The UK Government’s contradictory advice: How frequently should you change your password? [UPDATED]

Cyber Essentials is a UK government scheme launched in 2014 and is designed to encourage organisations and businesses to adopt “best practice” in information security. It offers two levels of certification:

“Cyber Essentials” – where organisations self-assess their own systems and policies, and “Cyber Essentials Plus” – where an organisation’s systems and policies are independently tested and scrutinised.

The Cyber Essentials scheme covers 5 key areas of security control:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

The self-assessment questionnaire comprises 13 multiple choice questions covering these 5 key areas.

Now, whilst the “idea” behind Cyber Essentials is spot on (organisations really need to be thinking more seriously about cyber security), some of the information the scheme promotes is wrong, and actually contradicts advice given elsewhere by the UK government.

Let’s take a look at Question 9:

Cyber Essentials Question 9

It’s really a two-part question; the first part deals with the frequency of password changes, the second deals with password strength.

Firstly, strength – Yes, users should indeed be encouraged to use “strong” passwords (i.e. lengthy passwords containing upper & lower case letters, numbers, and symbols).

Secondly, frequency of password change – NO, users should NOT be encouraged to change their passwords frequently. Regular password changing harms rather than improves security!

However, answering “No” to Question 9 is seen as being an incorrect answer in the Cyber Essentials self-assessment scheme:

Cyber Essentials Self-Assessment Results

The advice given here in the UK Government’s Cyber Essentials scheme directly contradicts the UK Government’s official advice on passwords:

UK Government Official Password Advice

I have reached out to the UK Government for a response and an explanation as to their contradictory advice, and will update this blog post in due course, should a response be received.

In the meantime, remember that regularly changing your password for no other reason than that it’s been x days/weeks/months since you last changed it has absolutely no benefit from a security perspective!

UPDATE – 24 April

The UK government’s National Technical Authority for Information Assurance (CESG), which advises organisations on how to protect their information and information systems against today’s threats, last week published the following article on why you shouldn’t be regularly changing your passwords: Problems forcing regular password expiry

UPDATE – 26 April

Following on from the above updated guidance from the CESG, I’ve now had a response from the UK Government in relation to the contradictory advice presented in their “Cyber Essentials” scheme:

“Obviously the [CESG] password guidance is more recent than the Cyber Essentials requirements, hence the difference in advice. But we’re looking to resolve this … And just to confirm the Cyber Essentials advice is to change *administrator* passwords regularly”

Hopefully the Cyber Essentials scheme will quickly rectify their advice – there should be no arbitrary password changes regardless of whether a password belongs to a “user” or an “administrator” – neither should be changed unless there is a legitimate reason to do so. In fact, in many ways, it’s more important for “administrator” passwords NOT to be regularly and arbitrarily changed without good reason!

UPDATE – 27 April

CESG have just reached out and tweeted:
