The Australian Signals Directorate has released new standards for passwords used at federal government agencies.
The ASD said its new guidance is “based on the ability of systems to protect themselves against legitimate real-world attack scenarios while balancing both security and usability requirements”.
The agency recommends the use of two-factor authentication and notes the US National Institute of Standards and Technology (NIST) recommendation that accounts secured with 2FA use passwords of at least eight characters if chosen by the user, or six if randomly generated.
If 2FA isn’t possible, passwords should have at least 13 characters, the ASD recommends.
“A number of randomly chosen dictionary words would satisfy this requirement,” the new guidelines state.
“Alternatively, if a system owner prefers a shorter passphrase policy, at least 10 characters with complexity (i.e. involving at least three different character sets) could be used.”
“When using passphrases as the sole method of authentication, ASD encourages the use of longer passphrases without complexity as they are often much easier for users to remember yet provide the same, or greater, level of protection as shorter passphrases with complexity,” the document states.
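The thresholds quoted above (8 or 6 characters with 2FA, otherwise 13 characters without complexity or 10 with at least three character sets) are easy to state but easy to get subtly wrong in an enforcement rule. The following is an added Python example, not code from the ASD document or the article, that enforces those floors and also builds the "randomly chosen dictionary words" style of passphrase. The function names, the `(ok, reason)` return shape, the tiny word list, and the reading of "character sets" as lower-case, upper-case, digit and everything else are my assumptions.

```python
import secrets

# Minimum lengths as described in the article (assumed mapping to code).
MIN_WITH_2FA_USER_CHOSEN = 8
MIN_WITH_2FA_RANDOM = 6
MIN_SINGLE_FACTOR_PLAIN = 13          # no complexity requirement
MIN_SINGLE_FACTOR_COMPLEX = 10        # needs >= 3 character sets
MIN_CHARACTER_SETS = 3

# Constructed word list for demonstration only; a real deployment would use a
# large dictionary. Each word is at least four characters long.
SAMPLE_WORDS = [
    "harbour", "granite", "lantern", "meadow", "saffron", "thistle",
    "copper", "velvet", "quartz", "willow", "ember", "falcon",
]


def character_sets_used(password):
    """Classify each character into one of four sets (assumed interpretation
    of 'at least three different character sets'): lower, upper, digit,
    symbol. Whitespace counts as a symbol."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def meets_asd_length_policy(password, *, two_factor, randomly_generated=False):
    """Return (ok, reason) for the length/complexity floor described in the
    article. This checks only the floor; it is not a strength estimator and
    does not screen for breached or dictionary passwords."""
    n = len(password)
    if two_factor:
        minimum = MIN_WITH_2FA_RANDOM if randomly_generated else MIN_WITH_2FA_USER_CHOSEN
        if n >= minimum:
            return True, f"2FA account: {n} chars >= {minimum}"
        return False, f"2FA account: {n} chars < {minimum}"

    # Single-factor: long passphrase without complexity is preferred ...
    if n >= MIN_SINGLE_FACTOR_PLAIN:
        return True, f"single-factor: {n} chars >= {MIN_SINGLE_FACTOR_PLAIN}, no complexity needed"

    # ... otherwise the shorter-with-complexity alternative applies.
    sets = character_sets_used(password)
    if n >= MIN_SINGLE_FACTOR_COMPLEX and len(sets) >= MIN_CHARACTER_SETS:
        return True, f"single-factor: {n} chars with {len(sets)} character sets"
    return False, (f"single-factor: need {MIN_SINGLE_FACTOR_PLAIN}+ chars, or "
                   f"{MIN_SINGLE_FACTOR_COMPLEX}+ chars with {MIN_CHARACTER_SETS} sets "
                   f"(got {n} chars, {len(sets)} sets)")


def generate_word_passphrase(word_count=4, words=SAMPLE_WORDS, separator=" "):
    """Build a passphrase from randomly chosen dictionary words using the
    CSPRNG in `secrets`. With four words of 4+ characters and three
    separators the result is always at least 19 characters, comfortably
    above the 13-character single-factor floor."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for pw, tf, rnd in [("abcdefgh", True, False), ("x7Qp2z", True, True),
                        ("troubadorxy", False, False), ("Tr0ub4dor&3", False, False),
                        (generate_word_passphrase(), False, False)]:
        ok, why = meets_asd_length_policy(pw, two_factor=tf, randomly_generated=rnd)
        print(f"{pw!r:28} -> {'OK ' if ok else 'NO '} {why}")
```

The two single-factor branches are ordered so that a long passphrase is accepted before any complexity test runs, matching the guidance's preference for length over character-set mixing; the check is deliberately a floor, so it should sit alongside, not replace, other controls such as rate limiting and the 2FA the guidance recommends.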
“ASD also encourages system owners to consider whether passphrases need to expire or not for different account types.”
The new guidance is available online.
Earlier this year the agency released its new ‘Essential Eight’ strategies to mitigate cyber security incidents, building on its Top 4 mitigation strategies.
The eight strategies are application whitelisting, patching of applications, limiting Microsoft Office macros, user application hardening, the restriction of admin privileges, patching of operating systems, the use of multi-factor authentication, and daily backups.
The ASD’s Top 4 strategies have been mandatory for federal agencies since April 2013.
Parliament’s Joint Committee of Public Accounts and Audit last month recommended making the Essential Eight mandatory.
The strategies should be made mandatory by June 2018 for entities covered by the Public Governance, Performance and Accountability Act 2013, the committee recommended.