
Appendix A - Password advice for online service customers

Education and advice for customers using agency online services can benefit the overall security of the authentication system. Advice covering password use should include the following elements:

  • password construction requirements and advice
  • methods for constructing strong and memorable passwords
  • password management advice
  • life cycle requirements that affect the password's use (time limits on use, cycling limits, etc.)
  • recommended protections for the customer's computing environment
  • customer responsibilities
  • processes and procedures relating to compromise or suspected compromise of the password.

Other sources of advice for customer education include the Authentication Key Strengths Standard, the Internet Safety Group (www.netsafe.org.nz) and the AOEMA SafetyNet Guide (available from www.aoema.org). Sample guidelines are included below. Agencies may modify these to suit their needs.

A.1 Sample guidelines for the safe use of passwords to access online services

Introduction

As a user of online systems, it is important that you understand the use of passwords as a significant component of Internet security. This document sets out some current best practices for the use of passwords.

Responsibility

Providers of online services undertake a number of measures to protect your privacy and the security of your transactions. Providers deploy a number of controls to enforce good password construction and management. There is a limit, however, to a provider's ability to ensure security.

Users have an important role to play in ensuring that security controls are effective. As a user of online systems, you are ultimately responsible for your own behaviour when accessing agency services online.

How to be safe

There are three elements that enable the safe use of passwords for accessing online services:

1. Good password construction.

2. Careful password management.

3. Password protection.

The following should help ensure that all three elements are taken into account.

How to keep your password safe

Password construction

Do

  • Use a password that you can easily remember but is hard to guess. This can be achieved by applying a rule to a word or phrase (see sample methods below).
  • Use a password that contains a combination of letters, numbers and symbols.
  • Use a password with mixed-case letters. This does not mean simply capitalising the first letter.

Avoid

  • Using your username in any form (reversed, capitalised, doubled) as a password.
  • Using your first, middle or last name in any form.
  • Using your initials or any nicknames you may have.
  • Using a word contained in English or foreign dictionaries, spelling lists, or other word lists.
  • Using information about you that could be easily obtained. This includes pet names, licence plate numbers, telephone numbers, the brand of your vehicle, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows you.
  • Using a password of all numbers or a password composed of all alphabet characters.
  • Using a simple word within a password and simply adding incremental numbers.

Password management

Do

  • Change passwords regularly. This stops continued access by someone who has already compromised your account. The sensitivity of the information that you are working with should determine the frequency with which you change a password.

Avoid

  • Using the same password twice.
  • Sharing your username and password with a group. Accountability for group access is extremely problematic. You could end up sharing the blame for, or cost of, activity for which you were not responsible.
  • Attempting more than five times to enter your username and password. This will generally result in your account being automatically locked out.

Password protection

Do

  • Write down seldom-used passwords, provided that any paper copy is stored securely and destroyed when no longer needed. Suitable secure storage would include a sealed envelope within a home safe.
  • Check for a 'closed' padlock in the lower right-hand corner of your browser and that 'http:' has changed to 'https:' in the address bar before entering your password. This indicates that a secure channel has been provided by your service agency.
  • Install a firewall, antivirus and anti-spyware software on computers from which you intend to use online services, and keep these and your operating system updated.

Avoid

  • Using online services from untrusted or shared computers such as Internet cafes.
  • Using a password on an account for secure online services that you also use for low-security purposes (e.g. webmail logon).
  • Writing a password on sticky notes, desk pads, calendars, or storing it online, where it can be accessed by others.
  • Revealing your password to any other person. (You will never be asked for your password by a legitimate system administrator.)
  • Storing your username and password within your browser.

Sample methods for creating safe and memorable passwords

There are a number of ways to create safe and memorable passwords. The following examples show two popular techniques.

Method 1

Start with a meaningful phrase or saying and then apply rules. The following is an example of this technique:

a. The short phrase is 'My favourite place in New Zealand is Auckland'.

b. Rule number 1 is to use the first letter of each word. The phrase in our example yields the password MfpiNZiA.

c. Rule number 2 is to apply character substitutions such as a=@, i=1. (Don't use this rule alone with a single word, as this is easily broken.)

d. Combine rules 1 and 2 to add symbols and numbers to this password. In this example the password then becomes Mfp1NZ1@.

Method 2

Combine two or three short words with capitalisation and symbols. One or more rules can then be applied to further enhance the password. The benefit of this approach is that passwords can often be 'sounded out', making them more memorable. The following are examples of this technique:

a. Use the words 'top 80 percent' to create 'toP8TY%'.

b. Use the words 'down' and 'bat' to create 'dOwn#B@t'.

c. Apply a rule that reverses the first word. In the examples above the passwords would then become 'Pot8TY%' and 'nwOd#B@t'.

NOTE -

  1. Simply using character substitution on a simple dictionary word or name may not create a safe password.
  2. Do not use any of the above examples in real situations.
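Both methods are sets of mechanical rules applied to something the customer already remembers, so they are easy to show as code. The block below is an added example, not part of the standard: it implements Method 1 (rule 1, first letters; rule 2, character substitution) and the Method 2 reversal rule, reproducing the page's own sample results, and it also inverts the substitution table to show why note 1 applies: rule 2 on its own turns a single dictionary word into something that maps straight back to that word. The substitution table `SUBSTITUTIONS` holds only the two substitutions the page names; the sample phrase and words are the page's, and are used here purely as test inputs.

```python
# Rule 2 substitutions as given in Method 1 (a=@, i=1).
SUBSTITUTIONS = {"a": "@", "i": "1"}


def first_letters(phrase):
    """Method 1, rule 1: the first letter of each word, keeping its case."""
    return "".join(word[0] for word in phrase.split())


def substitute(text, table=SUBSTITUTIONS):
    """Method 1, rule 2: replace characters per the table. The lookup is
    case-insensitive so the final 'A' of 'MfpiNZiA' becomes '@', as in the
    page's example; characters not in the table are kept as they are."""
    return "".join(table.get(ch.lower(), ch) for ch in text)


def method_1(phrase):
    """Method 1 in full: rule 1 followed by rule 2."""
    return substitute(first_letters(phrase))


def combine(parts):
    """Method 2: join the hand-styled components (capitalisation and symbols
    are chosen by the customer when writing the components)."""
    return "".join(parts)


def reverse_first_word(parts):
    """Method 2, rule c: reverse the first component and keep the rest."""
    return parts[0][::-1] + "".join(parts[1:])


def undo_substitution(text, table=SUBSTITUTIONS):
    """Invert rule 2. This is why note 1 holds: applying rule 2 alone to a
    single word is a fixed, reversible transformation, so the result is no
    harder to guess than the word itself."""
    inverse = {v: k for k, v in table.items()}
    return "".join(inverse.get(ch, ch) for ch in text)


if __name__ == "__main__":
    phrase = "My favourite place in New Zealand is Auckland"  # the page's sample
    print(first_letters(phrase))           # MfpiNZiA
    print(method_1(phrase))                # Mfp1NZ1@
    print(combine(["dOwn", "#B@t"]))        # dOwn#B@t
    print(reverse_first_word(["toP", "8TY%"]))   # Pot8TY%
    print(reverse_first_word(["dOwn", "#B@t"]))  # nwOd#B@t
    # Rule 2 alone on a single word, and its trivial reversal (note 1).
    print(substitute("auckland"), "->", undo_substitution(substitute("auckland")))
```

Only the phrase-based path (Method 1) is fully automatic; for Method 2 the customer still chooses the capitalisation and symbols when writing each component, which is what makes those passwords 'soundable'.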
