Download ASD Protect Notice Passphrase requirements (PDF), October 2017
First published October 2017
- The Australian Signals Directorate (ASD) strongly encourages that access to systems and online services be controlled via robust user identification and authentication practices, ideally using multi-factor authentication.
- While user authentication guidance may vary from organisation to organisation (see UK NCSC Password Guidance, US IAD Secure Host Baseline, Microsoft Security Baseline for Win10 and US NIST SP 800-63 Digital Identity Guidelines), ASD’s guidance is based on the ability of systems to protect themselves against legitimate real-world attack scenarios while balancing both security and usability requirements.
- ASD acknowledges NIST’s requirements in SP 800-63 revision 3 (table 6-1) and SP 800-63B (table 4-1) requiring multi-factor authentication as a minimum for systems and online services that process personally identifiable, sensitive or classified information (i.e. Assurance Level 2 or 3). In implementing multi-factor authentication involving memorised secrets (i.e. passwords), NIST also recommends a minimum of eight characters for the password component if user-chosen or six characters if randomly-generated.
- ASD acknowledges that implementing multi-factor authentication is not always possible. As such, should a system owner choose to implement passphrases as the sole method of authentication, ASD recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement. Alternatively, if a system owner prefers a shorter passphrase policy, at least 10 characters with complexity (i.e. involving at least three different character sets) could be used. Note, for some systems such as smartphones, alternative requirements for user authentication may be outlined within a specific hardening guide published by ASD for that particular device.
- When using passphrases as the sole method of authentication, ASD encourages the use of longer passphrases without complexity as they are often much easier for users to remember yet provide the same, or greater, level of protection as shorter passphrases with complexity. ASD also encourages system owners to consider whether passphrases need to expire or not for different account types.
- Some adversaries may publicly announce they have compromised a system, and post compromised user account details online (see TechCrunch 117 million LinkedIn emails and passwords from a 2012 hack just got posted online and The Guardian Spambot leaks 700m email addresses). Many other adversaries may choose to stay silent and continue the exploitation of a system rather than have a system owner force a system-wide passphrase reset. In these cases it may be months or even years before the users are made aware that their accounts have been compromised (see The Register 3bn Yahoo accounts hacked and The Guardian Deloitte hit by cyber-attack). In Mandiant’s M-Trends 2017 Report it was noted that the average time between system compromise and detection is still 99 days. As such, system owners should monitor for unusual login activity indicating potentially stolen user credentials being used on their systems.
- Finally, as the computational power available to conduct offline brute-force attacks continues to increase, in most cases so will the requirement for longer passphrases when used as the sole method of authentication. As this is not sustainable long term, ASD strongly encourages the adoption of multi-factor authentication by organisations especially for risky activities such as remote access, conducting privileged activities and accessing important (sensitive or high-availability) data repositories. This is one of ASD’s Essential Eight mitigation strategies.
- This document complements the advice in the Australian Government Information Security Manual.
- ASD's Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.
- Further information on the use of multi-factor authentication can be found in ASD’s Multi-factor Authentication publication.
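As an added illustration (not part of the ASD notice), the following Python check implements the two sole-authentication passphrase options described above: at least 13 alphabetic characters, or at least 10 characters drawn from at least three character sets. The four character classes used for the complexity test (lower, upper, digit, symbol) are an assumption, since the notice does not define them.

```python
import string

# Assumed character classes for the "complexity" test; the notice only says
# "at least three different character sets" without listing them.
CHARACTER_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}
ALPHABETIC = CHARACTER_SETS["lower"] | CHARACTER_SETS["upper"]

# Thresholds taken from the ASD notice.
MIN_ALPHABETIC_LENGTH = 13
MIN_COMPLEX_LENGTH = 10
MIN_CHARACTER_SETS = 3


def character_sets_used(passphrase: str) -> set:
    """Return the names of the character classes present in the passphrase."""
    return {name for name, chars in CHARACTER_SETS.items()
            if any(c in chars for c in passphrase)}


def meets_asd_passphrase_policy(passphrase: str) -> tuple:
    """Check a passphrase against the ASD sole-authentication options.

    Returns (accepted, reason). Option 1 counts only alphabetic characters,
    so spaces between dictionary words do not contribute to the 13.
    """
    alphabetic = sum(1 for c in passphrase if c in ALPHABETIC)
    if alphabetic >= MIN_ALPHABETIC_LENGTH:
        return True, f"{alphabetic} alphabetic characters (>= {MIN_ALPHABETIC_LENGTH})"

    sets_used = character_sets_used(passphrase)
    if len(passphrase) >= MIN_COMPLEX_LENGTH and len(sets_used) >= MIN_CHARACTER_SETS:
        return True, f"{len(passphrase)} characters from {len(sets_used)} character sets"

    return False, (f"needs >= {MIN_ALPHABETIC_LENGTH} alphabetic characters, or "
                   f">= {MIN_COMPLEX_LENGTH} characters from >= {MIN_CHARACTER_SETS} sets "
                   f"(got {alphabetic} alphabetic, {len(passphrase)} total, "
                   f"{len(sets_used)} sets)")


if __name__ == "__main__":
    # Constructed sample passphrases, not values from the notice.
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3", "password123"]:
        print(repr(candidate), meets_asd_passphrase_policy(candidate))
```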
Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.