve been keeping a project running by the skin of your teeth: http://www.commitstrip.com/en/2015/12/16/when-youve-been-keeping-a-project-running-by-the-skin-of-your-teeth/