NZISM Security Benchmark AC-4
Access Control and Passwords
16.1.40 Password selection policy
Agencies SHOULD implement a password policy enforcing either:
- a minimum password length of 16 characters with no complexity requirement; or
- a minimum password length of ten characters, consisting of at least three of the following character sets:
  - lowercase characters (a-z);
  - uppercase characters (A-Z);
  - digits (0-9); and
  - punctuation and special characters.
Passwords are the primary authentication mechanism for almost all information systems and are a fundamental part of access and authentication processes and mechanisms. While there are some limitations in the use of passwords, they remain the most cost-effective means available with current technology.
Passwords are subject to three principal groups of risks:
- intentional password sharing;
- password theft, loss or compromise; and
- password guessing and cracking.
Associated with these risk groups are four principal methods of attacking passwords:
- interactive attempts, including password guessing, brute-force attacks or use of some knowledge of the user or agency;
- obtaining the password through social engineering or phishing;
- compromising the password through oversight, observation, use of keyloggers, cameras etc.; and
- cracking through network traffic interception, misconfiguration, malware, data capture etc. For example, a simple eight-letter password can today be brute-forced in minutes by software freely available on the Internet.
Password controls are designed to manage these risks and attack methods using the controls specified in this section. For example, passwords with at least ten characters utilising upper and lower case, numbers and special characters have a much greater resistance to brute-force attacks. When used in combination with controls such as password history and regular password change, passwords can present high resistance to known attack methods.
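The following is an added example, not part of the NZISM text or any Microsoft or NZ government tooling. It implements the two alternative branches of control 16.1.40 as a policy check (16 characters with no complexity requirement, or 10 characters drawing on at least three of the four named character sets), and it quantifies the brute-force rationale given above by computing the search-space size in bits for an eight-letter password against the two policy options. Assumptions: "punctuation and special characters" is taken to mean any printable, non-whitespace character that is not a letter or digit, whitespace and non-ASCII letters count toward length only, and the keyspace figures assume uniformly random selection, so they are an upper bound on real-world strength. The sample passwords are constructed for illustration.

```python
import math
import string
from dataclasses import dataclass

# Thresholds as stated in NZISM 16.1.40 (quoted on this page).
MIN_LENGTH_NO_COMPLEXITY = 16
MIN_LENGTH_WITH_COMPLEXITY = 10
MIN_CHARACTER_CLASSES = 3


@dataclass
class PolicyResult:
    compliant: bool
    reason: str


def character_classes(password: str) -> set[str]:
    """Return the NZISM character classes present in the password.

    Assumption: a 'special' character is any printable, non-whitespace
    character that is not a letter or digit. Whitespace and non-ASCII
    letters count toward length but toward no class.
    """
    classes: set[str] = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("digit")
        elif ch.isprintable() and not ch.isalnum() and not ch.isspace():
            classes.add("special")
    return classes


def is_compliant(password: str) -> PolicyResult:
    """Check a password against either branch of 16.1.40; explain the verdict."""
    length = len(password)
    if length >= MIN_LENGTH_NO_COMPLEXITY:
        return PolicyResult(True, f"length {length} meets the {MIN_LENGTH_NO_COMPLEXITY}-character option")
    classes = character_classes(password)
    if length >= MIN_LENGTH_WITH_COMPLEXITY and len(classes) >= MIN_CHARACTER_CLASSES:
        return PolicyResult(
            True,
            f"length {length} with {len(classes)} character classes ({', '.join(sorted(classes))})",
        )
    if length < MIN_LENGTH_WITH_COMPLEXITY:
        return PolicyResult(False, f"length {length} is below the {MIN_LENGTH_WITH_COMPLEXITY}-character minimum")
    return PolicyResult(
        False,
        f"length {length} is below {MIN_LENGTH_NO_COMPLEXITY} and only {len(classes)} of "
        f"{MIN_CHARACTER_CLASSES} required character classes are present",
    )


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of this length over this alphabet.

    Upper bound on brute-force work; assumes uniformly random selection.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed samples: one per policy outcome.
    samples = [
        "correct horse battery staple",  # long passphrase, no complexity needed
        "Tr0ub4dor&3",                   # 11 chars, all four classes
        "Abcdef1234",                    # exactly 10 chars, three classes
        "password123",                   # 11 chars but only two classes
        "Abcdefgh1",                     # three classes but too short
        "abcdefghijklmno",               # 15 lowercase: fails both branches
    ]
    for pw in samples:
        result = is_compliant(pw)
        print(f"{pw!r:32} {'PASS' if result.compliant else 'FAIL'}  {result.reason}")

    # Why the two branches are comparable, and why 8 letters is weak:
    print(f"8 lowercase letters:         {keyspace_bits(8, 26):.1f} bits")
    print(f"10 chars, 94 printable ASCII: {keyspace_bits(10, 94):.1f} bits")
    print(f"16 lowercase letters:        {keyspace_bits(16, 26):.1f} bits")
```

Run the file directly to see each constructed sample's verdict with its reason. The keyspace figures show that the 16-character option, even restricted to lowercase letters, gives a larger search space than ten characters over the full printable ASCII set, which is why the policy treats the two branches as alternatives.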