Australian government password rules are insecure nonsense

The agencies dedicated to “protecting our secrets” are insisting on a password security method that even the Daily Mail knows is nonsense, writes John Quiggin.

I recently had to log in to the website of an Australian government agency with which I deal from time to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, passwords expire every 90 days and must contain a mixture of alphanumeric and special characters (this is called a composition rule).

You don’t need to be a cybersecurity expert to know that this is nonsense. Comics like xkcd have been mocking special-character passwords for years. As is well known, a long but easily memorable string of dictionary words like “thisgovernmenthasnochanceofwinning” is much harder to crack than a shorter “p@ssw0rd123456” with obvious substitutions like @ for a (the second password would meet the conditions I was asked to satisfy; the first would not). What matters is the number of guesses an attacker has to make: cracking tools try dictionary words with the usual substitutions and appended digits first, so the substitutions add almost nothing, while every extra word in a passphrase multiplies the search space.

[Image: xkcd, “Password Strength”]

The problems with regularly changing passwords have been discussed in the computer press for years. In 2016 the US National Institute of Standards and Technology (NIST) published new draft guidelines (Special Publication 800-63B, finalised in June 2017) responding to studies of how people actually use passwords. Among the most important: “No composition rules” and “No more expiration without reason.”

To quote the Sophos security site, “The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.”

Anyone who paid attention knew all this years ago. But the coup de grâce came with the widely reported admission, a month ago, by Bill Burr, the author of the 2003 NIST guidance that introduced these rules, that they were wrong and had made computers less secure. By this point even the readers of the Daily Mail are in on the joke.

ASD enforcing outdated advice

I could deal with my own password problem easily enough. There are plenty of apps on the market that manage passwords and generate them to satisfy even the silliest composition rules (I use 1Password). But many users don’t have such an app and will adopt insecure practices like writing the password on a sticky note.

So, in the spirit of “if you see something, say something”, I wrote to the agency in question, advising that its security practices were out of date. I assumed that the policy had been imposed by a technologically illiterate senior manager and that a client complaint might lead to some action.

Imagine my surprise when the agency wrote back to inform me that it had no choice in the matter. The new (in)security policy had been imposed across the entire Australian government by our chief cyber-intelligence agency, the Australian Signals Directorate (snappy slogan: “Reveal their secrets, protect our own”).

In May 2016, shortly after NIST repudiated password expiry and composition rules, the ASD released a 300-page Information Security Manual including (on p. 193, for those interested) the requirements for 90-day expiry and a complex composition rule.

Given that the ASD is our representative in the “Five Eyes” Anglosphere intelligence agreement, I would have expected it to have access to the best available advice from the US. But apparently they don’t even read the trade press.

I haven’t read the rest of the manual and wouldn’t be qualified to assess it in any case. But if the agency responsible for our national cybersecurity is mandating policies that are too silly for the Daily Mail, it seems unlikely that we can place much faith in the advice our government is receiving on more significant issues like data retention and the exploitation of security vulnerabilities by intelligence agencies seeking to “reveal their secrets”.

This article first appeared in our sister publication, Crikey.

  • David Furphy

    I agree the 90-day change rule is stupid and makes one wonder about the rest of the document.

    It’s worth noting however, that on page 192 it states the complexity rule (uppercase, symbol etc) is only required if the password is less than 13 characters (15 for Top Secret). So your “thisgovernmenthasnochanceofwinning” passphrase does actually comply with the guidelines. It makes sense to require EITHER a long password OR a complex one – both can achieve the required resistance to hacking.
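As an added worked example (not code from the article or the comment above, and not the ISM’s own checker), the script below implements the two rules discussed on this page, the article’s “mixture of alphanumeric and special characters” rule and the comment’s “complex OR at least 13 characters (15 for Top Secret)” rule, runs both passwords from the article through them, and then estimates how much work each password actually costs an attacker. The attacker model is an assumption: a 10,000-word cracking wordlist for mangled single words, a 2,000-word everyday vocabulary for passphrases, one bit per leet-substitutable character, and a guess rate of 1e10 per second against a fast hash. The “naive” figure is what a composition rule implicitly assumes, namely that every character is a uniform random draw from the character classes present.

```python
"""Added example (not from the article): check the composition rules the
article and the comment describe, then estimate how many guesses each
password really costs.  Dictionary sizes, the leet model and the guess rate
are assumptions, marked below."""
import math
import re
import secrets
import string

SPECIAL = set(string.punctuation)
# Assumption: substitutions a cracking ruleset undoes for free.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

# Assumptions about the attacker.
WORDLIST_SIZE = 10_000        # base words tried for word+substitution+digits passwords
VOCAB_SIZE = 2_000            # everyday words tried for passphrases
GUESSES_PER_SECOND = 1e10     # GPU rig against a fast, unsalted hash


def char_classes(pw: str) -> dict:
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIAL for c in pw),
    }


def meets_composition_rule(pw: str) -> bool:
    """The article's rule: a mixture of alphanumeric and special characters
    (modelled here as at least one letter, one digit and one special character)."""
    cls = char_classes(pw)
    return (cls["lower"] or cls["upper"]) and cls["digit"] and cls["special"]


def meets_length_or_complexity(pw: str, min_len: int = 13) -> bool:
    """The comment's reading of the ISM: complexity (modelled as all four
    classes) is only required below min_len characters (13, or 15 for Top Secret)."""
    return len(pw) >= min_len or all(char_classes(pw).values())


def naive_bits(pw: str) -> float:
    """What a composition rule implicitly assumes: each character drawn
    uniformly from the union of the classes present."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIAL)}
    alphabet = sum(sizes[k] for k, present in char_classes(pw).items() if present)
    return len(pw) * math.log2(alphabet)


def mangled_word_bits(pw: str) -> float:
    """Assumed cracking model for word+leet+digits: choose a base word, decide
    per leetable character whether it was substituted (1 bit each), then
    append the trailing digits."""
    base, digits = re.fullmatch(r"(.*?)(\d*)", pw).groups()
    leet_count = sum(1 for c in base if c in LEET)
    return math.log2(WORDLIST_SIZE) + leet_count + len(digits) * math.log2(10)


def passphrase_bits(words: list) -> float:
    """Cost of a passphrase when the attacker knows it is everyday words:
    one vocabulary choice per word."""
    return len(words) * math.log2(VOCAB_SIZE)


def crack_seconds(bits: float) -> float:
    """Expected time to search half the space at the assumed guess rate."""
    return 2 ** bits / 2 / GUESSES_PER_SECOND


def generate_compliant(length: int = 16) -> str:
    """What a password manager does: a random password that satisfies even the
    strictest composition rule, with one character forced from every class."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    weak = "p@ssw0rd123456"
    strong_words = ["this", "government", "has", "no", "chance", "of", "winning"]
    strong = "".join(strong_words)
    for label, pw, realistic in (("weak", weak, mangled_word_bits(weak)),
                                 ("strong", strong, passphrase_bits(strong_words))):
        print(f"{label:6} composition: {meets_composition_rule(pw)!s:5} "
              f"length-or-complexity: {meets_length_or_complexity(pw)!s:5} "
              f"naive {naive_bits(pw):6.1f} bits, realistic {realistic:5.1f} bits, "
              f"about {crack_seconds(realistic):.3g} s to crack")
    print("manager-style password:", generate_compliant())
```

Run stand-alone, the script shows the point of the article and the comment together: “p@ssw0rd123456” satisfies the article’s rule and (at 14 characters) the comment’s 13-character rule, yet under the assumed dictionary model it is worth about 35 bits, a couple of seconds at the assumed guess rate, while the 34-character passphrase fails the article’s rule, passes the comment’s, and is worth roughly 77 bits even when the attacker knows it is built from common words. Raising the threshold to the 15-character Top Secret value rejects the weak password, since it has no uppercase letter.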