Pasting passwords gets seal of approval from National Cyber Security Centre

Written by Rebecca Hill on 16 January 2017 in News

The pros of pasting passwords far outweigh the cons and organisations should stop preventing people from doing so, the National Cyber Security Centre has said.


Pasting passwords is not a security hazard, National Cyber Security Centre says - Photo credit: Pixabay

According to the centre, allowing users to paste their passwords into forms improves security, while efforts to stop it actually reduce security.

“We believe [stopping password pasting] is one of those 'best practice' ideas that has a common sense instant appeal that may have made sense once. Considering the bigger picture today, it really doesn't make sense,” a blogpost on the centre’s website said.




It argued that the main benefit to allowing password pasting is that it allows people to use a password manager – software that chooses, stores and enters passwords automatically into online forms. This means users can have a number of different, more complex passwords for the sites they use without having to remember them.

However, if users can’t use a password manager they are more likely to fall back on other bad habits to make sure they can log into a range of websites, such as re-using the same password, choosing simple, easy to guess passwords, or writing them down somewhere that is easy to find.

The centre said that a number of the reasons used to justify stopping password pasting may be persuasive but are “misleading”.

For instance, it said, the idea that password pasting makes the password easier to forget is true in principle, but in practice people have to set up so many passwords they rarely get the chance to practise each one anyway.

Meanwhile, the post said that the idea password pasting allows brute force attacks – where malicious software repeatedly guesses until it breaks the password – is true to some extent, but added that there were other ways to make guesses that are “just as easy for attackers to set up and are much faster at guessing”.

Addressing a third concern that password pasting leaves a copy of the password on the computer’s clipboard that could be stolen by malware, the centre advised that – rather than stopping password pasting – teams should “inoculate” their computers so they don’t get the malware in the first place.

The centre’s statement follows one published at the end of 2016 that challenged the received wisdom of having automatic password expiry, saying that it was a “blunt instrument” that actually made accounts more vulnerable.

“Password expiry might initially look like a quick and easy way of helping to manage the risks. However, it rarely delivers the headline benefits it promises, and mostly just creates fresh vulnerabilities instead,” the centre said at the time.

Comments

Craig Pelton (not verified)

Submitted on 16 January, 2017 - 14:37
Could you post a link back to the original article? It's always a pain to go search for it. https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
