Download ASD Protect: Passphrase Requirements (PDF), November 2017
First published October 2017; updated November 2017
- The Australian Cyber Security Centre (ACSC) strongly encourages that access to systems and online services are controlled via robust user identification and authentication practices, ideally using multi-factor authentication.
- While user authentication guidance may vary from organisation to organisation (see UK NCSC: Password Guidance, US IAD: Secure Host Baseline, Microsoft: Security Baseline for Windows 10 and US NIST: SP 800-63 Digital Identity Guidelines), the ACSC’s guidance is based on the ability of systems to protect themselves against legitimate real-world attack scenarios while balancing both security and usability requirements.
- The ACSC acknowledges NIST’s requirements in SP 800-63 revision 3 (table 6-1) and SP 800-63B (table 4-1) requiring multi-factor authentication as a minimum for systems and online services that process personally identifiable, sensitive or classified information (i.e. Assurance Level 2 or 3). In implementing multi-factor authentication involving memorised secrets (i.e. passwords), NIST also recommends a minimum of eight characters for the password component if user-chosen, or six characters if randomly chosen.
- The ACSC acknowledges that implementing multi-factor authentication is not always possible. As such, should a system owner choose to implement passphrases as the sole method of authentication, the ACSC recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement. Alternatively, if a system owner prefers a shorter passphrase policy, at least 10 characters with complexity (i.e. involving at least three different character sets) could be used. Note that for some systems, such as smartphones, alternative requirements for user authentication may be outlined within a specific hardening guide published by the ACSC for that particular device.
- When using passphrases as the sole method of authentication, the ACSC encourages the use of longer passphrases without complexity as they are often much easier for users to remember yet provide the same, or greater, level of protection as shorter passphrases with complexity. The ACSC also encourages system owners to consider whether passphrases need to expire or not for different account types.
- Some adversaries may publicly announce they have compromised a system, and post compromised user account details online (TechCrunch: 117 million LinkedIn emails and passwords from a 2012 hack just got posted online and The Guardian: Spambot leaks 700m email addresses in massive data breach). Many other adversaries may choose to stay silent and continue the exploitation of a system rather than have a system owner force a system-wide passphrase reset. In these cases it may be months or even years before the users are made aware that their accounts have been compromised (The Register: 3bn Yahoo accounts hacked and The Guardian: Deloitte hit by cyber-attack). In Mandiant’s M-Trends 2017 Report it was noted that the average time between system compromise and detection is still 99 days. As such, system owners should monitor for unusual login activity indicating that potentially stolen user credentials are being used on their systems.
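To illustrate the monitoring this point calls for, the following is an added Python example and is not part of the ACSC publication. It runs three simple rules over a few authentication records: many distinct users failing from one source address within a short window (credential stuffing or password spraying), a successful login from a source that was just spraying, and a user logging in from a country not previously seen for them or from two different countries within an hour. The record format, the thresholds and the windows are assumptions chosen for the illustration, and the sample events are constructed rather than real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data).
# Format assumed for the illustration: timestamp user source_ip country outcome
SAMPLE_EVENTS = """\
2017-11-06T08:01:10Z alice 203.0.113.10 AU success
2017-11-06T08:03:42Z bob 203.0.113.11 AU success
2017-11-06T08:05:00Z carol 203.0.113.12 AU success
2017-11-06T09:10:05Z alice 203.0.113.10 AU success
2017-11-06T09:12:30Z alice 198.51.100.7 RU success
2017-11-06T10:00:01Z dave 192.0.2.55 US failure
2017-11-06T10:00:02Z erin 192.0.2.55 US failure
2017-11-06T10:00:03Z frank 192.0.2.55 US failure
2017-11-06T10:00:04Z grace 192.0.2.55 US failure
2017-11-06T10:00:05Z heidi 192.0.2.55 US failure
2017-11-06T10:00:06Z ivan 192.0.2.55 US failure
2017-11-06T10:00:07Z bob 192.0.2.55 US success
"""

# Tuning values are assumptions; real deployments set them from their own baselines.
SPRAY_WINDOW = timedelta(minutes=10)   # window for counting failures per source IP
SPRAY_USER_THRESHOLD = 5               # distinct users failing from one IP => spray
TRAVEL_WINDOW = timedelta(hours=1)     # two countries within this window => suspicious


def parse_events(text):
    """Parse 'timestamp user ip country outcome' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_unusual_logins(events):
    """Return a list of (rule, user, detail) alerts raised over the event stream."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries with an earlier successful login
    last_success = {}                   # user -> (time, country) of the most recent success
    failures_by_ip = defaultdict(list)  # ip -> [(time, user)] failed attempts in the window
    spraying_ips = set()

    for e in events:
        user, ip, t, country = e["user"], e["ip"], e["time"], e["country"]

        if e["outcome"] == "failure":
            # Keep only failures from this source inside the spray window.
            window = [(ft, fu) for ft, fu in failures_by_ip[ip] if t - ft <= SPRAY_WINDOW]
            window.append((t, user))
            failures_by_ip[ip] = window
            distinct_users = {fu for _, fu in window}
            if len(distinct_users) >= SPRAY_USER_THRESHOLD and ip not in spraying_ips:
                spraying_ips.add(ip)
                alerts.append(("password_spray", "*",
                               f"{ip} failed against {len(distinct_users)} users within {SPRAY_WINDOW}"))
            continue

        # Successful login: a success from a source that was spraying is the key signal.
        if ip in spraying_ips:
            alerts.append(("success_after_spray", user, f"login from spraying source {ip}"))
        # First success from a country not seen before for this user (after a baseline exists).
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append(("new_country", user, f"first login from {country} via {ip}"))
        # Two different countries for one user within TRAVEL_WINDOW.
        if user in last_success:
            prev_t, prev_country = last_success[user]
            if prev_country != country and t - prev_t <= TRAVEL_WINDOW:
                alerts.append(("impossible_travel", user,
                               f"{prev_country} then {country} within {t - prev_t}"))
        seen_countries[user].add(country)
        last_success[user] = (t, country)
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_unusual_logins(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:20} {user:8} {detail}")
```

Each rule keeps state only for the period its window needs, so the same logic runs over a live stream. The first login for a user establishes a baseline rather than raising a new-country alert, which is why the earliest records in the sample produce nothing.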
- Finally, as the computational power available to conduct offline brute-force attacks continues to increase, in most cases so will the requirement for longer passphrases when used as the sole method of authentication. As this is not sustainable long term, the ACSC strongly encourages the adoption of multi-factor authentication by organisations especially for risky activities such as remote access, conducting privileged activities and accessing important (sensitive or high-availability) data repositories. This is one of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.
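The following Python example is added here and is not part of the ACSC publication. It serves the two passphrase options set out above (at least 13 alphabetic characters, or at least 10 characters using at least three character sets), the comparison of long simple passphrases with short complex ones, and this last point about guessing capacity: it checks a passphrase against both options, compares the size of the search space for several uniformly random passphrase policies, and shows how the length needed to outlast a given offline guessing rate grows as that rate rises. The split into four character classes, the decision to ignore spaces between words when counting alphabetic characters, the guessing rates and the ten-year horizon are assumptions for the illustration, not ACSC figures.

```python
import math
import string

# Assumed character classes for the "complexity" option; the ACSC text says only
# "at least three different character sets", so this particular split is an assumption.
CHAR_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def character_sets_used(passphrase):
    """Names of the character classes that occur in the passphrase."""
    return {name for name, chars in CHAR_SETS.items() if any(c in chars for c in passphrase)}


def meets_acsc_policy(passphrase):
    """Check a passphrase against the two ACSC options for sole-factor authentication.

    Option A: at least 13 alphabetic characters (spaces between words are not counted,
    so a run of dictionary words qualifies; this reading is an assumption).
    Option B: at least 10 characters drawn from at least three character sets.
    Returns (accepted, reason).
    """
    alphabetic = sum(1 for c in passphrase if c.isalpha())
    if alphabetic >= 13:
        return True, f"option A: {alphabetic} alphabetic characters"
    sets_used = character_sets_used(passphrase)
    if len(passphrase) >= 10 and len(sets_used) >= 3:
        return True, f"option B: {len(passphrase)} characters using {sorted(sets_used)}"
    return False, (f"rejected: {alphabetic} alphabetic characters (<13) and "
                   f"{len(passphrase)} characters using {len(sets_used)} set(s)")


def keyspace_bits(alphabet_size, length):
    """log2 of the number of strings of this length over the alphabet: the work an
    exhaustive offline search faces when the passphrase is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def compare_policies():
    """Search-space size, in bits, for several uniformly random passphrase policies."""
    return {
        "13 lowercase letters": keyspace_bits(26, 13),
        "13 mixed-case letters": keyspace_bits(52, 13),
        "10 chars, letters and digits": keyspace_bits(62, 10),
        "10 chars, all printable ASCII": keyspace_bits(95, 10),
        "4 random words, 7776-word list": keyspace_bits(7776, 4),
        "5 random words, 7776-word list": keyspace_bits(7776, 5),
    }


def min_length_for(alphabet_size, guesses_per_second, years):
    """Smallest length whose keyspace exceeds the guesses an attacker could make in 'years'."""
    budget = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while alphabet_size ** length <= budget:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    for candidate in ["kangaroo wombat echidna", "Wy7#mqLp2!", "koala2017", "P@ssw0rd"]:
        print(f"{candidate!r:28} -> {meets_acsc_policy(candidate)}")
    for policy, bits in compare_policies().items():
        print(f"{policy:32} {bits:5.1f} bits")
    # Assumed guessing rates: 1e9 and 1e11 guesses per second over a ten-year horizon.
    for rate in (1e9, 1e11):
        print(f"lowercase length to outlast {rate:.0e} guesses/s for 10 years: "
              f"{min_length_for(26, rate, 10)}")
```

Under the uniform random model, 13 random lowercase letters (about 61.1 bits) exceed 10 random characters drawn from letters and digits (about 59.5 bits), and 13 random mixed-case letters (about 74.1 bits) exceed 10 random printable ASCII characters (about 65.7 bits), which is the sense in which a longer passphrase without complexity gives equal or greater protection. The word-based figures show the caveat a practitioner should keep in mind: five random words from a 7776-word list (about 64.6 bits) exceed 13 random letters, but four such words (about 51.7 bits) do not, so the number of words has to be chosen with the target in view, and user-chosen passphrases fall below all of these bounds. The min_length_for figures show why the required length creeps upwards as guessing hardware improves: at the assumed rates, a hundredfold speed-up adds one letter to the length needed for the same ten-year margin.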
- The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
- The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
- Further information on the use of multi-factor authentication can be found in the Multi-factor Authentication publication.
- Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).