"This proliferation of password use, and increasingly complex password requirements, places an unrealistic demand on most users,"
GCHQ writes in the document, published in conjunction with the UK Center for Protection of National Infrastructure [CESG], a government agency which advises the UK's public sector organizations.
"Inevitably, users will devise their own coping mechanisms to cope with 'password overload.' This includes writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies."
In an about-face from its previous guidance that encouraged system owners to add complexity in order to make passwords 'stronger,' the agency writes that "the abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to 'stay secure.'"
"An important way to minimize the password burden is to only implement passwords when they are really needed," states the report, which goes on to offer a series of recommendations for the management of internet safety.
Rather than enforcing requirements for users to come up with complex character sets, it is more prudent to use technical controls such as account lockouts or throttling to defend against automated guessing attacks, says GCHQ.
"Account lockout is simpler to implement than throttling, but can have a detrimental impact on the user experience," the report cautions, and advises giving the user ten attempts to type the right password before the account is locked, which "gives a good balance between security and usability."
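The two controls named above, lockout after ten attempts versus throttling, as an added illustration that is not code from the GCHQ/CESG document: a small Python guard that tracks consecutive failures per account and either locks it after the tenth or delays the next evaluated attempt exponentially, plus a simulation of a burst of automated guesses followed by the legitimate user. The account name, the delay schedule and the one-hour cap are assumptions.

```python
import time
from collections import Counter

LOCKOUT_THRESHOLD = 10   # attempts before lockout, the figure the guidance suggests


class LoginGuard:
    """Tracks consecutive failed logins per account and applies one of the two
    defences against automated guessing: a hard lockout after `threshold`
    failures, or throttling with an exponential wait before the next attempt is
    evaluated. Constructed example; verifying the password is the caller's job."""

    def __init__(self, mode="lockout", threshold=LOCKOUT_THRESHOLD):
        assert mode in ("lockout", "throttle")
        self.mode, self.threshold = mode, threshold
        self.failures = {}   # account -> consecutive failed attempts
        self.locked = set()  # accounts that now need an administrator reset
        self.retry_at = {}   # account -> earliest time another attempt is evaluated

    def attempt(self, account, password_ok, now=None):
        """Record one attempt; returns 'granted', 'denied', 'throttled' or 'locked'."""
        now = time.monotonic() if now is None else now
        if account in self.locked:
            return "locked"
        if now < self.retry_at.get(account, 0.0):
            return "throttled"               # not evaluated, so each guess costs time
        if password_ok:
            self.failures.pop(account, None)
            self.retry_at.pop(account, None)
            return "granted"
        n = self.failures[account] = self.failures.get(account, 0) + 1
        if self.mode == "lockout":
            if n >= self.threshold:
                self.locked.add(account)
                return "locked"
            return "denied"
        delay = min(2 ** (n - 1), 3600)      # 1 s, 2 s, 4 s ... capped at an hour (assumed)
        self.retry_at[account] = now + delay
        return "denied"


def guessing_outcome(mode, wrong_guesses, user_login_at=0.0):
    """Fire `wrong_guesses` bad passwords at t=0 against one account, then let the
    real user log in at `user_login_at`. Returns (Counter of attacker results, user result)."""
    guard = LoginGuard(mode)
    results = Counter(guard.attempt("alice", False, now=0.0) for _ in range(wrong_guesses))
    return results, guard.attempt("alice", True, now=user_login_at)


if __name__ == "__main__":
    for mode in ("lockout", "throttle"):
        print(mode, guessing_outcome(mode, 10), guessing_outcome(mode, 10, user_login_at=2.0))
```

In lockout mode the legitimate user is shut out once the tenth guess lands, which is the usability cost the report warns about; in throttle mode the same burst costs the guesser waiting time and the user gets in once the back-off window has passed.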
GCHQ and CESG also recommended that organizations provide their employees with appropriate facilities to store recorded passwords, and cited a recent survey which reported that UK citizens each had an average of 22 online passwords, far more than most people can easily remember.
Despite that statistic, GCHQ has concentrated its efforts on improving security in the UK's national infrastructure organizations rather than among the general public. In June it was reported that GCHQ and the US spy agency NSA had reverse-engineered security and anti-virus software in order to obtain information about vulnerabilities in that software, and intelligence about its users.