GCHQ wants you to use simpler passwords

I read this weekend the somewhat ironic news that GCHQ – the eponymous home of snooping – is suggesting that we may wish to make our online passwords a bit easier.

Enter stage left: conspiracy theorists.

But does this advice make sense, or is it a thinly-veneered attempt to make electronic eavesdropping that bit easier?  Now I accept that a tendency for paranoia doesn’t mean people AREN’T talking about you behind your back; but I do agree that this is good advice from those whose business it is to circumnavigate encryption and security measures.

GCHQ have released a report entitled ‘Password Guidance’ in which they argue that “by simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage”.

It transpires that the demands of many applications and websites that you use capital letters, special characters, numbers; and their restrictions on using dates of birth, pets’ names, inside leg measurements, using the same letter twice, using anything credited as a valid word in Scrabble, the Roman alphabet and anything you stand a cat in hell’s chance of remembering…simply do not cause any frustrations for the hacker or make it any more secure!

At last we can free ourselves from the shackles of impossible to create and remember passwords – we can be liberated from memorising which of the 22 different passwords (according to the GCHQ report) we set for which account.  Or at least we can when developers and employers heed this advice.

GCHQ suggest we could use 4 random words strung together in a xxxx-xxxx-xxxx-xxxx format.  You will have to remember these random words of course.

An approach I adopted some years back was to define a song, poem or book that I could associate with the system I had to create a password for, and use characters based upon it. Let me give you an example:

You need to create a password for a government-run website portal, and associate this with the oft-berated public school boys who are charged with running our country.  Perhaps ‘Eton Rifles’ by The Jam springs to mind?

In this case, your password could become 3tonr1fl3s (noting the substitution of letters for numbers – or you may decide to substitute the ‘1’ for a ‘!’)

Alternatively, you could choose the first line of the song, or a memorable line from it.  The opening line to this ‘track’ (sorry – I’m not down with the kids enough to know whether that’s the up-to-date vernacular) is ‘Sup up your beer and collect your fags’.  In this instance your password could become ‘suyb@cyf’ (again substituting the ‘a’ for ‘@’).

Should an application insist on numbers (despite this advice from GCHQ) then you can simply add 4 or 6 memorable numbers at the end or the beginning.  This won’t make the password any more/less secure – but it may just stop you throwing an expensive computer out of the window.

What tips do you have for creating and memorising passwords?  Why not let everyone else know in the comments section below (without granting access to your bank account of course).

Get the latest Furious Blogs delivered straight to your inbox for free once a month – simply enter your email address here.


I read the article about passwords on the Lincolnite site but without a Facebook or Twitter account I was unable to comment.

I would like to point out that using common phrases doesn’t ensure a password is good. A lot of password cracking dictionaries contain common phrases and hackers are well aware of the suggestion of changing a to @ etc http://lifehacker.com/5893510/using-common-phrases-makes-your-passphrase-password-useless-heres-how-to-pick-a-better-phrase. It’s also worth noting that the “correcthorsebatterystaple” used as an example of a good password was found in the recent Ashley Madison data leak.

While experts are divided on the the use of Password Managers it would probably be worth suggesting their use.


the furious engineer Author September 16, 2015

Hi ‘Typical’ (sorry I don’t know your name). That’s great advice – thank you for taking the time to comment. It’s an interesting point that you raise – as other comments on The Lincolnite’s site suggest that ‘algorithms’ used to randomly assign the correct code (by quickly running through all possible permutations (forgive the vague terminology!)) would struggle at say a 16-digit password and ‘move on’. What is your take on the ‘perfect password’?



The idea that passwords are guessed by the computer trying all possible combinations of a 16 character password is not how password crackers work. This article talks through the process of cracking passwords http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/.

There are things I would avoid and the more random you can make it the better (bearing in mind it may need to be memorable) the usual techniques of replacing a with @ are almost useless now (see how easy it is to set up rules for these things in the article above). As the previous link I posted (and it was also linked to on Lincolnite) suggests use a random selection of words and throw in some extra randomness if possible.

It’s good to see this discussed as often as possible as I suspect (well it’s probably proven now given the examples of password cracked from the Ashley Madison leak) most people don’t care. Probably more boring than net neutrality 🙂


the furious engineer Author September 16, 2015

Now THAT makes more sense of the GCHQ report – thanks, Ray. I even understood some of it 😉

…and not boring at all. A common theme seems to be that the ‘soft fleshy interface’ may be the common denominator too!


Leave a Reply

Your email address will not be published. Required fields are marked *