The current version, published in December 2018, directs that agencies (other than for systems classified Confidential, Secret or Top Secret, for which more stringent rules apply) "Should implement a password policy enforcing either a minimum password length of 16 characters with no complexity requirement; or a minimum password length of 10 characters."
Under the shorter, 10-character option, passwords must also draw on at least three of the following character sets: lowercase characters (a-z); uppercase characters (A-Z); digits (0-9); and punctuation and special characters. (The 16-character option, as quoted, carries no such requirement.)
Additionally, agencies should: ensure passwords are changed at least every 90 days; prevent system users from changing their password more than once a day; check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements; and force the system user to change an expired password on initial logon or if the password is reset.
Although the NZISM has been regularly updated, these requirements are identical to those in the oldest version available on the GCSB website, which is dated November 2015.
It surprises many users to learn that any reasonably designed computer system does not store their password at all. What it stores is a hash of the password (loosely, an "encrypt"): the output of a one-way mathematical function that turns the password into a fixed-length binary value. Because the function is one-way, there is no practical way to get from that value back to the original password. Instead, when you key in your password at login, your input is put through the same function and the result is compared with the stored value. If they match, you are granted access; if not, access is denied. Well-designed systems also mix a random per-user salt into the calculation and choose a deliberately slow function, so that the same password does not produce the same stored value everywhere and every guess costs the attacker real computing time.
This is why your IT department cannot (or certainly should not be able to) tell you what your lost password is: since it cannot readily get from the stored value back to the original password, the only sensible response is to require you to set a new one.
The only way to recover a lost password is by trial and error: guessing what it might be, hashing that guess and comparing the result with the stored value. Guessing an unknown password is feasible in practice only if the cracker has the stored hash and can run an automated procedure on another computer to make enormous numbers of guesses; guessing at the login prompt itself is throttled by lockouts and rate limits. It follows that the cracker must already have compromised the system on which your password hash is stored (or obtained a copy of its database or backups), and in that case the horse has already bolted.
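The store-then-compare process described above, as an added example that is not part of the original column: it stores a salted, deliberately slow hash (PBKDF2-HMAC-SHA256; the iteration count is chosen for illustration), checks a login attempt against the stored record, and then runs the trial-and-error attack that only becomes possible once an attacker holds that record. The password and the attacker's wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Parameters for a salted, deliberately slow one-way hash. The iteration count is an
# assumption for illustration; production systems use more, or a memory-hard function
# such as Argon2 or scrypt.
ITERATIONS = 100_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what a system actually keeps: a random salt and the hash, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(candidate: str, record: dict) -> bool:
    """Login check: hash the typed password the same way and compare with the stored value."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so the time taken does not leak how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])


def offline_guess(record: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Trial-and-error recovery, possible only once the attacker holds the stored record.

    Each candidate is hashed with the victim's salt and compared; returns the recovered
    password (or None) and how many guesses had to be hashed. The slow hash means each
    guess costs the attacker the same work the login server spends on a real login."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if verify_password(word, record):
            return word, guesses
    return None, guesses


# Constructed sample data: one user's password and a tiny attacker wordlist.
SAMPLE_PASSWORD = "Winter2018!"
SAMPLE_WORDLIST = ["password", "letmein", "Summer2018!", "Winter2018!", "correct horse battery staple"]

if __name__ == "__main__":
    rec = store_password(SAMPLE_PASSWORD)
    print("stored salt:", rec["salt"].hex())
    print("stored hash:", rec["hash"].hex())
    print("login with right password:", verify_password(SAMPLE_PASSWORD, rec))
    print("login with wrong password:", verify_password("Winter2019!", rec))
    print("offline guessing against the stored record:", offline_guess(rec, SAMPLE_WORDLIST))
```

Two things the run makes visible: the stored record contains nothing that can be turned back into the password, so the help desk genuinely cannot read it out; and the attack loop needs `rec` as input, which is exactly the artefact the IT department must keep out of reach.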
What about the requirement for passwords to expire? That originated because early computers were so slow that, given a password hash, it would take weeks of trial and error to guess the password. A back-of-envelope calculation suggested that a reasonable password could survive at least three months of such attempts, so passwords were given a lifetime of three months.
The world has moved on. The NZISM itself asserts that "a simple eight-letter password can today be bruteforced in minutes by software freely available on the internet". A password that falls in minutes is not protected by a 90-day expiry, and a long one that would take centuries to exhaust does not need one. So the key to computer security in 2019 is not that you should routinely change your password, but that your IT department should make sure that crackers cannot get hold of its hash, and that the hash is a salted, deliberately slow one so that each guess costs real effort.
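The back-of-envelope calculation the text refers to, worked through as an added example that comes from neither the column nor the NZISM: it sizes the search space for the NZISM's "simple eight-letter password" and for the manual's two policy options, then shows how long exhaustive guessing takes at an assumed fast-hash rate and an assumed slow-KDF rate, measured against the 90-day expiry. The two guessing rates and the "comparable to the lifetime" band used for the verdict are assumptions for illustration only.

```python
SECONDS_PER_DAY = 86_400
NZISM_LIFETIME_DAYS = 90  # the expiry interval the NZISM mandates

# Guessing rates are illustrative assumptions, not figures from the NZISM or any benchmark:
# a fast unsalted hash on GPU hardware versus a deliberately slow, salted key-derivation
# function such as PBKDF2 with a high iteration count.
FAST_HASH_GUESSES_PER_SECOND = 1e9
SLOW_KDF_GUESSES_PER_SECOND = 1e4

# Character-set sizes for the policies the text compares.
LOWER_ONLY = 26
LOWER_UPPER_DIGITS = 62  # the smallest "three of four sets" mix under the 10-character option


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters over the set."""
    return charset_size ** length


def days_to_exhaust(length, charset_size, guesses_per_second):
    """Worst case: days needed to try every password in the space at the given rate."""
    return keyspace(length, charset_size) / guesses_per_second / SECONDS_PER_DAY


def expiry_verdict(length, charset_size, guesses_per_second, lifetime_days=NZISM_LIFETIME_DAYS):
    """Where a periodic change sits relative to the cracking effort.

    The band of "roughly the same order as the lifetime" (one tenth to ten times it) is a
    judgement made here for illustration, not a rule from any of the cited documents."""
    days = days_to_exhaust(length, charset_size, guesses_per_second)
    if days < lifetime_days / 10:
        return "cracked long before it expires; expiry buys nothing"
    if days > lifetime_days * 10:
        return "not crackable within its lifetime anyway; expiry is pointless work"
    return "cracking time comparable to lifetime; the only case where expiry helps"


def human_days(days):
    """Render a day count as minutes, days or years for the printed table."""
    if days < 1:
        return f"{days * 24 * 60:.1f} minutes"
    if days < 365:
        return f"{days:.0f} days"
    return f"{days / 365:.0f} years"


POLICIES = [
    ("8 lowercase letters (the NZISM's 'simple eight-letter password')", 8, LOWER_ONLY),
    ("NZISM option 2: 10 characters, letters and digits", 10, LOWER_UPPER_DIGITS),
    ("NZISM option 1: 16 lowercase characters, no complexity", 16, LOWER_ONLY),
]

if __name__ == "__main__":
    for label, length, charset in POLICIES:
        for name, rate in (("fast hash", FAST_HASH_GUESSES_PER_SECOND),
                           ("slow KDF", SLOW_KDF_GUESSES_PER_SECOND)):
            days = days_to_exhaust(length, charset, rate)
            print(f"{label} / {name}: {human_days(days)} to exhaust; "
                  f"{expiry_verdict(length, charset, rate)}")
```

At the assumed fast rate the eight-letter case comes out at a few minutes, which is the NZISM's own claim, while the 16-character option runs to hundreds of millions of years; in neither case does a 90-day change make any difference. The one row where expiry lands in the "comparable" band is the eight-letter password behind a slow KDF, which is the argument for fixing the hashing rather than the change interval.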
Given these basic facts, official advice has been changing. The United Kingdom Government Communications Headquarters (GCHQ) published Password Guidance: Simplifying Your Approach in 2015, advising that "enforcing the requirement for complex character sets is not recommended" and "regular password changing harms rather than improves security" (that means you, and your scrap of paper or Post-It note).
The US National Institute of Standards and Technology (NIST) publishes IT security standards and guidelines for US federal agencies. The current version of the NIST Digital Identity Guidelines (SP 800-63B), published in June 2017, has also abandoned both password complexity and password expiry: verifiers should not impose other composition rules (e.g. requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorised secrets; they should not require memorised secrets to be changed arbitrarily (e.g. periodically); however, they shall force a change if there is evidence that the authenticator has been compromised.
The NIST guidelines very sensibly note that: "Highly complex memorised secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down."
It is clear from their moderate and practical proposals that the GCHQ and NIST have heeded expert advice, research both published and unpublished, and feedback from users who are required to live with their policies.
Why then, almost four years after the publication of the GCHQ recommendations and two years after the finalisation of the NIST guidelines, is New Zealand's GCSB unwilling to make similar changes to reduce the frustration caused by its policies?
The disturbing conclusion, given its role as the government's eavesdropping agency, is the GCSB is apparently not listening.
• Ross Boswell is a pathologist and physician in the public hospital system