Password Standard
Version 1.0 - June 2006
State Services Commission
ISBN 0–478–24465–7
Crown Copyright ©
0 Foreword
The Networked State Services Development Goal (State Services Commission 2005a)
is that, by June 2010, the operation of government will have been transformed through
the use of the Internet. The challenge will be to transform government through enabling
technology, so that individuals and businesses have a better and more consistent experience
in their dealings with government, agencies work more closely with their customers and
with each other, and the cost of delivering services, both online and through other channels,
is reduced. This will require agencies to move beyond one-way provision of information
to two-way transactions.
Moving to two-way transactions requires parties to be confident of the identity of those they
are transacting with over the Internet. This is ‘authentication’.
The Government has recognised the importance and significance of authentication to the
e-government programme. In 2004 the State Services Commission was directed to undertake
a programme of work to develop all-of-government shared services for online authentication.
Integral to this programme of work was the development of a suite of authentication standards
to be incorporated into the New Zealand E-government Interoperability Framework (NZ
e-GIF). These standards give effect to the planning advice from the State Services Commission’s
2004 Authentication for e-government: Best Practice Framework for Authentication. They
outline current accepted good practice for the design (or re-design) of the authentication
component of online services that require confidence in the identity of transacting parties.
This Password Standard defines the password requirements for online services in the Low
Risk Category. Further information for the other service risk categories can be found in
the Guide to Authentication Standards for Online Services. A service within the Low Risk
Category requires one-factor authentication in the form of a password. The Authentication
Key Strengths Standard must be read in conjunction with this Standard, as it defines additional
requirements for services in the Low Risk Category not stated in this Standard.
Contents
0   Foreword ............................................................ 3
1   Introduction ........................................................ 7
2   Scope ............................................................... 8
2.1 Other online service risks .......................................... 8
3   Background .......................................................... 9
3.1 Authentication standards ............................................ 9
3.2 All-of-government authentication services .......................... 10
4   Application of Standard ............................................ 12
4.1 Audience ........................................................... 12
4.2 NZ e-GIF status .................................................... 12
4.3 Accessing advice on this Standard .................................. 12
4.4 Interpretation ..................................................... 12
4.5 Document structure ................................................. 13
4.6 Terms and definitions .............................................. 13
5   Password Vulnerabilities and Attacks ............................... 16
5.1 Password attacks ................................................... 16
5.2 Other attacks ...................................................... 16
6   Password Minimum Requirements ...................................... 17
6.1 Association of passwords ........................................... 17
6.2 Using higher-level authentication keys ............................. 17
6.3 Customer advice and responsibilities ............................... 17
6.4 Password construction .............................................. 17
6.5 Password management ................................................ 18
6.6 Session logout ..................................................... 19
6.7 Access management .................................................. 19
Working group representation ........................................... 20
Acknowledgement ........................................................ 20
Copyright .............................................................. 20
Referenced documents ................................................... 20
Latest revisions ....................................................... 22
Review of standards .................................................... 22
Appendix A – Password advice for online service customers .............. 23
Appendix B – Enrolment and reset password processes .................... 26
Table 1 – Authentication standards and documents ........................ 9
Figure 1 – Outline of interactions with all-of-government authentication services ... 11
1 Introduction
This Password Standard is one of the New Zealand E-government Interoperability Framework
(NZ e-GIF) authentication standards. These standards outline current accepted good practice
for the design (or re-design) of the authentication component for online services that require
confidence in the identity of parties transacting with government agencies.
The authentication process consists of establishing and then confirming the established
identity over time. Establishing identity requires verified evidence of a person’s identity,
so that he or she can be set up as an online service customer. The ongoing confirmation
of identity requires the use of an ‘authentication key’, such as a password, to authenticate
identity across the Internet.
The suite of authentication standards and documents comprises:
• Guide to Authentication Standards for Online Services
• Evidence of Identity Standard
• Authentication Key Strengths Standard
• Data Formats for Identity Records Standard
• Password Standard
• Other authentication key standards (to be developed)
• New Zealand Security Assertion Messaging Standard (in preparation)
• Guidance on Multi-factor Authentication
• Security Assertion Messaging Framework.
Further information on multi-factor authentication is contained in the document Guidance on
Multi-factor Authentication. The Guidance on Multi-factor Authentication may be superseded
once other authentication key standards are developed. The Security Assertion Messaging
Framework provides a general introduction to security assertion messaging. The Guide to
Authentication Standards for Online Services should be read before reading this Standard, as
it provides a high-level overview of the authentication standards.
This Standard gives the specific requirements for password authentication keys to be used
for online services in the Low Risk Category (the service risk categories are outlined in the
Evidence of Identity Standard). These requirements are given in section 6. Section 5 describes
relevant concepts, while the terms used in this Standard are defined in 4.6.
The Authentication Key Strengths Standard, to which this Standard is related, details more
general protections for online services. Therefore, agencies need to use the Authentication
Keys Strengths Standard in conjunction with this Standard as both standards contain
requirements for services within the Low Risk Category.
2 Scope
The password requirements of this Standard have been developed for government services
within the Low Risk Category that are delivered to agency customers through the interactive
online channel. The Authentication Key Strengths Standard considers broader threats to
authentication than those covered in this Standard. The requirements of the Authentication
Key Strengths Standard must also be followed.
The Government Logon Service (see 3.2) is a centralised authentication service and not
a service agency. Consequently, the requirements 6.1 and 6.2 of this Standard do not apply to
the Government Logon Service.
The authentication standards are to be used for services that deliver information classified as
UNCLASSIFIED, IN CONFIDENCE, or SENSITIVE only, as specified in the Government’s
Guidelines for Protection of Official Information.
Authentication is only one aspect of an agency’s security posture. Agencies are reminded
that they are required to comply with the Government’s security policies and instructions as
defined in:
• Security in the Government Sector (SIGS)
• New Zealand Government Information Technology Security Manual – NZSIT 400
(NZSIT 400).
2.1 Other online service risks
Agencies MUST undertake a risk assessment for those risks associated with the delivery of
their services through an interactive online channel. Agencies SHOULD follow the Australian
and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication
systems. Further advice on the application of AS/NZS 4360:2004 is set out in SAA/SNZ
HB 436:2004 and SAA/SNZ HB 231:2004. Agencies also need to ensure there is adequate
business continuity planning for their online services.
Many authentication risks may be addressed by ensuring that the authentication system is
properly protected. The NZ e-GIF authentication standards do not give general advice for
securing authentication systems. Agencies should comply with SIGS, NZSIT 400, AS/NZS
ISO/IEC 17799:2006 and AS/ANZ ISO/IEC 27001:2006.
Risks also arise from the computing environments of customers. In general, these risks are
beyond the scope of the NZ e-GIF authentication standards and any recommendations are
limited in their enforcement. Agencies need to consider these risks when they perform the risk
assessment for an online service. Agencies should inform potential online service customers
of the related risks and provide access to material concerning customer responsibilities and
security education (see Appendix A for further advice).
Additionally, the NZ e-GIF authentication standards only consider the identity-related risk
of a service. Other risks to government services should also be analysed and addressed as
appropriate.
3 Background
3.1 Authentication standards
The NZ e-GIF authentication standards provide detailed guidance for agencies to follow
when designing their authentication solutions. In particular, the standards enable agencies
to determine the level of identity-related risk for each of their services and to identify
appropriate evidence of identity requirements (refer to the Evidence of Identity Standard)
and authentication key technologies.
Most online services delivered by government agencies are either anonymous (such as when
someone downloads a brochure from an agency’s website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of
identity-related risk are typically authenticated using minimal levels of evidence of identity
requirements and a username and password for ongoing confirmation of identity.
NOTE – Change of address is a generic example. For some services, change of address may have a high
level of identity-related risk.
To meet the Networked State Services Development Goals, agencies will need to provide online
services that have higher levels of identity-related risk. This will require the implementation
of authentication solutions with more rigorous evidence of identity requirements and higher
strength authentication keys.
Table 1 describes the purpose of each of the authentication standards and documents.
Table 1 – Authentication standards and documents

Guide to Authentication Standards for Online Services – Provides a high-level
overview of the NZ e-GIF authentication standards.

Evidence of Identity Standard – Specifies a business process for establishing the
identity of government agency customers. Applies to offline as well as online services.

Authentication Key Strengths Standard – Specifies the authentication keys to be used
for online authentication and protections necessary for the authentication exchange.

Data Formats for Identity Records Standard – Specifies data formats for a set of
customer information data elements that government agencies may use in customer
identity records.

Password Standard – Specifies requirements for passwords used for online
authentication.

Other authentication key standards (to be developed)* – Specify the requirements for
two-factor authentication keys used for online authentication.

New Zealand Security Assertion Messaging Standard (in preparation) – Specifies
messaging standards for communicating authentication assertions.

Guidance on Multi-factor Authentication – Provides an overview of multi-factor
authentication. May be superseded once other authentication key standards are
developed. Not a NZ e-GIF standard.

Security Assertion Messaging Framework – Provides a general introduction to security
assertion messaging. Not a NZ e-GIF standard.
*Other authentication key standards are designated for future work and, until they are
published, agencies should consult the Government Communications Security Bureau
(GCSB) and refer to SIGS and NZSIT 400.
3.2 All-of-government authentication services
As well as supporting the implementation of individual agency authentication solutions, the
authentication standards will support the all-of-government authentication services – the
Government Logon Service (GLS) and the Identity Verification Service (IVS). These shared
services will allow agencies to devolve the management of the authentication component of
online services.
The GLS is a website that will allow people to access government online services more
conveniently by using a single authentication key, such as a password. The IVS will allow
people to establish their identity once so that they do not have to establish their identity
separately with each agency they transact with. The GLS is currently being built and the IVS
is in the design stage. See 4.6 for definitions of GLS and IVS.
Agencies will interact with these shared services as follows:
• Registration – evidence of identity is established (IVS) and an authentication key
is associated with the customer (GLS)
• First-time service – agencies verify identity for the customer’s first access (GLS and
IVS) and link identity data and authentication key details. Agencies may also link a range
of service-specific data
• Repeat service – agencies confirm the identity of customers for ongoing access (GLS).
These interactions are shown in Figure 1 (State Services Commission 2005b).
Figure 1 – Outline of interactions with all-of-government authentication services
[Figure: three rows of interactions – Registration (establish identity: IVS*; issue key: GLS†), First-time service (IVS, GLS) and Repeat service (GLS). *Identity Verification Service; †Government Logon Service.]
Where agencies adopt one or more of these shared services, they must adopt the standards
relating to the functions of those services. In some cases, adopting the service automatically
adopts and implements the relevant standards. For example, if an agency adopts the GLS, all
passwords provided by this service will comply with this Password Standard. The agency
would, however, still need to assess its requirements for evidence of identity processes and
appropriate key strengths, using the relevant authentication standards.
Agencies not using these shared services will have to comply with all of the authentication
standards.
4 Application of Standard
4.1 Audience
The intended audiences for this Standard are those people responsible for the development,
management and security of agency information and IT systems, including:
• technical analysts
• architects and developers
• information and IT managers and administrators
• IT security managers and administrators
• outsourcers and other parties providing IT or security services to agencies.
Readers of this Standard are assumed to be familiar with information security concepts
and practices.
4.2 NZ e-GIF status
Upon approval by the e-GIF Management Committee, this Standard will enter the NZ e-GIF
as Under development (U), and graduate to Recommended (R) after a successful, documented
implementation. This Standard is expected to graduate to Adopted (A) once there is a track
record of proven successful implementation.
For guidance on agency responsibilities for compliance with NZ e-GIF standards at each
status level, refer to the latest version of the NZ e-GIF (www.e.govt.nz).
4.3 Accessing advice on this Standard
Advice on this Standard can be obtained from:
e-GIF Operations
State Services Commission
Postal: PO Box 329, WELLINGTON
Phone: 04 495 6600
Fax: 04 495 6669
Email: [email protected]
Web: www.e.govt.nz
The State Services Commission is the agency responsible for this Standard.
4.4 Interpretation
The following words, defined in Key Words for Use in RFCs to Indicate Requirement Levels
(RFC 2119), are used in this Standard:
• ‘MUST’ – identifies a mandatory requirement for compliance with this Standard.
• ‘SHOULD’ – refers to practices that are advised or recommended.
Agencies deviating from a ‘SHOULD’ MUST document:
• the reason for the deviation
• an assessment of the residual risk resulting from the deviation
• a date by which the decision will be reviewed
• management’s approval of the above.
When cross-referencing sections of this Standard, only the number may be quoted.
The full titles of referenced documents cited in this Standard are given in the list of referenced
documents at the end.
4.5 Document structure
Section 2 covers the scope of this Standard and also outlines further sources for those elements
not covered by this Standard. Section 3 provides details on the NZ e-GIF authentication
standards and also discusses the all-of-government authentication shared services. Section 5
briefly discusses vulnerabilities, threats and attacks. The requirements of this Standard are
given in section 6.
4.6 Terms and definitions
For the purposes of this Standard, the following definitions apply:
General
Authentication
Process of establishing, to the required level of confidence, the
identity of one or more parties to a transaction. Consists of identity
management (establishing who you are) and logon management
(confirming who you are). In particular, for this Standard authentication
is used in the commonly understood sense of a customer logging onto
a service with their username and authentication key. This is consistent
with the logon management aspect of the general authentication
definition above.
Authentication key
Method used by an individual to authenticate his or her identity over
the Internet. Examples of authentication keys include passwords,
one-time passwords, software tokens, hardware tokens and biometrics.
Authentication keys are also referred to as keys.
Government Logon Service (GLS)
An all-of-government shared service that provides ongoing
re-confirmation of online identity to participating agencies to the
desired level of confidence.
Identity-related risk
Any risk for a particular service that results from an individual’s
identity being incorrectly attributed. Also refer to the Evidence of
Identity Standard for further details.
Initial password
Password that is issued to the customer and used only for the first
authentication.
Identity Verification Service (IVS)
An all-of-government shared service that provides individuals with the
option to verify their identity authoritatively, online, and in real-time
with participating agencies to a passport-level of confidence.
Low Risk Category
Services in this category have been assessed as having a low level
of identity-related risk. For further details, refer to the Evidence of
Identity Standard.
Online service
Service that an agency offers through an interactive online delivery
channel.
Password
Static secret, usually composed of keyboard characters, which is used
as the authentication key.
Reset password
Password that is issued to the customer following identity verification
procedures when the customer has forgotten his/her password or been
locked out from the authentication system.
Strong password
Password that is resistant to brute force guessing, common password,
dictionary and pre-knowledge guessing attacks.
Username
Construction of alphanumeric characters that is used to identify a
customer within the authentication system (the username is used to
identify the customer, or rather the authentication key, to the verifier
as part of the authentication process).
Entities involved in the authentication process
Customer
Person who claims some identity, which undergoes the authentication
process. The identity claim may be based on a username.
Verifier
Entity that performs the procedures for verifying the claim of identity
for customers. The verifier and the service provider may be separate
entities.
Password attacks
Brute force guessing attacks
Where an attacker tries to guess a specific customer’s password by
trying every possible valid password (i.e. passwords that are made up
from combinations from the set of valid password characters).
Common password attacks
Where an attacker tries commonly used passwords (such as obvious
variations of ‘password’, ‘logon’, etc.) against all the usernames they
know or can guess.
Dictionary attacks
Where an attacker tries every word from a collection, called a
dictionary, against a username to find a legitimate password. The
collection may be hashed or encrypted, depending on the way in which
passwords are stored.
Key logger attacks
Malicious code or hardware attacks that capture the keystrokes of
a customer with the intention of obtaining any password typed in by
the customer.
Phishing attacks
Social engineering attacks that use forged web pages, emails, or other
electronic communications to convince the customer to reveal their
password or other sensitive information to the attacker.
Pre-knowledge guessing attacks
Where an attacker tries to guess a specific customer’s password, using
knowledge of the customer’s personal details, preferences, etc.
Shoulder surfing attacks
Social engineering attacks where the attacker covertly observes the
password when the customer enters it.
Social engineering attacks
Attacks that are aimed at obtaining authentication keys or data by
fooling the customer into using an insecure authentication protocol,
or into loading malicious code onto the customer’s computer. Attacks
may also be aimed at the verification process, for example by trying
to trick help desk staff into accepting a false story.
5 Password Vulnerabilities and Attacks
This section briefly reviews relevant concepts relating to the use of passwords for
authentication, focusing on those that are important to section 6. General concepts relating to
online authentication are found in the Authentication Key Strengths Standard.
A number of possible vulnerabilities arise from the use of passwords:
• they could be guessed
• they could be forgotten
• they could be shared
• they could be written down and subsequently lost or stolen.
Measures mitigating one of these vulnerabilities can increase exposure to another.
For example, strong passwords can be difficult to remember and this may lead to their being
forgotten or written down and subsequently stolen.
5.1 Password attacks
The primary attacks against passwords considered in this Standard are brute force guessing
attacks, common password attacks, dictionary attacks, and pre-knowledge guessing attacks.
The use of strong passwords, system protection of password files, and logon failure
management measures provides protection against such attacks. Logon audit requirements
must be sourced from the Authentication Key Strengths Standard. Authentication protocol
attacks for the exchange of the password between the customer and the verifier are also
covered in the Authentication Key Strengths Standard.
5.2 Other attacks
Strong passwords do not afford protection against key logger, phishing and shoulder surfing
attacks. These attacks relate to the use of passwords and are forms of general attacks
considered in the Authentication Key Strengths Standard.
Education and advice for the customer are methods to combat these attacks. For example,
advice on key logger attacks would cover the security of the customer’s computing
environment, while education mitigates threats from phishing and shoulder surfing attacks.
This list of attacks is not meant to be complete and attacks continue to evolve and to be
developed. Agencies implementing online services are advised to contact the Centre for
Critical Infrastructure Protection or the GCSB, in addition to referring to SIGS, NZSIT 400,
AS/NZS ISO/IEC 17799:2006, AS/NZS ISO/IEC 27001:2006 and SAA/SNZ HB 231:2004.
Appendix A provides more information on password advice for online service customers.
6 Password Minimum Requirements
This section sets out the minimum requirements for the delivery of online services within the
Low Risk Category, focusing in particular on the attacks discussed in 5.1. Requirements from
the Authentication Key Strengths Standard for services in the Low Risk Category MUST also
be followed.
Agencies MUST undertake a risk assessment for those risks associated with the delivery of
their services through an interactive online channel. Agencies SHOULD follow the Australian
and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication
systems. Further advice on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB
436:2004 and SAA/SNZ HB 231:2004.
6.1 Association of passwords
An agency MUST associate a password with a customer only when the customer has satisfied
the evidence of identity requirements designated for services in the Low Risk Category in the
Evidence of Identity Standard.
6.2 Using higher-level authentication keys
Agencies SHOULD give customers who have been associated with an authentication key for
services in a higher risk category the choice to use this higher-level authentication key for
services in a lower risk category on a casual or permanent basis. This can only happen if the
agency’s authentication system supports the use of a higher-level authentication key.
6.3 Customer advice and responsibilities
Agencies MUST provide advice on how customers can fulfil their security responsibilities in
terms of constructing acceptable passwords and methods for managing passwords. Advice
MUST cover construction requirements, methods for constructing strong passwords, password
management practices and computing environment protection. These details SHOULD at
least cover the topics in Appendix A. For further requirements concerning agency provision
of advice for customers, refer to SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006, AS/NZS
ISO/IEC 27001:2006 and SAA/SNZ HB 231:2004.
6.4 Password construction
6.4.1 Agencies MUST use passwords generated by the customer, except in the case of initial
or reset passwords, which are generated as described in 6.5.3.
6.4.2 Passwords MUST be a minimum of seven (7) characters and contain characters from at least
three (3) of the following sets:
1. Lowercase characters (a-z).
2. Uppercase characters (A-Z).
3. Digits (0-9).
4. Punctuation and special characters (for example, !@#$%^&*).
6.4.3 The password system MUST enforce the requirements of 6.4.2 for passwords generated
by the customer at the initial setting. (Requirements for system-generated passwords are
described under 6.5.3).
6.4.4 Agency password systems MUST accept as distinct all the characters of 6.4.2 (1 to 4).
(For example, the password system shall be able to distinguish between upper case and lower
case alphabet characters when they are used in customer passwords.)
6.5 Password management
6.5.1 Agencies MUST:
1. Protect passwords in storage and during the online authentication exchange. (Requirements
for the authentication exchange protection of passwords are detailed in the Authentication
Key Strengths Standard.)
2. Require passwords to be changed at least every 12 months.
3. Retain a history of at least the last six (6) passwords used by a customer.
4. Ensure that the customer does not use a password from their password history.
5. Require the customer to change an initial logon or a reset password immediately following
authentication with that password.
6.5.2 Agencies SHOULD disallow customer-generated passwords at creation that are predictable or
guessable choices. For example, obvious combinations or variations involving the username,
dates, ‘password’ or ‘logon’ SHOULD be excluded.
NOTE – Commonly used and easily guessed passwords, like ‘password’, ‘Passw0rd’, ‘L0g0n01’,
‘Sign0n1’, etc. should be excluded by checking passwords against a password dictionary containing
the passwords to be rejected.
6.5.3 Agencies MUST use pseudo-random, system-generated passwords for initial or reset
passwords. Such passwords MUST comply with 6.4.2.
6.5.4 Agencies MUST allow customers to change their password and make this service available
from the logon page.
6.5.5 Agencies MUST ensure passwords are not displayed on screens when entered.
6.5.6 Agencies MUST require customers to enter a new password at least twice.
6.5.7 An agency MUST expire a customer’s password, so that it can no longer be used, when
the customer chooses to use their higher-level authentication key to access all of the
agency’s services in the Low Risk Category on a permanent basis. The authentication key
requirements are prescribed in the Authentication Key Strengths Standard (refer to Table 1
of that Standard).
6.5.8 Agencies SHOULD allow customers to suspend their account.
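The construction rule of 6.4.2 and the management rules of 6.5.1 and 6.5.2 can be checked at password creation in one place. The following is an added example written for this page, not code from the Standard or the GLS; the small reject list, the leet-substitution table, the PBKDF2 parameters and all function names are constructed assumptions.

```python
"""Added example (not code from the Standard): password acceptance checks
modelled on 6.4.2 (construction), 6.5.1 (history, 12-month change) and
6.5.2 (predictable choices). The reject list and names are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MIN_LENGTH = 7                 # 6.4.2: at least seven characters
MIN_CLASSES = 3                # 6.4.2: from at least three of the four sets
HISTORY_SIZE = 6               # 6.5.1(3): keep the last six passwords
MAX_AGE = timedelta(days=365)  # 6.5.1(2): change at least every 12 months
PBKDF2_ROUNDS = 100_000        # constructed value for the illustration

# Constructed reject list in the spirit of the 6.5.2 NOTE; a production
# dictionary would be far larger. Entries are kept in normalised form.
REJECT_LIST = {"password", "logon", "signon", "login", "welcome"}

# Undo the substitutions behind 'Passw0rd', 'L0g0n01' and 'Sign0n1' so the
# dictionary check matches the word they are derived from.
_LEET = str.maketrans("0134$@!", "oleasai")


def character_classes(pw: str) -> int:
    """Count the 6.4.2 character sets present: lower, upper, digit, and
    'punctuation and special characters' (taken here as anything else)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    return lower + upper + digit + special


def normalise(pw: str) -> str:
    """Lowercase, drop a trailing counter such as '01', undo leet substitutions."""
    stem = re.sub(r"\d+$", "", pw.lower())
    return stem.translate(_LEET)


def is_guessable(pw: str, username: str, known_dates: list[date]) -> bool:
    """6.5.2: obvious variations of the username, known dates or reject-list words."""
    norm = normalise(pw)
    if any(word in norm for word in REJECT_LIST):
        return True
    user = username.lower()
    if len(user) >= 3 and (user in norm or user[::-1] in norm):
        return True
    digits = re.sub(r"\D", "", pw)   # compare only the digit content with dates
    for d in known_dates:
        for fmt in ("%d%m%Y", "%Y%m%d", "%d%m%y", "%Y"):
            if d.strftime(fmt) in digits:
                return True
    return False


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: datetime


def hash_password(pw: str, salt: bytes | None = None) -> StoredPassword:
    """6.5.1(1): protect the password in storage with a salted, iterated hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return StoredPassword(salt, digest, datetime.now())


def matches(pw: str, stored: StoredPassword) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), stored.salt,
                                    PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored.digest)


def must_change(current: StoredPassword, now: datetime) -> bool:
    """6.5.1(2): a password older than 12 months has to be changed."""
    return now - current.set_at >= MAX_AGE


def validate_new_password(pw: str, username: str, known_dates: list[date],
                          history: list[StoredPassword]) -> list[str]:
    """Return the rules a proposed password breaks (empty list = acceptable).
    `history` holds the customer's previous passwords, most recent first."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("6.4.2: fewer than 7 characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append("6.4.2: fewer than 3 character sets")
    if is_guessable(pw, username, known_dates):
        problems.append("6.5.2: predictable or guessable choice")
    if any(matches(pw, old) for old in history[:HISTORY_SIZE]):
        problems.append("6.5.1(4): password is in the customer's history")
    return problems
```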
6.6 Session logout
Agencies MUST configure their online services to log out a customer following 15 minutes
of inactivity.
NOTE – Filling out forms etc. may not be detected as activity, so agency services need to be
appropriately designed.
6.7 Access management
6.7.1 Agencies MUST:
1. Lockout the customer username after no more than five (5) consecutive unsuccessful
password attempts against the customer username.
2. Provide access to a password reset page from the logon page (this may be used by
customers who know they have forgotten their password).
3. Perform a risk assessment to ensure the strength of the enrolment and password reset
processes are consistent with the strength of the password requirements given in this
Standard (advice is given in Appendix B).
NOTE – To defend against denial of service attacks, agencies may consider using time delays following
a series of unsuccessful password attempts.
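The 6.7.1(1) lockout, the time delay suggested in the NOTE above and the 6.6 inactivity logout as one access manager, added here as an illustration rather than code from the Standard. The back-off schedule is an assumption, and the password check is a callable supplied by the agency.

```python
import time

MAX_ATTEMPTS = 5              # 6.7.1(1): lock out after five consecutive failures
INACTIVITY_LIMIT = 15 * 60    # 6.6: seconds of inactivity after which the customer is logged out
# Assumed back-off for the 6.7.1 NOTE: seconds the nth consecutive failure makes the next attempt wait.
BACKOFF = (0, 1, 2, 5, 10)


class AccessManager:
    """Tracks failed logons, lockout, back-off and session inactivity per customer username."""

    def __init__(self, verify):
        self._verify = verify       # callable(username, password) -> bool; the agency's password check
        self._failures = {}         # username -> consecutive unsuccessful attempts
        self._locked = set()        # usernames locked under 6.7.1(1)
        self._not_before = {}       # username -> earliest time (seconds) the next attempt is accepted
        self._last_seen = {}        # username -> time of the customer's last activity

    def attempt(self, username, password, now=None):
        """Returns 'ok', 'bad', 'wait' or 'locked'; now is a time in seconds (defaults to the clock)."""
        now = time.time() if now is None else now
        if username in self._locked:
            return "locked"                      # a correct password does not unlock the account
        if now < self._not_before.get(username, now):
            return "wait"                        # back-off still running; this attempt is not counted
        if self._verify(username, password):
            self._failures.pop(username, None)   # success resets the consecutive count
            self._not_before.pop(username, None)
            self._last_seen[username] = now
            return "ok"
        failures = self._failures[username] = self._failures.get(username, 0) + 1
        if failures >= MAX_ATTEMPTS:
            self._locked.add(username)           # 6.7.1(1): locked until the reset process runs
            return "locked"
        self._not_before[username] = now + BACKOFF[min(failures, len(BACKOFF) - 1)]
        return "bad"

    def touch(self, username, now=None):
        """Record activity on a session; False means it already expired under 6.6 and must log on again."""
        now = time.time() if now is None else now
        last = self._last_seen.get(username)
        if last is None or now - last > INACTIVITY_LIMIT:
            self._last_seen.pop(username, None)
            return False
        self._last_seen[username] = now
        return True

    def unlock(self, username):
        """Clear a lockout; call only once the reset process (6.7.1(2), Appendix B) has authenticated the customer."""
        self._locked.discard(username)
        self._failures.pop(username, None)
        self._not_before.pop(username, None)
```

The service has to call touch() on every request it counts as activity, which is the design point the 6.6 NOTE makes about form filling.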
6.7.2 Agencies SHOULD:
1. Disable inactive accounts following a period of no more than 24 months.
2. Inform customers prior to disabling their accounts, so that there is time for responses
to be considered.
Working group representation
The following organisations contributed representatives to the Authentication Keys
working group:
Accident Compensation Corporation
Auckland City Council
BSA Limited
Gen-i
Government Communications Security Bureau
IBM New Zealand Limited
Inland Revenue
Land Information New Zealand
Land Transport New Zealand
Ministry of Education
Ministry of Health
Ministry of Social Development
New Zealand Customs Service
New Zealand Police
State Services Commission
Acknowledgement
The State Services Commission gratefully acknowledges the contribution of time and
expertise from all those involved in developing this Standard. During the development of
this Standard, the working group used both NZSIT 400 and the Electronic Authentication
Guideline (NIST 800-63).
Copyright
This Standard is subject to Crown copyright. The material may be used, copied and redistributed free of charge in any format or media, provided that the source and copyright
status is acknowledged (i.e. this material was produced by the State Services Commission ©
Crown copyright 2006).
Referenced documents
Joint Australian/New Zealand Standards and Handbooks
AS/NZS ISO/IEC 17799:2006 Information technology – security techniques – code of practice for information security management. www.standards.co.nz
AS/NZS ISO/IEC 27001:2006 Information technology – security techniques – information security management systems – requirements. www.standards.co.nz
AS/NZS 4360:2004 Risk management (Australian/New Zealand Standard). www.standards.co.nz
SAA/SNZ HB 231:2004 Information security risk management guidelines (Australian/New Zealand handbook). www.standards.co.nz
SAA/SNZ HB 436:2004 Risk management guidelines – companion to AS/NZS 4360:2004 (Australian/New Zealand handbook). www.standards.co.nz
American Standard
National Institute of Standards and Technology. 2006. Electronic authentication guideline
(NIST 800-63). Version 1.0.2. csrc.nist.gov
Other
Asia Oceania Electronic Marketplace Association (AOEMA). 2002. SafetyNet guide.
www.aoema.org
Bradner, S. March 1997. Key words for use in RFCs to indicate requirement levels.
(RFC 2119). www.ietf.org
Department of Internal Affairs. 2006. Evidence of identity standard. Version 1.0.
www.dia.govt.nz
Department of the Prime Minister and Cabinet. 2002. Security in the government sector
(SIGS). www.security.govt.nz
Department of the Prime Minister and Cabinet. 2001. Guidelines for protection of official
information. www.security.govt.nz
Government Communications Security Bureau. October 2005. New Zealand Government
information technology security manual – NZSIT 400 (NZSIT 400). Version 1.0.
www.security.govt.nz
State Services Commission. 2006. Authentication key strengths standard. Version 1.0.
www.e.govt.nz
State Services Commission. 2006. Data formats for identity records standard. Version 1.0.
www.e.govt.nz
State Services Commission. 2006. Guidance on multi-factor authentication. www.e.govt.nz
State Services Commission. 2006. Guide to authentication standards for online services.
Version 1.0. www.e.govt.nz
State Services Commission. 2006. New Zealand e-government interoperability framework
(NZ e-GIF). Version 3.0. www.e.govt.nz
State Services Commission. 2006. Security assertion messaging framework. www.e.govt.nz
State Services Commission. 2005a. Development goals for the State Services. www.e.govt.nz
State Services Commission. 2005b. Authentication for e-government: Government Logon
Service design overview. www.e.govt.nz
State Services Commission. 2004. Authentication for e-government: best practice framework
for authentication. www.e.govt.nz
State Services Commission. New Zealand security assertion messaging standard.
(In preparation.) www.e.govt.nz
Related Websites
www.aoema.org
www.ccip.govt.nz
www.dia.govt.nz
www.e.govt.nz
www.gcsb.govt.nz
www.netsafe.org.nz
www.security.govt.nz
www.ssc.govt.nz
Latest revisions
This Standard is to be reviewed from time to time by the working group, so that it keeps up
to date with changes in the sector.
Users should ensure they access the latest revisions of the NZ e-GIF authentication standards,
including amendments (if any). These can be found at www.e.govt.nz. Users should also
access the latest revisions of the documents included in the list of referenced documents set
out in this Standard.
Review of standards
Suggestions for improvement of this Standard are welcomed. They should be sent to
the Manager, e-GIF Operations, State Services Commission, PO Box 329, Wellington.
Alternatively, suggestions can be sent by email to [email protected]
Appendix A – Password advice for online service customers
Education and advice for customers using agency online services can benefit the overall
security of the authentication system. Advice covering password use should include the
following elements:
• password construction requirements and advice
• methods for constructing strong and memorable passwords
• password management advice
• life cycle requirements that affect the password’s use (time limits on use, cycling limits, etc.)
• recommended protections for the customer’s computing environment
• customer responsibilities
• processes and procedures relating to compromise or suspected compromise of the
password.
Other sources of advice for customer education include the Authentication Key Strengths
Standard, the Internet Safety Group (www.netsafe.org.nz) and the AOEMA SafetyNet Guide
(available from www.aoema.org). Sample guidelines are included below. Agencies may
modify these to suit their needs.
A.1 Sample guidelines for the safe use of passwords to access online services
Introduction
As a user of online systems it is important that you understand the use of passwords as
a significant component of Internet security. This document sets out to provide some current
best practices for the use of passwords.
Responsibility
Providers of online services undertake a number of measures to protect your privacy and
the security of your transactions. Providers deploy a number of controls to enforce good
password construction and management. There is a limit, however, to a provider’s ability
to ensure security.
Users have an important role to play in ensuring that security controls are effective. As a user
of online systems, you are ultimately responsible for your own behaviour when accessing
agency services online.
How to be safe
There are three elements that enable the safe use of passwords for accessing online services:
1. Good password construction.
2. Careful password management.
3. Password protection.
The following should help ensure that all three elements are taken into account.
Password construction
Do
• Use a password that you can easily remember but is hard to guess. This can be achieved by
applying a rule to a word or phrase (see sample methods below).
• Use a password that contains a combination of letters, numbers and symbols.
• Use a password with mixed-case letters. This does not mean simply capitalising the first letter.
Avoid
• Using your username in any form (reversed, capitalised, doubled) as a password.
• Using your first, middle or last name in any form.
• Using your initials or any nicknames you may have.
• Using a word contained in English or foreign dictionaries, spelling lists, or other word lists.
• Using information about you that could be easily obtained. This includes pet names, licence
plate numbers, telephone numbers, the brand of your vehicle, the name of the street you live
on, and so on. Such passwords are very easily guessed by someone who knows you.
• Using a password of all numbers or a password composed of all alphabet characters.
• Using a simple word within a password and simply adding incremental numbers.
Password management
Do
• Change passwords regularly. This stops continued access by someone who has already
compromised your account. The sensitivity of the information that you are working with
should determine the frequency with which you change a password.
Avoid
• Using the same password twice.
• Sharing your username and password with a group. Accountability for group access is
extremely problematic. You could end up sharing the blame for, or cost of, activity for which
you were not responsible.
• Attempting more than five times to enter your username and password. This will generally
result in your account being automatically locked out.
Password protection
Do
• Write down seldom used passwords provided that any paper copy is stored securely and
destroyed when no longer needed. Suitable secure storage would include a sealed envelope
within a home safe.
• Check for a ‘closed’ padlock in the lower right-hand corner of your browser and that ‘http:’
has changed to ‘https:’ on the address bar before entering your password. This indicates that
a secure channel has been provided by your service agency.
• Install a firewall, antivirus and anti-spyware software on computers that you intend to use
online services from and keep these and your operating system updated.
Avoid
• Using online services from ‘un-trusted’ or shared computers such as Internet cafes.
• Using a password on an account for secure online services that you also use for low-security
purposes (e.g. webmail logon).
• Writing a password on sticky notes, desk pads, calendars, or storing it online, where it can be
accessed by others.
• Revealing your password to any other person. (You will never be asked for your password
by a legitimate system administrator.)
• Storing your username and password within your browser.
Sample methods for creating safe and memorable passwords
There are a number of ways to create safe and memorable passwords. The following examples
show two popular techniques.
Method 1
Start with a meaningful phrase or saying and then apply rules. The following is an example
of this technique:
a. The short phrase is ‘My favourite place in New Zealand is Auckland’.
b. Rule number 1 is to use the first letters of each word. The phrase in our example yields
the password; MfpiNZiA.
c. Rule number 2 is to apply character substitutions such as a=@, i=1. (Don’t use this rule
alone with a single word as this is easily broken.)
d. Combine rules 1 and 2 to add symbols and numbers to this password. In this example the
password then becomes Mfp1NZ1@.
Method 2
Combine two or three short words with capitalisation and symbols. One or more rules can
then be applied to further enhance the password. The benefit of this approach is that passwords
can often be ‘sounded out’, making them more memorable. The following are examples of
this technique:
a. Use the words ‘top 80 percent’ to create ‘toP8TY%’.
b. Use the words ‘down’ and ‘bat’ to create ‘dOwn#B@t’.
c. Apply a rule that reverses the first word. In the examples above the passwords would then
become ‘Pot8TY%’ and ‘nwOd#B@t’.
NOTE –
(1) Simply using character substitution on a simple dictionary word or name may not create
a safe password.
(2) Do not use any of the above examples in real situations.
Appendix B – Enrolment and reset password processes
It is important that the enrolment and reset password processes do not degrade the security
of the authentication solution. Reset password processes are the processes followed when
a customer has forgotten his or her password or when the customer has been locked out
from the authentication system. This should not be confused with the process of a customer
changing his or her password. The agency must undertake a risk assessment for these
processes. Some options for the enrolment and reset password processes are outlined below.
These are not the only acceptable options.
B.1 Enrolment processes
An agency customer is required to complete the Evidence of Identity (EOI) process with the
agency (from the Evidence of Identity Standard) as part of the enrolment process for online
service delivery. The enrolment steps are depicted in the diagram below. The processes for
enrolment have not been specifically detailed in the authentication standards and so need
to be determined by the agency.
Normally, the EOI process requires the physical presence of the customer at the agency. The
association of a password to a customer will not be activated for service requests until the
customer has satisfied the EOI requirements. To be set up for online service delivery, the
customer may:
• enter their password while at the agency completing the EOI process
• have already entered a password, which is then associated to their identity when they
complete the EOI process at the agency
• complete the EOI process at the agency and take away an initial password that is only
used for their first logon.
B.2 Reset password processes
Processes for resetting a customer’s password, in cases where a password is forgotten, also
need to be developed by the agency. The steps for password reset are depicted in the diagram
below. The ‘authenticate customer’ and ‘distribute reset password’ steps directly affect the
security of the authentication system.
Again there are many acceptable options. The agency may use a number of communication
channels to perform the ‘authenticate customer’ and ‘distribute reset password’ steps. The
channels employed may be different for these two steps in any password reset process.
B2.1 Online challenge response questions and reset password distribution
A set of questions and answers is recorded when the customer initially sets his or her password.
The questions can be a combination of customer-selected questions and questions set by the
agency. (The agency may set some questions to ensure a certain strength is achieved with
the question set.) As part of the password reset process, the customer is required to correctly
answer a subset of their recorded questions set before a reset password is issued. The strength
of this process should be consistent with the strength of password requirements of the
Password Standard to ensure that the password requirements are not undermined and that
the question and answer process is appropriate. The customer should periodically be asked to
confirm their questions and answers (this may occur when the customer needs to change an
expired password). Agencies should also allow customers to update and alter their questions
and answers. The reset password may be sent using the customer’s registered email address,
home address, or cellphone (as either an SMS text-message or a voice-message). Using the
registered contact details of the customer provides an additional check in the password reset
process. Solutions that simply display the password on the screen or allow the customer to
have the password sent to another address are not acceptable.
B2.2 Call centre challenge response questions and reset password distribution
The customer may also be able to access a call centre for password reset. In this case the
questions and answers may not necessarily be taken from a recorded set but may rely on
knowledge that the agency has of the customer. For example, the agency may use a combination
of address details, transaction details and specific customer details shared by the agency and
the customer (such as customer number or correspondence codes). Call centre staff should
receive training in the risks of social engineering and fraud and the necessary practices to
defend against such attacks. Where possible, reset passwords should be distributed in the
manner described in the online setting.