ASD password policy best practices
(Last updated on October 7, 2020)
Australian businesses are juggling as many as 85 different passwords. To take greater control of their password security, they must look to the Australian Cyber Security Centre (ACSC) for guidance. The ACSC is the nation’s leading agency on cyber security. The ACSC is hosted by the Australian Signals Directorate (ASD), and produces the Australian Government Information Security Manual (ISM). The ISM provides practical guidance on how organisations can secure their data against cyber threats. While organisations are not required by law to comply with the ISM, many businesses turn to this security manual for advice and recommendations. You can find the complete manual on the ACSC’s official website.
The ACSC’s password policy best practices can be found in the Authentication hardening section of the ISM. The document points out that single-factor authentication (the password) is no longer suitable for protecting sensitive information. Organisations should implement multi-factor authentication to confirm a user’s identity. If multi-factor authentication cannot be implemented in a system, the ISM recommends using passphrases as the single-factor authentication. If passphrases cannot be implemented, the ISM recommends the strongest password length and complexity settings supported by the system.
The average Australian has 14 passwords that have been reused across multiple services. Following the Collection 1-5 data dump, the ACSC asked organisations to “implement a policy whereby staff do not use their corporate credentials on public websites.” Security training can help people understand the dangers of reusing their corporate credentials, but it cannot stop this activity.
What organisations can do is trigger password resets for users if they suspect password reuse. The ACSC also advises users to check whether their accounts and passwords have been compromised via the Have I Been Pwned website. An alternative to this time-consuming manual process is a compromised password deny list.
You can enhance your password settings by blocking leaked passwords. Blocking the use of compromised passwords in Active Directory allows you to relax policy requirements such as character complexity, and expiration periods, while maintaining your desired level of security.
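As an added illustration (not Specops code and not from the ACSC), the following Python shows how a compromised password deny list check can be automated against the Pwned Passwords range format used by Have I Been Pwned: only the first five hex characters of the password's SHA-1 hash leave the organisation, and the returned range is matched locally. The range response below is constructed for this example (the suffix for "password" is real, the counts and other suffixes are made up), and `offline_fetch` stands in for the HTTPS call.

```python
import hashlib

# Constructed sample: a truncated range response for SHA-1 prefix 5BAA6, in the
# "SUFFIX:COUNT" line format returned by the Pwned Passwords range endpoint.
# The second suffix is the real SHA-1 suffix of the string "password"; the other
# suffixes and all counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appeared in known breaches (0 = not seen).
    fetch_range(prefix) must return the raw range response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_password_allowed(password, fetch_range):
    """Deny-list policy: reject any password that has appeared in a breach,
    regardless of its character complexity."""
    return breach_count(password, fetch_range) == 0


def offline_fetch(prefix):
    # Stand-in for the network call; serves only the constructed sample range.
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
```

In production, `fetch_range` would perform the HTTPS request and should cache ranges and fail closed (treat a lookup failure as "not allowed" or defer the change) rather than silently accepting the password.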
Specops Software offers Breached Password Protection, a service with a continuously updated list of vulnerable passwords. Our password solution supports passphrases and multi-factor authentication for self-service password resets. Contact us today to see how we can help you achieve ASD Password Policy best practices.