UK’s cyber-security chief ridicules public guidelines for internet passwords as impossible even for spies to follow

Every British citizen is effectively being asked to memorise a 600-digit number every month, Ciaran Martin warns 

Joe Watts
Political Editor
Tuesday 14 February 2017 09:33
The state has suffered 60 attacks per month in the first three months of the new National Cyber Security Centre’s operation

The UK’s cyber security chief has ridiculed public guidelines on internet passwords, claiming they require average Britons to memorise the equivalent of a 600-digit number every month.

The head of GCHQ’s new National Cyber Security Centre, Ciaran Martin, said even his best spooks would not be able to remember all the different passwords current guidelines require.

He called for new, simpler advice to help people manage security, as the Queen was due to formally open his new centre, with Chancellor Philip Hammond also present to outline the threat to the UK from both criminals targeting the public and state actors attacking the Government.

Mr Martin said that last year the Government blocked 300 million attempts from criminals emailing members of the public, pretending to be HM Revenue and Customs in a bid to commit fraud.

Asked about the burden of current personal security guidelines, which require people to have a multitude of different passwords and to regularly change them, he said: “We’ve got to make it easier for people to operate safely.”

Speaking to BBC Radio 4’s Today programme, he went on: “We did some work where we worked out what we are asking the average British citizen to do in their personal and professional life, if they follow all the guidance on changing their password and how their password should be configured.

“We worked out, what we were asking every British citizen to do was to memorise a new 600-digit number every month, my best technical people can’t do that. None of my best people can do that.

“So we shouldn’t be telling other people to do that.”

He said people could use “password managers” to help them deal with the problem, and potentially have a single strong password for the things that matter most, so that better protections are applied to a smaller number of things.

Mr Martin added: “What we need to do is help people make sensible, informed, evidence-based decisions about what protections are appropriate to them.”

He also explained that over the past two years there had been a significant increase in the threat in cyber-space from Russia against the West, focussed on critical infrastructure and on political and democratic systems, such as the allegations relating to the US and German elections.

While the same intense attacks had not yet taken place in the UK, he explained that the threat was real. The state had suffered 60 attacks per month in the first three months of the new National Cyber Security Centre’s operation.


In his speech today, Mr Hammond was set to call on businesses to play a greater role in helping protect the country from cyber-attacks.

The “Industry 100 initiative” will see 100 employees from the private sector invited to temporarily transfer their work to the NCSC.

Mr Hammond believes the move will allow the Government to “draw on the best and the brightest in industry to test and challenge the Government’s thinking”.
